Date: Tue, 17 Apr 2012 23:04:56 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Helmut Grohne <helmut@...divi.de>, Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>, 668667@...s.debian.org
Subject: Re: CVE Request (minor) -- Two Munin graphing framework flaws


On 04/16/2012 11:34 PM, Helmut Grohne wrote:
> Hi Kurt,
> 
> Please always CC the bug report when adding detail to it. Doing it
> now for you.
> 
> On Mon, Apr 16, 2012 at 01:19:32PM -0600, Kurt Seifried wrote:
>>> [3] Remote users can fill /tmp filesystem: Red Hat would not 
>>> consider this to be a security flaw => no RH BTS entry.
>>> 
>>> Original report: 
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668667
>> 
>> I reread this one a few times, I'm not clear on what:
>> 
>> ==========
>> printf 'GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80
>> 
>> Provided that the filename actually exists, munin will render the
>> image
>> ==========
>> 
>> means exactly, does the file vmstat-day.png need to exist where?
>> It seems like if the image is of any size (say 20k or more) the 
>> amplification (each get request = 20k of tmp space usage) and
>> the files have to be deleted manually it might qualify as a DoS.
>> 
>> helmut@...divi.de can you shed more light on this?
> 
> The basic requirement is that a plugin called vmstat is configured
> for the node localhost.localdomain. I just picked it as an example,
> cause it is present on my system. In practice any plugin for any
> host will do.

Is this the default configuration?

> In addition munin parses parts of the query string. You are allowed
> to modify the size of the image. By choosing a path 
> "....png?size_x=20000&size_y=20000&uniquestuff" you can do the
> same attack while simultaneously using a large image size. The raw
> image would be 381M (assuming 8bits/pixel) in this case. A png
> version will likely be smaller, say 4M? So now you have an
> amplification of 4M/request. Note that this query can get a node
> into swapping, because rrdtool needs to create the whole image in
> main memory.
> 
> Hope this helps

Ouch.

> Helmut


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
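The abuse pattern Helmut describes (huge size_x/size_y renders, and cache-busting with unique query strings so each request leaves a fresh file in /tmp) is visible in the web server's access log. The following is an added example, not code from the Munin project or from this thread: it scans combined-format log lines for munin-cgi-graph requests and flags both symptoms. The thresholds, the log regex and the sample log lines are constructed assumptions.

```python
# Added defender-side check (not from Munin or the thread above).
# Flags munin-cgi-graph requests whose size_x/size_y imply an oversize
# render, and clients hitting one graph with many distinct query strings.
# MAX_PIXELS, MAX_DISTINCT_QUERIES and SAMPLE_LOG are assumed/constructed.
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined-log-style regex: client IP, then the request line (method, path, protocol).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+"')
GRAPH_PREFIX = "/cgi-bin/munin-cgi-graph/"
MAX_PIXELS = 2000 * 2000          # assumed ceiling; a normal day graph is far smaller
MAX_DISTINCT_QUERIES = 5          # assumed: more per client+graph looks like cache-busting

def requested_pixels(query: str) -> int:
    """Pixel count implied by size_x*size_y; 0 when absent or non-numeric."""
    params = parse_qs(query)
    try:
        return int(params.get("size_x", ["0"])[0]) * int(params.get("size_y", ["0"])[0])
    except ValueError:
        return 0

def analyse(lines):
    """Return (oversize_hits, cache_busters) for an iterable of access-log lines."""
    oversize = []                              # (ip, graph path, requested pixels)
    seen = defaultdict(set)                    # (ip, graph path) -> distinct query strings
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                           # unparsable line: skip rather than crash
        url = urlsplit(m.group("path"))
        if not url.path.startswith(GRAPH_PREFIX):
            continue
        ip = m.group("ip")
        px = requested_pixels(url.query)
        if px > MAX_PIXELS:
            oversize.append((ip, url.path, px))
        seen[(ip, url.path)].add(url.query)
    busters = sorted((ip, path, len(q)) for (ip, path), q in seen.items()
                     if len(q) > MAX_DISTINCT_QUERIES)
    return oversize, busters

# Constructed sample traffic: one normal fetch, one oversize render request,
# and one client cycling unique query strings against the same graph.
GRAPH = "/cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png"
SAMPLE_LOG = [
    f'10.0.0.5 - - [17/Apr/2012:23:04:56 -0600] "GET {GRAPH} HTTP/1.0" 200 18231',
    f'10.0.0.9 - - [17/Apr/2012:23:05:01 -0600] "GET {GRAPH}?size_x=20000&size_y=20000&x1 HTTP/1.0" 200 4194304',
] + [f'10.0.0.9 - - [17/Apr/2012:23:05:0{i} -0600] "GET {GRAPH}?foo{i} HTTP/1.0" 200 18231' for i in range(2, 9)]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```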
