Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 18 Jun 2013 00:41:01 +0200
From: Willy Tarreau <w@....eu>
To: oss-security@...ts.openwall.com
Subject: CVE-2013-2175 : haproxy may crash when using header occurrences relative to the tail

Hi,

David Torgerson reported an haproxy crash with enough traces to diagnose
the cause as being related to the use of a negative occurrence number in
a header extraction, which is used to extract an entry starting from the
last occurrence.

--- summary ---

Configurations at risk are those which make use of "hdr_ip(name,-1)" (in
1.4) or any hdr_* variant with a negative occurrence count in 1.5, or
the "usesrc hdr_ip(name)" statement in both 1.4 and 1.5. These
configurations may be crashed when run with haproxy 1.4.4 to 1.4.23 or
development versions up to and including 1.5-dev18. Versions 1.4.24 and
1.5-dev19 are safe.

--- quick workaround ---

A workaround consists in rejecting dangerous requests early using
hdr_cnt(<name>), which is available both in 1.4 and 1.5 :
    
       block if { hdr_cnt(<name>) ge 10 }

--- details ---

When a config makes use of hdr_ip(x-forwarded-for,-1) or any such thing
involving a negative occurrence count, the header is still parsed in the
order it appears, and an array of up to MAX_HDR_HISTORY entries is created.
When more entries are used, the entries simply wrap and continue this way.
    
A problem happens when the incoming header field count exactly divides
MAX_HDR_HISTORY, because the computation removes the number of requested
occurrences from the count, but does not care about the risk of wrapping
with a negative number. Thus we can dereference the array with a negative
number and randomly crash the process.
    
The bug is located in http_get_hdr() in haproxy 1.5, and get_ip_from_hdr2()
in haproxy 1.4. It affects configurations making use of one of the following
functions with a negative <value> occurence number :
    
   - hdr_ip(<name>, <value>)  (in 1.4)
   - hdr_*(<name>, <value>)   (in 1.5)
    
It also affects "source" statements involving "hdr_ip(<name>)" since that
statement implicitly uses -1 for <value> :
    
   - source 0.0.0.0 usesrc hdr_ip(<name>)
    
This bug has been present since the introduction of the negative offset
count in 1.4.4 via commit bce70882.

CVE-2013-2175 was assigned to this bug.

Special thanks to David Torgerson who provided a significant number of
traces, and to Ryan O'Hara from Red Hat for providing a CVE id.
    
--- links ---
 1.4-stable patch for version <= 1.4.23 :
 http://git.1wt.eu/web?p=haproxy-1.4.git;a=commitdiff;h=f534af74ed
 1.4.24 source code: 
 http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.24.tar.gz
 
 1.5-dev patch for versions <= 1.5-dev18 :
 http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=67dad2715b
 1.5-dev19 source code:
 http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev19.tar.gz

Please check with your distro vendor for packaged updates.

Thanks,
Willy Tarreau

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.