oss-sec mailing list archives
Re: Polipo: denial-of-service using range
From: "Alexandr Savca (chinarulezzz)" <alexandr.savca89 () gmail com>
Date: Tue, 3 Aug 2021 15:37:01 +0300
Hello John, I reproduced it with the original PoC script. There is an important point that I have overlooked: the parent proxy must be started. I'm using socks5/tor parent proxy, and have not tested squid/http. Here is my polipo config file: ``` daemonise = false pidFile = /var/run/polipo/pid logFile = /var/log/polipo/log proxyAddress = 127.0.0.1 proxyPort = 8123 allowedClients = 127.0.0.1 socksParentProxy = "localhost:9050" socksProxyType = socks5 ``` Without starting a parent proxy (tor instance) on localhost:9050, I get ERROR 504 just like you. On Sun, 1 Aug 2021 18:31:27 +0000 John Helmert III <jchelmert3 () posteo net> wrote:
How did you produce this? I can't seem to reproduce with the original PoC script. Running it, polipo outputs: Empty DNS name. Host (unknown) lookup failed: empty name (22). The script outputs: HTTP/1.1 504 Host (unknown) lookup failed: empty name Connection: keep-alive Date: Sun, 01 Aug 2021 18:07:07 GMT Content-Type: text/html Content-Length: 515 Expires: 0 Cache-Control: no-cache Pragma: no-cache <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head> <title>Proxy error: 504 Host (unknown) lookup failed: empty name.</title> </head><body> <h1>504 Host (unknown) lookup failed: empty name</h1> <p>The following error occurred while trying to access <strong>http://</strong>:<br><br> <strong>504 Host (unknown) lookup failed: empty name</strong></p> <hr>Generated Sun, 01 Aug 2021 13:07:07 CDT by Polipo on <em>localhost:8123</em>. </body></html> Fixing the script to GET a real website shows a bunch of memory alignment issues, but no heap overflow as far as I can tell: dns.c:1467:5: runtime error: store to misaligned address 0x7ffe1de13c69 for type 'short unsigned int', which requires 2 byte alignment 0x7ffe1de13c69: note: pointer points here 63 6f 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ dns.c:1468:5: runtime error: store to misaligned address 0x7ffe1de13c6b for type 'short unsigned int', which requires 2 byte alignment 0x7ffe1de13c6b: note: pointer points here 6d 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ dns.c:1554:5: runtime error: load of misaligned address 0x7ffe1de13b69 for type 'short unsigned int', which requires 2 byte alignment 0x7ffe1de13b69: note: pointer points here 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 fe a7 00 04 5d b8 d8 22 7f 00 00 50 3c e1 1d fe ^ dns.c:1555:5: runtime error: load of misaligned address 0x7ffe1de13b6b for type 'short unsigned int', which requires 2 byte alignment 0x7ffe1de13b6b: note: pointer points here 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 fe a7 00 04 5d b8 d8 22 7f 00 00 50 3c e1 1d fe 7f 00 ^ dns.c:1596:9: runtime error: load of misaligned address 0x7ffe1de13b6f for type 'short unsigned int', which requires 2 byte alignment 0x7ffe1de13b6f: note: pointer points here 00 01 c0 0c 00 01 00 01 00 00 fe a7 00 04 5d b8 d8 22 7f 00 00 50 3c e1 1d fe 7f 00 00 22 3d 00 ^ dns.c:1596:9: runtime error: load of misaligned address 0x7ffe1de13b71 for type 'short unsigned int', which requires 2 byte alignment 0x7ffe1de13b71: note: pointer points here c0 0c 00 01 00 01 00 00 fe a7 00 04 5d b8 d8 22 7f 00 00 50 3c e1 1d fe 7f 00 00 22 3d 00 00 40 ^ dns.c:1596:9: runtime error: load of misaligned address 0x7ffe1de13b73 for type 'unsigned int', which requires 4 byte alignment 0x7ffe1de13b73: note: pointer points here 00 01 00 01 00 00 fe a7 00 04 5d b8 d8 22 7f 00 00 50 3c e1 1d fe 7f 00 00 22 3d 00 00 40 60 00 ^ dns.c:1596:9: runtime error: load of misaligned address 0x7ffe1de13b77 for type 'short unsigned int', which requires 2 byte alignment 0x7ffe1de13b77: note: pointer points here 00 00 fe a7 00 04 5d b8 d8 22 7f 00 00 50 3c e1 1d fe 7f 00 00 22 3d 00 00 40 60 00 00 6b 3c e1 ^
Current thread:
- Re: Polipo: denial-of-service using range John Helmert III (Jul 18)
- <Possible follow-ups>
- Re: Polipo: denial-of-service using range Jeffrey Walton (Jul 19)
- Re: Polipo: denial-of-service using range Alexandr Savca (chinarulezzz) (Jul 28)
- Re: Polipo: denial-of-service using range John Helmert III (Aug 01)
- Re: Polipo: denial-of-service using range Alexandr Savca (chinarulezzz) (Aug 03)
- Re: Polipo: denial-of-service using range John Helmert III (Aug 13)
- Re: Polipo: denial-of-service using range Alexandr Savca (chinarulezzz) (Jul 28)