Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc

[Amos Jeffries <squid3 () treenet co nz>]

On 8/03/2013 10:07 a.m., Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/05/2013 01:53 PM, tytusromekiatomek () hushmail com wrote:
> > ################################################################ #
> > DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc #
> > ################################################################ #
> > # Authors: # # 22733db72ab3ed94b5f8a1ffcde850251fe6f466 #
> > c8e74ebd8392fda4788179f9a02bb49337638e7b # AKAT-1 #
> > #######################################
> >
> > # Versions: 3.2.5, 3.2.7
> >
> >
> > This error is only triggered when squid needs to generate an error
> > page (for example backend node is not responding etc...) POC
> > (request): -- cut -- GET http://127.0.0.1:1/foo HTTP/1.1
> > Accept-Language: , -- cut --
> >
> > e.g : curl -H "Accept-Language: ," http://localhost:3129/
> >
> > Code:
> >
> > strHdrAcptLangGetItem is called with pos equals 0, therefore first
> > branch in if (316 line) is taken, because xisspace(hdr[pos]) is
> > false, then pos++ is not executed (because hdr[0] is ','). In 335
> > line statement in while is also false because hdr[0] = ',', so
> > whole loop body is omited. dt = lang, thus after assignment in 353
> > line *lang == '\0', so expression in if statement in 357 line is
> > false. So next execution of while body (314 line), has got same
> > preconditions as previous, thus it's infinite loop.
> Was this reported upstream to squid-bugs () squid-cache org? Has anyone
> confirmed this, and if so, does it require a CVE #?

I confirm it is possible. A regression was introduced in some 3.2 parser 
alterations.
A preliminary patch is attached which restores the Squid-3.1 behaviour.

As this is triggerable by remote clients I am inclined to release an 
advisory.
Affected stable versions are Squid-3.3 up to and including 3.3.2, 
Squid-3.2 up to and including 3.2.8.

Amos Jeffries
Squid Project


> - -- 
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
>
> iQIcBAEBAgAGBQJROQF3AAoJEBYNRVNeJnmTq5oQANtdEmCVhIbR9RppkKuPsIP0
> QW+sMJYIunEdUchS+p8IRQiN3IrD8ySDuyWeOSTW6riYopH1XhV1RMY67+JJ63kg
> vR7Toh5GFTjKmd6HvrN7FX7yZ5UyupClX1WhBk2s8GTIhYckDCykvWePJwei2cT3
> fRYc72jSsEoqKP5CTS9YK91Ap0FZRGDREt/V6yZwGkYAVh6j89XC5j95VPzNCigQ
> QQquLNr0AaRQC2E/Ofa++GW8GHf1yGMOQ49ypEKr1n7CrY3uZD2/Gp968GPZx+DJ
> /31KyBAW5v2e1cTIOMgan+mVR8PDHcWSKFQu3bRpd4JaeNkYWHsd66w2tclL8r6Q
> N09+GJFiEdE9ycsHMHMyz8DcCtzLo6BnrP9NTHYzd5Q2CyNpNS0RnAVsFU0Bj2VX
> WLA7JhcM0+5+UJvn9dIuNSaB7xVusKi5Q4YCP33FFULsDczKs5tFBrvrvEn3h9//
> gol31UVSMpB00Bh5ijWifLmrRXJ9+RodxZUZ4PfmmllPA30iuoTqb0yhmVv314GG
> 5/T/PnsMYEAWSrsaqdcfWiWNLGyx/lqovrXofszratY7Urphp0OJNueN9Et7IPkZ
> E42eXZt3x3FfJzFNA2WgXIW13aTQ+iRdAqMip+jmylfMr6JtABevu+V1JXvZkcHY
> 8E7GKbUGP4HexDIWiA0a
> =tSGC
> -----END PGP SIGNATURE-----

Attachment: accept_lang_vulnerability.patch
Description: