oss-sec mailing list archives
Re: Polipo: denial-of-service using range
From: "Alexandr Savca (chinarulezzz)" <alexandr.savca89 () gmail com>
Date: Wed, 28 Jul 2021 15:01:51 +0300
Hi Jeff, There is Heap Buffer Overflow: <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< ==2450==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000277 at pc 0x7fe440a56332 bp 0x7ffd71e73b10 sp 0x7ffd71e732c8 WRITE of size 10 at 0x602000000277 thread T0 #0 0x7fe440a56331 (/usr/lib/libasan.so.6+0x42331) #1 0x5582d71d4b05 (/usr/bin/polipo+0x150b05) #2 0x5582d71d0de7 (/usr/bin/polipo+0x14cde7) #3 0x5582d71c34d2 (/usr/bin/polipo+0x13f4d2) #4 0x7fe43ff05e09 in __libc_start_main (/lib/libc.so.6+0x23e09) #5 0x5582d71c3c99 (/usr/bin/polipo+0x13fc99) 0x602000000277 is located 0 bytes to the right of 7-byte region [0x602000000270,0x602000000277) allocated by thread T0 here: #0 0x7fe440ac61a7 in __interceptor_malloc (/usr/lib/libasan.so.6+0xb21a7) #1 0x5582d72a876c (/usr/bin/polipo+0x22476c) SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/libasan.so.6+0x42331) Shadow bytes around the buggy address: 0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff8000: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa 00 00 0x0c047fff8010: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa 00 00 0x0c047fff8020: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8030: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 fa =>0x0c047fff8040: fa fa 01 fa fa fa 00 02 fa fa fd fa fa fa[07]fa 0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2450==ABORTING <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Built with CFLAGS: -O2 -march=x86-64 -pipe -fdiagnostics-color=always -fsanitize=address -fsanitize=leak -fsanitize=undefined -fsanitize-recover=address -DNDEBUG Kind Regards, Alex. On Mon, 19 Jul 2021 14:18:05 -0400 Jeffrey Walton <noloader () gmail com> wrote:
I found a vulnerability in the Polipo [1], lightweight, caching web proxy. ... Polipo doesn't ignore/reject the malformed header. Instead, it has an assertion: server.c:1473: assert(from >= 0 && (to < 0 || to > from)); So, a malformed Range header ("Range: bytes=3-2" for example) will cause an assertion failed. This error handling allows an attacker to cause a denial of service.I would be interested to know what happens when NDEBUG is defined so the assert goes away. Does the server crash, does it lead to memory corruption, an information leakage (like a private key), or something else? Jeff
Current thread:
- Re: Polipo: denial-of-service using range John Helmert III (Jul 18)
- <Possible follow-ups>
- Re: Polipo: denial-of-service using range Jeffrey Walton (Jul 19)
- Re: Polipo: denial-of-service using range Alexandr Savca (chinarulezzz) (Jul 28)
- Re: Polipo: denial-of-service using range John Helmert III (Aug 01)
- Re: Polipo: denial-of-service using range Alexandr Savca (chinarulezzz) (Aug 03)
- Re: Polipo: denial-of-service using range John Helmert III (Aug 13)
- Re: Polipo: denial-of-service using range Alexandr Savca (chinarulezzz) (Jul 28)