Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20120417053439.GA24627@alf.mars>
Date: Tue, 17 Apr 2012 07:34:40 +0200
From: Helmut Grohne <helmut@...divi.de>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com, Jan Lieskovsky <jlieskov@...hat.com>,
	"Steven M. Christey" <coley@...us.mitre.org>,
	668667@...s.debian.org
Subject: Re: CVE Request (minor) -- Two Munin graphing
 framework flaws

Hi Kurt,

Please always CC the bug report when adding detail to it. Doing it now
for you.

On Mon, Apr 16, 2012 at 01:19:32PM -0600, Kurt Seifried wrote:
> > [3] Remote users can fill /tmp filesystem: Red Hat would not
> > consider this to be a security flaw => no RH BTS entry.
> > 
> > Original report: 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668667
> 
> I reread this one a few times, I'm not clear on what:
> 
> ==========
> printf 'GET
> /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo
> HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc
> localhost 80
> 
> Provided that the filename actually exists, munin will render the image
> ==========
> 
> means exactly, does the file vmstat-day.png need to exist where? It
> seems like if the image is of any size (say 20k or more) the
> amplification (each get request = 20k of tmp space usage) and the
> files have to be deleted manually it might qualify as a DoS.
> 
> helmut@...divi.de can you shed more light on this?

The basic requirement is that a plugin called vmstat is configured for
the node localhost.localdomain. I just picked it as an example, cause it
is present on my system. In practise any plugin for any host will do.

The filling of the disk works by choosing a unique query string for each
request, because munin "caches" all theses images without ever deleting
them and includes the query string in the filename. So you are right,
that we get a base amplification of 20k/request.

In addition munin parses parts of the query string. You are allowed to
modify the size of the image. By choosing a path
"....png?size_x=20000&size_y=20000&uniquestuff" you can do the same
attack while simultaneously using a large image size. The raw image
would be 381M (assuming 8bits/pixel) in this case. A png version will
likely be smaller, say 4M? So now you have an amplification of
4M/request. Note that this query can get a node into swapping, because
rrdtool needs to create the whole image in main memory.

Hope this helps

Helmut

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.