By Jake Edge
December 1, 2010
While it isn't altogether new, the implications of a recently reported denial of service (DoS) attack method against web servers are somewhat eye-opening. The attack itself is similar in many ways to the Slowloris technique. Depending on how the web server is configured, a DoS against it may only require a fairly small number of slow-moving connections. In addition, since it exploits a weakness in HTTP, it is difficult to work around.
Open Web Application Security Project (OWASP) researchers Wong Onn Chee and Tom Brennan presented [PDF] on the flaw at the AppSec DC 2010 conference in mid-November. As they point out, most DoS (and distributed DoS or DDoS) attacks target lower layers in the network stack, typically the transport layer, which is layer four in the OSI model. More recent DoS attacks have moved up the stack, with things like Slowloris attacking layer seven, the application layer (e.g. HTTP, FTP, SMTP).
ISPs and internet carriers have gotten much better at thwarting attacks at the transport layer, but for a number of reasons, attacks against applications are more difficult to deal with. It can be difficult to distinguish legitimate application traffic from a DoS attack. Applications tend to have a larger footprint and require more server resources. That means that a smaller number of attacking resources may be needed to perform a DoS at the application layer than at the transport layer.
Previously, Slowloris and other techniques used the HTTP GET method in conjunction with sending the HTTP headers very slowly to monopolize a connection to the web server. If enough of those "clients" were running, they would consume all of the sockets or other resources at the server end, thus denying any other clients (i.e. legitimate traffic) access to the server. Since that time, various workarounds have been found to reduce the problem from slow HTTP GETs in the Apache web server. Interestingly, Microsoft's IIS web server uses a different mechanism to handle incoming requests and was not vulnerable to GET-based DoS.
What Chee and his team found in September 2009 was that the HTTP POST
method could also be used to perform a DoS. By sending a very large
value in the Content-Length header, then very slowly sending that
amount of data, one byte at a time, a client can consume a connection on
the server for a very long time. In addition, because all of the headers
have been sent, the mechanism that allowed IIS to avoid the GET-based
attack was bypassed, so IIS and Apache are both vulnerable to these POST-based
attacks.
So, Apache and IIS web servers that accept any kind of forms—that is to say, nearly all of them—are vulnerable. In addition, the attacks don't even have to reference a valid form on the server, as most servers don't check until after the request is received. How many attacker connections are required to shut down a server depends on the configuration of the server. The presentation mentions 20,000 connections for IIS and fewer for Apache because of client or thread limits in httpd.conf. An Acunetix blog post notes that 256 connections can be enough for Apache 1.3 in its default configuration. In any case, neither 256 nor 20,000 is a significant hurdle for an interested attacker.
Both Apache and Microsoft were contacted about this problem, but neither
plans to "fix" it, because it is inherent in the protocol. HTTP is meant
to allow for slow and intermittent connections, which don't look very
different from this kind of attack. Apache has two potential workarounds:
the experimental mod_reqtimeout,
which allows for timeouts on headers and request bodies, or the LimitRequestBody
directive, which allows a maximum request size to be set (by default it
is 2GB). Those may provide band-aids but there will be collateral damage
as folks with slower, dodgier connections—perhaps from a mobile
device—may suffer. It seems likely that most servers could live with
maximum request sizes significantly smaller than 2GB, however.
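As an added illustration (not code from the article, from Apache, or from the OWASP researchers), the model below replays constructed request-body traces against the policy that mod_reqtimeout's RequestReadTimeout body=initial[-max],MinRate=bytes directive describes, with an up-front LimitRequestBody check in front of it; the policy values (20 s initial, 60 s cap, 500 bytes per extra second), the 10 MB size limit and both traffic traces are assumptions. It shows why a flat body timeout alone would cut off the slow mobile upload the article worries about, while the MinRate extension keeps that upload and still drops the one-byte drip.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class BodyTimeout:
    """RequestReadTimeout body=initial[-max_total],MinRate=min_rate (values assumed below)."""
    initial: float                       # seconds allowed before any body byte is required
    max_total: Optional[float] = None    # hard cap on total body read time (None: no cap)
    min_rate: Optional[int] = None       # every min_rate bytes received extend the deadline by 1 s
Trace = List[Tuple[float, int]]          # (seconds since headers completed, bytes arriving)

def read_body(policy: BodyTimeout, content_length: int, trace: Trace,
              limit_request_body: Optional[int] = None) -> Tuple[str, float]:
    """Replay one connection's body trace. Returns (outcome, seconds)."""
    # LimitRequestBody is compared with the declared Content-Length before any
    # body is read, so an absurd declaration is refused up front (HTTP 413).
    if limit_request_body is not None and content_length > limit_request_body:
        return ("rejected", 0.0)
    deadline, received = policy.initial, 0
    for t, n in trace:
        if t > deadline:                 # nothing arrived in time: connection dropped
            return ("timeout", deadline)
        received += n
        if received >= content_length:
            return ("complete", t)
        if policy.min_rate:              # MinRate: data received buys more time
            deadline = policy.initial + received / policy.min_rate
            if policy.max_total is not None:
                deadline = min(deadline, policy.max_total)
    return ("timeout", deadline)         # trace ended before the body did

def drip(interval: float, chunk: int, count: int) -> Trace:
    """Constructed trace: `count` chunks of `chunk` bytes, one every `interval` seconds."""
    return [(interval * (i + 1), chunk) for i in range(count)]

POLICY = BodyTimeout(initial=20, max_total=60, min_rate=500)   # assumed: body=20-60,MinRate=500
SLOW_POST = drip(5.0, 1, 12)         # one byte every 5 s against a 1 GB Content-Length
MOBILE_UPLOAD = drip(1.0, 600, 50)   # 30 kB form upload at 600 B/s: slow but legitimate

def demo() -> dict:
    return {
        "slow_post": read_body(POLICY, 10**9, SLOW_POST),
        "slow_post_limited": read_body(POLICY, 10**9, SLOW_POST, limit_request_body=10 * 2**20),
        "mobile_minrate": read_body(POLICY, 30_000, MOBILE_UPLOAD),
        "mobile_flat_20s": read_body(BodyTimeout(initial=20), 30_000, MOBILE_UPLOAD),
    }

if __name__ == "__main__":
    for name, (outcome, seconds) in demo().items():
        print(f"{name:18} {outcome:9} at {seconds:.3f} s")
```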
Chee and Brennan also report that botnet operators have started incorporating application layer DDoS into their bag of tricks, so we will likely be seeing more of these kinds of attacks. It may mostly be GET-based attacks for the moment, but the botnet "herders" will eventually get around to incorporating POST-based attacks as well. The researchers predict that application layer DDoS will supplant transport layer DDoS sometime in the next ten years.
DoS attacks are probably less of a problem to small-time web site operators
as the likely targets are deep-pocketed online retailers and the like.
Criminals often target those sites at particularly important points in the
calendar, like when holiday shoppers are likely to visit. It isn't too
difficult to extract a large payment from such a retailer when it is faced
with losing most of its sales at such a critical time. Those kinds of
sites should probably be gearing up—hopefully have already geared
up—for those kinds of attacks over the next month and beyond.
Brief items
The current security callbacks are absolutely nonsensical random crap slapped all
around the kernel. It increases our security complexity and has thus the opposite
effect - it makes us _less_ secure.
Did no-one think of merging the capabilities checks and the security subsystem
callbacks in some easy-to-use manner, which makes the default security policy
apparent at first sight?
--
Ingo Molnar
The Savannah front page currently reads: "There's been a SQL injection leading to leaking of encrypted account passwords, some of them discovered by brute-force attack, leading in turn to project membership access." The site is being restored to its state as of November 23; changes committed after that date will need to be redone. (Thanks to Giacomo Catenazzi).
New vulnerabilities
condor: authentication bypass
| Package(s): | condor |
| CVE #(s): | CVE-2010-4179 |
| Created: | December 1, 2010 |
| Updated: | December 1, 2010 |
| Alerts: | |

Description: The Condor management tool trusted its "trusted channel" a bit too much, enabling an attacker to submit jobs as any user (except root).
dracut: insecure /dev/systty permissions
| Package(s): | dracut |
| CVE #(s): | CVE-2010-4176 |
| Created: | November 25, 2010 |
| Updated: | December 3, 2010 |
| Alerts: | |

Description: From the Fedora advisory: It was discovered that the /dev/systty device file created by dracut-generated initramfs scripts used insecure file permissions. This could possibly allow a local user to snoop on other users' terminals.
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2010-3448, CVE-2010-3848, CVE-2010-3849, CVE-2010-3850, CVE-2010-3858, CVE-2010-3859, CVE-2010-3873, CVE-2010-3874, CVE-2010-3875, CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-4072, CVE-2010-4073, CVE-2010-4074, CVE-2010-4078, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4083, CVE-2010-4164 |
| Created: | November 29, 2010 |
| Updated: | August 9, 2011 |
| Alerts: | |

Description: From the Debian advisory:

Dan Jacobson reported an issue in the thinkpad-acpi driver. On certain Thinkpad systems, local users can cause a denial of service (X.org crash) by reading /proc/acpi/ibm/video. (CVE-2010-3448)

Nelson Elhage discovered an issue in the Econet protocol. Local users can cause a stack overflow condition with large msg->msgiovlen values that can result in a denial of service or privilege escalation. (CVE-2010-3848)

Nelson Elhage discovered an issue in the Econet protocol. Local users can cause a denial of service (oops) if a NULL remote addr value is passed as a parameter to sendmsg(). (CVE-2010-3849)

Nelson Elhage discovered an issue in the Econet protocol. Local users can assign econet addresses to arbitrary interfaces due to a missing capabilities check. (CVE-2010-3850)

Brad Spengler reported an issue in the setup_arg_pages() function. Due to a bounds-checking failure, local users can create a denial of service (kernel oops). (CVE-2010-3858)

Dan Rosenberg reported an issue in the TIPC protocol. When the tipc module is loaded, local users can gain elevated privileges via the sendmsg() system call. (CVE-2010-3859)

Dan Rosenberg reported an issue in the X.25 network protocol. Local users can cause heap corruption, resulting in a denial of service (kernel panic). (CVE-2010-3873)

Dan Rosenberg discovered an issue in the Control Area Network (CAN) subsystem on 64-bit systems. Local users may be able to cause a denial of service (heap corruption). (CVE-2010-3874)

Vasiliy Kulikov discovered an issue in the AX.25 protocol. Local users can obtain the contents of sensitive kernel memory. (CVE-2010-3875)

Vasiliy Kulikov discovered an issue in the Packet protocol. Local users can obtain the contents of sensitive kernel memory. (CVE-2010-3876)

Vasiliy Kulikov discovered an issue in the TIPC protocol. Local users can obtain the contents of sensitive kernel memory. (CVE-2010-3877)

Nelson Elhage discovered an issue in the INET_DIAG subsystem. Local users can cause the kernel to execute unaudited INET_DIAG bytecode, resulting in a denial of service. (CVE-2010-3880)

Kees Cook discovered an issue in the System V shared memory subsystem. Local users can obtain the contents of sensitive kernel memory. (CVE-2010-4072)

Dan Rosenberg discovered an issue in the System V shared memory subsystem. Local users on 64-bit systems can obtain the contents of sensitive kernel memory via the 32-bit compatible semctl() system call. (CVE-2010-4073)

Dan Rosenberg reported issues in the mos7720 and mos7840 drivers for USB serial converter devices. Local users with access to these devices can obtain the contents of sensitive kernel memory. (CVE-2010-4074)

Dan Rosenberg reported an issue in the framebuffer driver for SiS graphics chipsets (sisfb). Local users with access to the framebuffer device can obtain the contents of sensitive kernel memory via the FBIOGET_VBLANK ioctl. (CVE-2010-4078)

Dan Rosenberg reported an issue in the ivtvfb driver used for the Hauppauge PVR-350 card. Local users with access to the framebuffer device can obtain the contents of sensitive kernel memory via the FBIOGET_VBLANK ioctl. (CVE-2010-4079)

Dan Rosenberg discovered an issue in the ALSA driver for RME Hammerfall DSP audio devices. Local users with access to the audio device can obtain the contents of sensitive kernel memory via the SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl. (CVE-2010-4080)

Dan Rosenberg discovered an issue in the ALSA driver for RME Hammerfall DSP MADI audio devices. Local users with access to the audio device can obtain the contents of sensitive kernel memory via the SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl. (CVE-2010-4081)

Dan Rosenberg discovered an issue in the semctl system call. Local users can obtain the contents of sensitive kernel memory through usage of the semid_ds structure. (CVE-2010-4083)

Dan Rosenberg discovered an issue in the X.25 network protocol. Remote users can achieve a denial of service (infinite loop) by taking advantage of an integer underflow in the facility parsing code. (CVE-2010-4164)
krb5: authentication bypass
| Package(s): | krb5 |
| CVE #(s): | CVE-2010-1323, CVE-2010-1324, CVE-2010-4020 |
| Created: | December 1, 2010 |
| Updated: | December 24, 2010 |
| Alerts: | |

Description: Due to a series of checksum flaws, Kerberos protocol packets can be crafted by a remote attacker in a way which could bypass authentication mechanisms in some configurations.
krb5: privilege escalation
| Package(s): | krb5 |
| CVE #(s): | CVE-2010-4021 |
| Created: | December 1, 2010 |
| Updated: | December 24, 2010 |
| Alerts: | |

Description: From the Mandriva advisory: An authenticated remote attacker that controls a legitimate service principal could obtain a valid service ticket to itself containing valid KDC-generated authorization data for a client whose TGS-REQ it has intercepted. The attacker could then use this ticket for S4U2Proxy to impersonate the targeted client even if the client never authenticated to the subverted service. The vulnerable configuration is believed to be rare.
mono: privilege escalation
| Package(s): | mono |
| CVE #(s): | CVE-2010-4159 |
| Created: | November 25, 2010 |
| Updated: | May 3, 2011 |
| Alerts: | |

Description: From the Mandriva advisory: Untrusted search path vulnerability in metadata/loader.c in Mono 2.8 and earlier allows local users to gain privileges via a Trojan horse shared library in the current working directory (CVE-2010-4159).
openconnect: information leak
| Package(s): | openconnect |
| CVE #(s): | CVE-2010-3902 |
| Created: | November 30, 2010 |
| Updated: | December 1, 2010 |
| Alerts: | |

Description: From the Red Hat bugzilla: OpenConnect before 2.26 places the webvpn cookie value in the debugging output, which might allow remote attackers to obtain sensitive information by reading this output, as demonstrated by output posted to the public openconnect-devel mailing list.
openjdk-6: information leak
| Package(s): | openjdk-6 |
| CVE #(s): | CVE-2010-3860 |
| Created: | November 30, 2010 |
| Updated: | April 15, 2011 |
| Alerts: | |

Description: From the Ubuntu advisory: It was discovered that certain system property information was being leaked, which could allow an attacker to obtain sensitive information.
openslp: denial of service
| Package(s): | openslp |
| CVE #(s): | CVE-2010-3609 |
| Created: | November 30, 2010 |
| Updated: | April 10, 2013 |
| Alerts: | |

Description: From the openSUSE advisory: The openslp daemon could run into an endless loop when receiving specially crafted packets.
php: insufficiently random number generation
| Package(s): | php |
| CVE #(s): | CVE-2010-1128 |
| Created: | November 30, 2010 |
| Updated: | December 2, 2010 |
| Alerts: | |

Description: From the Red Hat advisory: It was discovered that the PHP lcg_value() function used insufficient entropy to seed the pseudo-random number generator. A remote attacker could possibly use this flaw to predict values returned by the function, which are used to generate session identifiers by default. This update changes the function's implementation to use more entropy during seeding.
phpmyadmin: cross-site scripting
| Package(s): | phpmyadmin |
| CVE #(s): | CVE-2010-4329 |
| Created: | November 30, 2010 |
| Updated: | December 31, 2010 |
| Alerts: | |

Description: From the Mandriva advisory: It was possible to conduct an XSS attack using a spoofed request on the db search script.
wireshark: code execution
| Package(s): | wireshark |
| CVE #(s): | CVE-2010-4300 |
| Created: | November 29, 2010 |
| Updated: | April 19, 2011 |
| Alerts: | |

Description: From the Mandriva advisory: Heap-based buffer overflow in the dissect_ldss_transfer function (epan/dissectors/packet-ldss.c) in the LDSS dissector in Wireshark 1.2.0 through 1.2.12 and 1.4.0 through 1.4.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an LDSS packet with a long digest line that triggers memory corruption.
Page editor: Jake Edge