httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <traw...@gmail.com>
Subject Re: svn commit: r891284 - /httpd/test/framework/trunk/t/security/CVE-2009-3555.t
Date Wed, 06 Jan 2010 15:30:27 GMT
On Wed, Dec 16, 2009 at 11:08 AM,  <jorton@apache.org> wrote:
> Author: jorton
> Date: Wed Dec 16 16:08:34 2009
> New Revision: 891284
>
> URL: http://svn.apache.org/viewvc?rev=891284&view=rev
> Log:
> - add test case for a prefix attack which attempts
>  to a inject additional requests beyond the
>  renegotiation.
>
> Added:
>    httpd/test/framework/trunk/t/security/CVE-2009-3555.t
>
> Added: httpd/test/framework/trunk/t/security/CVE-2009-3555.t
> URL: http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/security/CVE-2009-3555.t?rev=891284&view=auto
> ==============================================================================
> --- httpd/test/framework/trunk/t/security/CVE-2009-3555.t (added)
> +++ httpd/test/framework/trunk/t/security/CVE-2009-3555.t Wed Dec 16 16:08:34 2009
> @@ -0,0 +1,60 @@
> +use strict;
> +use warnings FATAL => 'all';
> +
> +use Apache::Test;
> +use Apache::TestRequest;
> +use Apache::TestUtil;
> +
> +plan tests => 4, need 'ssl';
> +
> +# This test case attempts only one type of attack which is possible
> +# due to the TLS renegotiation vulnerability, CVE-2009-3555.  A
> +# specific defense against this attack was added to mod_ssl in
> +# r891282.  For more information, see the dev@httpd thread beginning
> +# at message ID <4B01BD20.1060300@adnovum.ch>.
> +
> +Apache::TestRequest::set_client_cert("client_ok");
> +
> +Apache::TestRequest::module('mod_ssl');
> +
> +my $sock = Apache::TestRequest::vhost_socket('mod_ssl');
> +ok $sock && $sock->connected;
> +
> +
> +my $req = "GET /require/asf/ HTTP/1.1\r\n".
> +   "Host: " . Apache::TestRequest::hostport() . "\r\n".
> +    "\r\n".
> +    "GET /this/is/a/prefix/injection/attack HTTP/1.0\r\n".
> +    "\r\n";
> +
> +ok $sock->print($req);
> +
> +my $line = Apache::TestRequest::getline($sock) || '';

With 0.9.8l, the client busy-loops here, repeating this sequence:

alarm(600)                              = 0
alarm(0)                                = 600
rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
rt_sigaction(SIGALRM, {SIG_DFL}, {0x809aad0, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
rt_sigaction(SIGALRM, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
rt_sigaction(SIGALRM, {0x809aad0, [], 0}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0

(It seems that 600 is the read timeout.)

This resolves the loop for me:

Index: Apache-Test/lib/Apache/TestRequest.pm
===================================================================
--- Apache-Test/lib/Apache/TestRequest.pm	(revision 895795)
+++ Apache-Test/lib/Apache/TestRequest.pm	(working copy)
@@ -303,7 +303,7 @@
         do {
             $self->read($c, 1);
             $buf .= $c;
-        } until ($c eq "\n");
+        } until ($c eq "\n" || $c eq "");
         $buf;
     },
 );

Mime
View raw message