Classification
Title: CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request
Type: security
Stage: resolved
Components: Library (Lib), XML
Versions: Python 3.3, Python 3.2, Python 3.1, Python 2.7, Python 2.6

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: Arfrever, dmalcolm, ezio.melotti, flox, iankko, loewis, neologix, orsenthil, pitrou, python-dev, rosslagerwall, schmir
Priority: normal
Keywords: patch

Created on 2012-02-13 13:45 by iankko, last changed 2012-02-19 10:23 by neologix. This issue is now closed.

Files
File name | Uploaded
xmlrpc_loop.diff | neologix, 2012-02-13 20:27
xmlrpc_loop-1.diff | neologix, 2012-02-14 18:27

Messages (10)
msg153267 - Author: Jan Lieskovsky (iankko) Date: 2012-02-13 13:45
A denial of service flaw was found in the way the Simple XML-RPC Server module of Python processed client connections that were closed before the complete request body had been received. A remote attacker could use this flaw to cause a Python Simple XML-RPC based server process to consume an excessive amount of CPU.

Credit:
Issue reported by Daniel Callaghan

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=789790

Steps to reproduce:
------------------
A) for v3.2.2 version:

1) start server:
cat s.py 
#!/usr/local/bin/python3

from xmlrpc.server import SimpleXMLRPCServer
server = SimpleXMLRPCServer(('127.0.0.1', 12345))
server.serve_forever()

2) # top

3) issue request from client:
echo -e 'POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye' | nc localhost 12345

Return to the 'top' screen and see how CPU consumption on the particular host quickly moves to 100%.

B) for v2.7.2 version:

1) start server:

cat s.py 
#!/usr/bin/python

from SimpleXMLRPCServer import SimpleXMLRPCServer

server = SimpleXMLRPCServer(('127.0.0.1', 12345))
server.serve_forever()

Steps 2) and 3) for v2.7.2 version are identical to
those for v3.2.2 version.
msg153270 - Author: Jan Lieskovsky (iankko) Date: 2012-02-13 14:06
CVE request:
[2] http://www.openwall.com/lists/oss-security/2012/02/13/3
msg153296 - Author: Charles-François Natali (neologix) * (Python committer) Date: 2012-02-13 20:27
SimpleXMLRPCRequestHandler.do_POST() is simply looping on EOF.
The patch attached fixes this (the server doesn't seem to generate an error in response to this partial request though).
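
The loop-on-EOF behaviour described in the message above, as an added example that is not part of the original thread and is not the attached patch: `read_body_unchecked` and `read_body_checked` are hypothetical helpers, `MAX_CHUNK` is an assumed per-read cap, and the input is the constructed 8-byte body from the reproduction steps declared as 100 bytes.

```python
import io

MAX_CHUNK = 10 * 1024 * 1024  # per-read cap (assumed value for this sketch)


def read_body_unchecked(rfile, content_length, max_reads=1000):
    """Pre-fix pattern: loop until Content-Length bytes arrive, no EOF check.

    max_reads is a guard added for this demo only; without it the loop
    never ends once read() starts returning b"" at EOF.
    Returns (data, reads, gave_up).
    """
    remaining, chunks, reads = content_length, [], 0
    while remaining:
        if reads >= max_reads:
            return b"".join(chunks), reads, True
        chunk = rfile.read(min(remaining, MAX_CHUNK))
        reads += 1
        chunks.append(chunk)
        remaining -= len(chunk)      # b"" at EOF: remaining never shrinks
    return b"".join(chunks), reads, False


def read_body_checked(rfile, content_length):
    """Hardened pattern: treat an empty read as EOF and stop.

    Returns (data, reads, complete).
    """
    remaining, chunks, reads = content_length, [], 0
    while remaining:
        chunk = rfile.read(min(remaining, MAX_CHUNK))
        reads += 1
        if not chunk:                # peer closed before sending full body
            break
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks), reads, remaining == 0


# Constructed input: the body sent by the echo | nc command in the report.
BODY = b"lol bye\n"

if __name__ == "__main__":
    print(read_body_unchecked(io.BytesIO(BODY), 100))
    print(read_body_checked(io.BytesIO(BODY), 100))
```

A caller of the checked variant should treat `complete == False` as a truncated request rather than pass the partial body on for XML parsing.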
msg153336 - Author: Jan Lieskovsky (iankko) Date: 2012-02-14 11:25
The CVE identifier of CVE-2012-0845 has been assigned to this issue:
[3] http://www.openwall.com/lists/oss-security/2012/02/13/4
msg153356 - Author: Charles-François Natali (neologix) * (Python committer) Date: 2012-02-14 18:27
With test.
test_xmlrpc has timeout detection code which is simply broken (and it's actually documented): I just removed it, so if the server loops, the test will block. I think it's acceptable since other tests behave in the same way, and these days we have faulthandler that can be used to pinpoint such deadlocks/loops easily. Also, I've noticed that people are more inclined to fix tests that block than merely failing tests :-)
msg153375 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-02-14 22:34
The patch looks ok to me.
msg153396 - Author: Martin v. Löwis (loewis) * (Python committer) Date: 2012-02-15 08:29
As a security issue, it applies to 2.6 and 3.1 as well.
msg153431 - Author: Charles-François Natali (neologix) * (Python committer) Date: 2012-02-15 20:16
The test fails on 2.6 and 2.7, because of an EPIPE, which is normal in
this case (well, at least expected):
"""
test_partial_post (test.test_xmlrpc.SimpleServerTestCase) ...
----------------------------------------
Exception happened during processing of request from ('127.0.0.1', 47844)
Traceback (most recent call last):
  File "/home/cf/python/cpython/Lib/SocketServer.py", line 283, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/home/cf/python/cpython/Lib/SocketServer.py", line 309, in process_request
    self.finish_request(request, client_address)
  File "/home/cf/python/cpython/Lib/SocketServer.py", line 322, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/home/cf/python/cpython/Lib/SocketServer.py", line 617, in __init__
    self.handle()
  File "/home/cf/python/cpython/Lib/BaseHTTPServer.py", line 329, in handle
    self.handle_one_request()
  File "/home/cf/python/cpython/Lib/BaseHTTPServer.py", line 323, in handle_one_request
    method()
  File "/home/cf/python/cpython/Lib/SimpleXMLRPCServer.py", line 490, in do_POST
    self.send_response(200)
  File "/home/cf/python/cpython/Lib/BaseHTTPServer.py", line 384, in send_response
    self.send_header('Server', self.version_string())
  File "/home/cf/python/cpython/Lib/BaseHTTPServer.py", line 390, in send_header
    self.wfile.write("%s: %s\r\n" % (keyword, value))
  File "/home/cf/python/cpython/Lib/socket.py", line 318, in write
    self.flush()
  File "/home/cf/python/cpython/Lib/socket.py", line 297, in flush
    self._sock.sendall(buffer(data, write_offset, buffer_size))
error: [Errno 32] Broken pipe
"""

What should I do? Remove the test?
msg153644 - Author: Roundup Robot (python-dev) Date: 2012-02-18 14:03
New changeset 24244a744d01 by Charles-François Natali in branch '2.6':
Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
http://hg.python.org/cpython/rev/24244a744d01

New changeset 0c02f30b2538 by Charles-François Natali in branch '2.7':
Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
http://hg.python.org/cpython/rev/0c02f30b2538

New changeset 4dd5a94fd3e3 by Charles-François Natali in branch '3.1':
Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
http://hg.python.org/cpython/rev/4dd5a94fd3e3

New changeset cd67740ce653 by Charles-François Natali in branch '3.2':
Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
http://hg.python.org/cpython/rev/cd67740ce653

New changeset 5756b295b6fb by Charles-François Natali in branch 'default':
Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
http://hg.python.org/cpython/rev/5756b295b6fb
msg153696 - Author: Charles-François Natali (neologix) * (Python committer) Date: 2012-02-19 10:23
Committed, thanks!

History
Date | User | Action | Args
2012-02-19 10:23:55 | neologix | set | status: open -> closed; resolution: fixed; messages: + msg153696; stage: patch review -> resolved
2012-02-18 14:03:11 | python-dev | set | nosy: + python-dev; messages: + msg153644
2012-02-15 20:16:13 | neologix | set | messages: + msg153431
2012-02-15 08:29:27 | loewis | set | messages: + msg153396; versions: + Python 2.6, Python 3.1
2012-02-14 22:34:38 | pitrou | set | nosy: + pitrou; messages: + msg153375
2012-02-14 18:27:42 | neologix | set | files: + xmlrpc_loop-1.diff; messages: + msg153356
2012-02-14 13:54:55 | pitrou | set | stage: needs patch -> patch review
2012-02-14 12:29:24 | orsenthil | set | nosy: + orsenthil
2012-02-14 11:25:30 | iankko | set | messages: + msg153336; title: Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request -> CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request
2012-02-13 21:26:21 | Arfrever | set | nosy: + Arfrever
2012-02-13 20:27:47 | neologix | set | files: + xmlrpc_loop.diff; nosy: + neologix; messages: + msg153296; keywords: + patch
2012-02-13 16:37:29 | dmalcolm | set | nosy: + dmalcolm
2012-02-13 16:30:48 | rosslagerwall | set | nosy: + rosslagerwall
2012-02-13 14:18:50 | flox | set | nosy: + flox; components: + XML; versions: + Python 3.3
2012-02-13 14:06:26 | iankko | set | messages: + msg153270
2012-02-13 13:54:05 | ezio.melotti | set | nosy: + loewis, ezio.melotti; stage: needs patch
2012-02-13 13:48:51 | schmir | set | nosy: + schmir
2012-02-13 13:45:33 | iankko | create |