CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request #58209

Closed
iankko mannequin opened this issue Feb 13, 2012 · 10 comments
Labels
stdlib Python modules in the Lib dir topic-XML type-security A security issue

Comments

iankko mannequin commented Feb 13, 2012

BPO 14001
Nosy @loewis, @orsenthil, @pitrou, @ezio-melotti, @florentx, @davidmalcolm
Files
  • xmlrpc_loop.diff
  • xmlrpc_loop-1.diff
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = None
    closed_at = <Date 2012-02-19.10:23:55.593>
    created_at = <Date 2012-02-13.13:45:33.860>
    labels = ['type-security', 'expert-XML', 'library']
    title = 'CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request'
    updated_at = <Date 2021-11-04.14:29:45.496>
    user = 'https://bugs.python.org/iankko'

    bugs.python.org fields:

    activity = <Date 2021-11-04.14:29:45.496>
    actor = 'erlendaasland'
    assignee = 'none'
    closed = True
    closed_date = <Date 2012-02-19.10:23:55.593>
    closer = 'neologix'
    components = ['Library (Lib)', 'XML']
    creation = <Date 2012-02-13.13:45:33.860>
    creator = 'iankko'
    dependencies = []
    files = ['24513', '24522']
    hgrepos = []
    issue_num = 14001
    keywords = ['patch']
    message_count = 10.0
    messages = ['153267', '153270', '153296', '153336', '153356', '153375', '153396', '153431', '153644', '153696']
    nosy_count = 12.0
    nosy_names = ['loewis', 'orsenthil', 'pitrou', 'schmir', 'ezio.melotti', 'Arfrever', 'iankko', 'flox', 'dmalcolm', 'neologix', 'rosslagerwall', 'python-dev']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue14001'
    versions = ['Python 3.1']


    A denial of service flaw was found in the way the Simple XML-RPC Server module of Python processed client connections that were closed before the complete request body had been received. A remote attacker could use this flaw to cause a Python Simple XML-RPC based server process to consume an excessive amount of CPU.

    Credit:
    Issue reported by Daniel Callaghan

    References:
    [1] https://bugzilla.redhat.com/show_bug.cgi?id=789790

    Steps to reproduce:
    ------------------
    A) for v3.2.2 version:

    1. start server:
      cat s.py
      #!/usr/local/bin/python3
      from xmlrpc.server import SimpleXMLRPCServer
      server = SimpleXMLRPCServer(('127.0.0.1', 12345))
      server.serve_forever()

    2. top

    3. issue request from client:
      echo -e 'POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye' | nc localhost 12345

    Return to 'top' screen and see how CPU consumption on particular host quickly moves to 100%.

    B) for v2.7.2 version:

    1. start server:

    cat s.py
    #!/usr/bin/python

    from SimpleXMLRPCServer import SimpleXMLRPCServer
    
    server = SimpleXMLRPCServer(('127.0.0.1', 12345))
    server.serve_forever()

    Steps 2) and 3) for v2.7.2 version are identical to
    those for v3.2.2 version.

    @iankko iankko mannequin added stdlib Python modules in the Lib dir type-security A security issue labels Feb 13, 2012
    iankko mannequin commented Feb 13, 2012

    @florentx florentx mannequin added the topic-XML label Feb 13, 2012
    neologix mannequin commented Feb 13, 2012

    SimpleXMLRPCRequestHandler.do_POST() is simply looping on EOF.
    The patch attached fixes this (the server doesn't seem to generate an error in response to this partial request though).
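
An added illustration of the loop-on-EOF condition named in the comment above; it is not part of the thread, not the stdlib code and not the attached patch. `read_body`, `handle_truncated_post`, `SPIN_LIMIT` and the chunk size are names and values assumed for this sketch, and the request bytes are constructed.

```python
import socket

MAX_CHUNK = 10 * 1024 * 1024  # per-read ceiling (assumed value)
SPIN_LIMIT = 1000             # demo-only cap so the unguarded loop returns

def read_body(rfile, size_remaining, stop_on_eof):
    """Read size_remaining bytes in chunks; return (body, reads, spun)."""
    chunks, reads = [], 0
    while size_remaining:
        if reads >= SPIN_LIMIT:
            # Without this cap the unguarded loop would spin forever.
            return b"".join(chunks), reads, True
        chunk = rfile.read(min(size_remaining, MAX_CHUNK))
        reads += 1
        if stop_on_eof and not chunk:
            break  # peer closed: every further read() returns b""
        chunks.append(chunk)
        size_remaining -= len(chunk)
    return b"".join(chunks), reads, False

def handle_truncated_post(stop_on_eof):
    """Feed one constructed, truncated POST through read_body()."""
    client, server = socket.socketpair()
    # Constructed request: declares 100 body bytes, sends 7, then closes.
    client.sendall(b"POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye")
    client.close()
    declared = 0
    with server, server.makefile("rb") as rfile:
        while True:
            line = rfile.readline()
            if line in (b"\r\n", b""):  # end of headers, or EOF
                break
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                declared = int(value.strip())
        body, reads, spun = read_body(rfile, declared, stop_on_eof)
    # received < declared marks a malformed request the caller can reject.
    return {"declared": declared, "received": len(body),
            "reads": reads, "spun": spun}

if __name__ == "__main__":
    print("no EOF check:", handle_truncated_post(stop_on_eof=False))
    print("EOF check:   ", handle_truncated_post(stop_on_eof=True))
```

The same shape makes a regression check for any handler that reads a declared `Content-Length`: the guarded path must return after a bounded number of reads and report the short body.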

    iankko mannequin commented Feb 14, 2012

    The CVE identifier of CVE-2012-0845 has been assigned to this issue:
    [3] http://www.openwall.com/lists/oss-security/2012/02/13/4

    @iankko iankko mannequin changed the title from "Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request" to "CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request" Feb 14, 2012
    neologix mannequin commented Feb 14, 2012

    With test.
    test_xmlrpc has a timeout detection code which is simply broken (and it's actually documented): I just removed it, so if the server loops, the test will block. I think it's acceptable since other tests behave in the same way, and these days we have faulthandler that can be used to pinpoint such deadlocks/loops easily. Also, I've noticed that people are more inclined to fix tests that block than mere failing tests :-)

    pitrou commented Feb 14, 2012

    The patch looks ok to me.

    loewis mannequin commented Feb 15, 2012

    As a security issue, it applies to 2.6 and 3.1 as well.

    neologix mannequin commented Feb 15, 2012

    The test fails on 2.6 and 2.7, because of an EPIPE, which is normal in this case (well, at least expected):
    """
    test_partial_post (test.test_xmlrpc.SimpleServerTestCase) ...
    ----------------------------------------

    Exception happened during processing of request from ('127.0.0.1', 47844)
    Traceback (most recent call last):
      File "/home/cf/python/cpython/Lib/SocketServer.py", line 283, in _handle_request_noblock
        self.process_request(request, client_address)
      File "/home/cf/python/cpython/Lib/SocketServer.py", line 309, in process_request
        self.finish_request(request, client_address)
      File "/home/cf/python/cpython/Lib/SocketServer.py", line 322, in finish_request
        self.RequestHandlerClass(request, client_address, self)
      File "/home/cf/python/cpython/Lib/SocketServer.py", line 617, in __init__
        self.handle()
      File "/home/cf/python/cpython/Lib/BaseHTTPServer.py", line 329, in handle
        self.handle_one_request()
      File "/home/cf/python/cpython/Lib/BaseHTTPServer.py", line 323, in handle_one_request
        method()
      File "/home/cf/python/cpython/Lib/SimpleXMLRPCServer.py", line 490, in do_POST
        self.send_response(200)
      File "/home/cf/python/cpython/Lib/BaseHTTPServer.py", line 384, in send_response
        self.send_header('Server', self.version_string())
      File "/home/cf/python/cpython/Lib/BaseHTTPServer.py", line 390, in send_header
        self.wfile.write("%s: %s\r\n" % (keyword, value))
      File "/home/cf/python/cpython/Lib/socket.py", line 318, in write
        self.flush()
      File "/home/cf/python/cpython/Lib/socket.py", line 297, in flush
        self._sock.sendall(buffer(data, write_offset, buffer_size))
    error: [Errno 32] Broken pipe
    """

    What should I do? Remove the test?

    python-dev mannequin commented Feb 18, 2012

    New changeset 24244a744d01 by Charles-François Natali in branch '2.6':
    Issue bpo-14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
    http://hg.python.org/cpython/rev/24244a744d01

    New changeset 0c02f30b2538 by Charles-François Natali in branch '2.7':
    Issue bpo-14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
    http://hg.python.org/cpython/rev/0c02f30b2538

    New changeset 4dd5a94fd3e3 by Charles-François Natali in branch '3.1':
    Issue bpo-14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
    http://hg.python.org/cpython/rev/4dd5a94fd3e3

    New changeset cd67740ce653 by Charles-François Natali in branch '3.2':
    Issue bpo-14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
    http://hg.python.org/cpython/rev/cd67740ce653

    New changeset 5756b295b6fb by Charles-François Natali in branch 'default':
    Issue bpo-14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
    http://hg.python.org/cpython/rev/5756b295b6fb

    neologix mannequin commented Feb 19, 2012

    Committed, thanks!

    @neologix neologix mannequin closed this as completed Feb 19, 2012
    @ahmedsayeed1982 ahmedsayeed1982 mannequin added topic-email and removed stdlib Python modules in the Lib dir topic-XML labels Nov 4, 2021
    @erlend-aasland erlend-aasland added stdlib Python modules in the Lib dir topic-XML and removed topic-email labels Nov 4, 2021
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022