CPU time
If the language does not provide a randomized hash function and the
application server does not detect multi-collision attacks, an
attacker can degrade the hash table by sending many colliding
keys. The algorithmic complexity of inserting n elements into the table
then rises to O(n^2), making it possible to exhaust hours of CPU time
with a single HTTP request.
This issue has been known since at least 2003 and has influenced Perl
and CRuby 1.9 to change their hash functions to include randomization.
Details:
A single HTTP request with the Content-Length header set to a value
greater than zero, in a request with no body, will cause the
P4Webs.exe process to consume up to 99% of CPU time on the target
system.
The attack can be executed remotely. No authentication is required
for exploitation.
14/12/2008 : Attached the correct POC file (mea culpa) and a stack trace and details
of memory corruption that repeatedly occurred during testing the POC
24/12/2008 : dveditz@mozilla.com comments : "I can definitely confirm the denial
of service aspect, and there's a very minor memory leak (after 9
hours of CPU time memory use went from 60MB to 360MB). Haven't been
able to reproduce a crash."
27/05/2009 : The 4 month grace period [2] given is reached. Release of this advisory.
> some do attempt to fix this by disabling all possible functions that
> can execute something like exec, system, eval, etc. but it is not
> limited to that. The same long wait can be achieved with fsockopen or
> any other stream function like fread, fwrite, etc. Even if your wait
> is limited to 60 seconds you can just repeat it in a simple loop and
> still maintain the very low actual cpu time usage.
>
> This is and has never been a security hole or threat. It will also
> never be. It is just an annoyance for which many solutions are already
> available.
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) 40000
open files (-n) 11095
pipe size (512 bytes, -p) 1
stack size (kbytes, -s) 65536
cpu time (seconds, -t) unlimited
max user processes (-u) 5547
virtual memory (kbytes, -v) 40000
swap size (kbytes, -w) unlimited
[cx@82 /www]$ cat define.php
<?php
5. Vulnerability Details
========================
If a message containing packets of a specific size is sent to the JDENET service, a denial of service condition is triggered, because the kernel in
charge of dispatching those packets uses all the available CPU time.
Further technical details about this issue are not disclosed at this moment, in order to give affected customers enough time to patch
their systems and protect against exploitation of the described vulnerability.
6. Solution
8.2. *Remarks*
As a side effect, the 'fbserver.exe' process will enter an infinite
loop, consuming 100% CPU time.
On Windows platform, in a default installation, Firebird SQL server is
installed as a Windows service, and another service (the Firebird
Guardian) runs together with the server, in order to automatically
restart the 'fbserver.exe' process if it crashes or stops running
that exceeds the Content-Length value, which allows remote attackers
to cause a denial of service (CPU consumption) via crafted requests
(CVE-2009-1890).
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects (CVE-2009-1891).
This update provides fixes for these vulnerabilities.
_______________________________________________________________________
handled certain malformed NTP packets. ntpd logged information about
all such packets and replied with an NTP packet that was treated as
malformed when received by another ntpd. A remote attacker could use
this flaw to create an NTP packet reply loop between two ntpd servers
via a malformed packet with a spoofed source IP address and port,
causing ntpd on those servers to use excessive amounts of CPU time
and fill disk space with log messages (CVE-2009-3563).
This update provides a solution to this vulnerability.
_______________________________________________________________________
execute arbitrary code.
CVE-2008-1294
David Peer discovered that users could escape administrator imposed cpu
time limitations (RLIMIT_CPU) by setting a limit of 0.
CVE-2008-1375
Alexander Viro discovered a race condition in the directory notification
subsystem that allows local users to cause a Denial of Service (oops)
SA-2012-L119-003 Hash collisions in AWS
Problem: Impacted versions of AWS store key/value pairs from submitted
form data in hash tables using a hash function that has
predictable collisions. As a result, a single specially crafted
HTTP request can cause the server to use hours of CPU time,
thus causing a denial of service.
Impact: All AWS releases and wavefronts prior to 2012-01-21
Status: This was fixed in AWS 2.11 and 2.10.2 on 2012-01-21
The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in
the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13
allows remote FTP servers to cause a denial of service (NULL pointer
> In this case a security policy has been designated with the
> "max_execution_time" directive and that policy is being
> violated by the blocking code.
No, it is not, since "execution time" here is defined as CPU time. This
"vulnerability" report is factually incorrect, as well as pointless.
> As with any vulnerability it is the vendor's responsibility
> to provide a fix and protect its users.
CVE-2011-2484
Vasiliy Kulikov of Openwall discovered that the number of exit handlers that
a process can register is not capped, resulting in local denial of service
through resource exhaustion (cpu time and memory).
CVE-2011-2491
Vasily Averin discovered an issue with the NFS locking implementation. A
malicious NFS server can cause a client to hang indefinitely in an unlock
certain safe-level restrictions (CVE-2008-3655).
A denial of service vulnerability was found in Ruby's HTTP server
toolkit, WEBrick. A remote attacker could send a specially-crafted
HTTP request to a WEBrick server that would cause it to use an
excessive amount of CPU time (CVE-2008-3656).
An insufficient taintness check issue was found in Ruby's DL module,
a module that provides direct access to the C language functions.
This flaw could be used by an attacker to bypass intended safe-level
restrictions by calling external C functions with the arguments from
max_execution_time is *CPU EXECUTION* time and not
*WALL-CLOCK* time -- reread the definition from the PHP man pages.
Since you are doing sleep() in the script, which is suspending the
process (script), no CPU time is accruing for that process (script),
therefore you do not hit the max_execution_time. This is completely
working as intended and is consistent with a Unix/Posix model. Now,
if you want a wall-clock alarm/termination, that is a completely
different issue and should be handled via a different mechanism, don't
confuse the two.
packets. ntpd logged information about all such packets and replied
with an NTP packet that was treated as malformed when received by
another ntpd. A remote attacker could use this flaw to create an NTP
packet reply loop between two ntpd servers through a malformed packet
with a spoofed source IP address and port, causing ntpd on those
servers to use excessive amounts of CPU time and fill disk space with
log messages.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-3563 to this issue.