CPU usage
XAMPP for Windows setup filename: xampp-win32-1.7.2.exe
PHP Version 5.3.0
Timeline:
12:30 - started the attack
12:30 + few seconds: CPU usage => 100%
Within a few seconds the web server stops responding: 65535 temporary
files have been created and no further files can be created.
On XAMPP for Windows, PHP is creating the temporary files in
C:\xampp\tmp (if your XAMPP installation was in C:\xampp\)
If the language does not provide a randomized hash function or the
application server does not recognize attacks using multi-collisions, an
attacker can degenerate the hash table by sending lots of colliding
keys. The algorithmic complexity of inserting n elements into the table
then goes to O(n**2), making it possible to exhaust hours of CPU time
using a single HTTP request.
This issue has been known since at least 2003 and has influenced Perl
and CRuby 1.9 to change their hash functions to include randomization.
Details:
A single HTTP request with the Content-Length header set to a value
greater than zero, but carrying no body, will cause the P4Webs.exe
process to consume up to 99% of CPU time on the target system.
The attack can be executed remotely. No authentication is required
for exploitation.
Successful exploitation of the above vulnerabilities allows execution
of arbitrary code.
4) A logic error when parsing long tokens can result in an infinite
loop. Exploitation will result in maximum CPU usage until an
application-configured timeout expires. In some cases memory usage
will increase until the OS terminates the process.
======================================================================
5) Solution
CVE-2011-2484
Vasiliy Kulikov of Openwall discovered that the number of exit handlers that
a process can register is not capped, resulting in local denial of service
through resource exhaustion (cpu time and memory).
CVE-2011-2491
Vasily Averin discovered an issue with the NFS locking implementation. A
malicious NFS server can cause a client to hang indefinitely in an unlock
execute arbitrary code.
CVE-2008-1294
David Peer discovered that users could escape administrator imposed cpu
time limitations (RLIMIT_CPU) by setting a limit of 0.
CVE-2008-1375
Alexander Viro discovered a race condition in the directory notification
subsystem that allows local users to cause a Denial of Service (oops)
certain safe-level restrictions (CVE-2008-3655).
A denial of service vulnerability was found in Ruby's HTTP server
toolkit, WEBrick. A remote attacker could send a specially-crafted
HTTP request to a WEBrick server that would cause it to use an
excessive amount of CPU time (CVE-2008-3656).
An insufficient taintness check issue was found in Ruby's DL module,
a module that provides direct access to the C language functions.
This flaw could be used by an attacker to bypass intended safe-level
restrictions by calling external C functions with the arguments from
> because it would leave the language almost useless. Although some do attempt
> to fix this by disabling all possible functions that can execute something
> like exec, system, eval, etc. but it is not limited to that. The same long
> wait can be achieved with fsockopen or any other stream function like fread,
> fwrite, etc. Even if your wait is limited to 60 seconds you can just repeat
> it in a simple loop and still maintain the very low actual cpu time usage.
>
> This is and has never been a security hole or threat. It will also never be.
> It is just an annoyance for which many solutions are already available.
>
> Greetings,
14/12/2008 : Attached the correct POC file (mea culpa) and a stack trace and details
of memory corruption that repeatedly occurred during testing the POC
24/12/2008 : dveditz@mozilla.com comments : "I can definitely confirm the denial
of service aspect, and there's a very minor memory leak (after 9
hours of CPU time memory use went from 60MB to 360MB). Haven't been
able to reproduce a crash."
27/05/2009 : The 4 month grace period [2] given is reached. Release of this advisory.
specially crafted content from a guest virtual machine to exploit this
vulnerability. As a result, an attacker logged with admin privileges on
a guest VM may cause:
1. All applications in virtual machines stop responding.
2. The host kernel CPU usage rises up to 100%.
3. The host machine is unable to reboot (It shows the close window
but it never performs the host rebooting).
The vulnerability could not be exploited remotely or by anonymous users.
execute arbitrary code.
packets. ntpd logged information about all such packets and replied
with an NTP packet that was treated as malformed when received by
another ntpd. A remote attacker could use this flaw to create an NTP
packet reply loop between two ntpd servers through a malformed packet
with a spoofed source IP address and port, causing ntpd on those
servers to use excessive amounts of CPU time and fill disk space with
log messages.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-3563 to this issue.
that exceeds the Content-Length value, which allows remote attackers
to cause a denial of service (CPU consumption) via crafted requests
(CVE-2009-1890).
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects (CVE-2009-1891).
This update provides fixes for these vulnerabilities.
_______________________________________________________________________
scripts, then it's a vulnerability, and not one which is easily fixed.
OTOH, if you merely consider it a precaution against "runaway"
scripts, which aren't actively trying to evade such constraints, then
it's just a limitation (and, AFAICT, an intentional one, i.e. it's
only intended to limit CPU usage).
> I am of the opinion that PHP ... should automatically interrupt any
> processes in the process tree from the current script execution
That's easier said than done, particularly if you are trying to
handled certain malformed NTP packets. ntpd logged information about
all such packets and replied with an NTP packet that was treated as
malformed when received by another ntpd. A remote attacker could use
this flaw to create an NTP packet reply loop between two ntpd servers
via a malformed packet with a spoofed source IP address and port,
causing ntpd on those servers to use excessive amounts of CPU time
and fill disk space with log messages (CVE-2009-3563).
This update provides a solution to this vulnerability.
_______________________________________________________________________
8.2. *Remarks*
As a side effect, the 'fbserver.exe' process will enter an infinite
loop, consuming 100% CPU time.
On Windows platform, in a default installation, Firebird SQL server is
installed as a Windows service, and another service (the Firebird
Guardian) runs together with the server, in order to automatically
restart the 'fbserver.exe' process if it crashes or stops running
CVE-2010-1849
MySQL could be tricked into reading packets indefinitely if it received a
packet larger than the maximum size of one packet.
This results in high CPU usage and thus a denial of service condition.
CVE-2010-1850
MySQL was susceptible to a buffer-overflow attack due to a
max_execution_time is *CPU EXECUTION* time and not
*WALL-CLOCK* time -- reread the definition from the PHP man pages.
Since you are doing sleep() in the script, which is suspending the
process (script), no CPU time is accruing for that process (script),
therefore you do not hit the max_execution_time. This is completely
working as intended and is consistent with a Unix/Posix model. Now,
if you want a wall-clock alarm/termination, that is a completely
different issue and should be handled via a different mechanism, don't
confuse the two.
With the malicious config, when we open the server by double clicking rmserver.exe at C:\Program Files\Real\Helix Server\Bin
or
Start -> Programs -> Helix Mobile Server -> Helix Mobile Server
the rmserver.exe process CPU usage will shoot up to 90+ percent and remain there !!!
A flaw was found in the APR library, which could be exploited through
Apache HTTPD's mod_autoindex. If a directory indexed by mod_autoindex
contained files with sufficiently long names, a remote attacker could
send a carefully crafted request which would cause excessive CPU
usage. This could be used in a denial of service attack.
For the oldstable distribution (lenny), this problem has been fixed in
version 1.2.12-5+lenny3.
For the stable distribution (squeeze), this problem has been fixed in
not properly reacting to certain incoming packets.
Unexpected NTP mode 7 packets (MODE_PRIVATE) with spoofed IP data can lead
ntpd to reply with a mode 7 response to the spoofed address. This may result
in the service playing packet ping-pong with other NTP servers, or even with itself,
which causes high CPU usage and excessive disk use due to logging. An attacker
can use this to conduct denial of service attacks.
For the oldstable distribution (etch), this problem has been fixed in
version 1:4.2.2.p4+dfsg-2etch4.
The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in
the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13
allows remote FTP servers to cause a denial of service (NULL pointer
A flaw was found in the APR library, which could be exploited through
Apache HTTPD's mod_autoindex. If a directory indexed by mod_autoindex
contained files with sufficiently long names, a remote attacker could
send a carefully crafted request which would cause excessive CPU
usage. This could be used in a denial of service attack.
For the oldstable distribution (lenny), this problem has been fixed in
version 1.2.12-5+lenny4.