An OpenSource VooDoo cIRCle - security advisory 20080904-01


Persistent URL of this advisory is available at http://voodoo-circle.sourceforge.net/sa/sa-20080904-01.html

Summary

In POSIX environments, when the bot is built against the GnuTLS library and the pthread library (the default), a resource leak exists. The vulnerability can be exploited over the network as a denial-of-service attack. There is no breach of data confidentiality or data integrity. The vulnerability was discovered by the author and is fixed in the CVS repository.

In-depth

The file "params.h" defines the preprocessor constants "DH_RSA_REGENERATION_NUM_SECS", which defaults to 12 hours, and "DH_RSA_REGENERATION_NUM_TRANSACTIONS", which defaults to 500. These two constants are used only when the bot is compiled against the GnuTLS library and control how often the RSA and DH parameters are regenerated: every 12 hours or every 500 SSL connections, whichever comes first. Regeneration runs in a separate thread, and in the file "ssl.cpp" the pthread_join() call that reclaims that thread's resources after it has ended was missing, so every regeneration left behind an exited but unjoined thread whose stack stays mapped for the life of the process. A malicious local or remote user can exploit this by connecting to and disconnecting from an SSL-enabled listening socket many times, forcing a regeneration (and one more leaked thread) every 500 connections.
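The regeneration trigger and the thread-handle handling described above, as an added example in C that is not code from the VooDoo cIRCle tree: simulate() drives a fixed number of connect/disconnect cycles at a constant clock (so only the 500-transaction trigger fires) and a policy selects between the original behaviour (handle overwritten, thread never joined), the patched behaviour (join before the handle is reused and again at shutdown), and the alternative of detaching the thread at creation. The two constants mirror params.h; the state struct, the policy enum, the CPU-burning thread body and the timestamp are constructed for this example.

```c
/* Added example modelling the DH/RSA regeneration thread handling from the
 * advisory. Not code from VooDoo cIRCle; the thread body only burns CPU in
 * place of real parameter generation. Build with: cc -pthread regen.c */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define DH_RSA_REGENERATION_NUM_SECS (12 * 60 * 60)   /* 12 hours, as in params.h */
#define DH_RSA_REGENERATION_NUM_TRANSACTIONS 500       /* as in params.h */

enum thread_policy { POLICY_LEAK, POLICY_JOIN, POLICY_DETACH };

typedef struct {                /* constructed state, stands in for ssl.cpp statics */
    time_t last_dh_rsa_gen;
    unsigned num_transactions;
    pthread_t thread;
    bool thread_valid;          /* handle names a created, not yet joined/detached thread */
    unsigned created, joined, detached;
} regen_state;

static void *ssl_dh_thread(void *arg)
{
    (void)arg;
    volatile unsigned long acc = 0;      /* stand-in for DH/RSA parameter generation */
    for (unsigned long i = 0; i < 200000; i++) acc += i;
    return NULL;
}

/* Same condition as ssl.cpp: 12 hours elapsed OR 500 transactions, whichever first. */
bool regen_due(const regen_state *s, time_t now)
{
    return s->last_dh_rsa_gen + DH_RSA_REGENERATION_NUM_SECS < now
        || s->num_transactions >= DH_RSA_REGENERATION_NUM_TRANSACTIONS;
}

/* Reclaim the previous regeneration thread (if any) according to the policy. */
static void reap_previous(regen_state *s, enum thread_policy p)
{
    if (!s->thread_valid) return;
    if (p == POLICY_JOIN && pthread_join(s->thread, NULL) == 0)
        s->joined++;                     /* stack and thread descriptor freed here */
    /* POLICY_LEAK: the handle is simply overwritten by the next create; the
     * finished thread is never joined, so its stack mapping is never released.
     * POLICY_DETACH: nothing to do, a detached thread frees itself on exit. */
    s->thread_valid = false;
}

/* One SSL connection (accept + close). Returns true if a regeneration was started. */
bool on_ssl_connection(regen_state *s, time_t now, enum thread_policy p)
{
    s->num_transactions++;
    if (!regen_due(s, now)) return false;
    s->num_transactions = 0;
    s->last_dh_rsa_gen = now;
    reap_previous(s, p);
    if (pthread_create(&s->thread, NULL, ssl_dh_thread, NULL) != 0)
        return false;                    /* handle stays invalid on failure */
    s->created++;
    if (p == POLICY_DETACH) {
        pthread_detach(s->thread);       /* resources reclaimed automatically on exit */
        s->detached++;
    } else {
        s->thread_valid = true;
    }
    return true;
}

/* True if the 12-hour clock alone (no transactions) triggers a regeneration. */
bool time_trigger_fires(long seconds_since_last_gen)
{
    regen_state s = {0};
    s.last_dh_rsa_gen = 1220486400;      /* constructed: 2008-09-04 00:00 UTC */
    return regen_due(&s, s.last_dh_rsa_gen + seconds_since_last_gen);
}

/* Drive `connections` connect/disconnect cycles (the attacker's traffic) at a
 * fixed clock, then perform the shutdown-time cleanup. */
regen_state simulate(unsigned connections, enum thread_policy p)
{
    regen_state s = {0};
    time_t t0 = 1220486400;              /* constructed: 2008-09-04 00:00 UTC */
    s.last_dh_rsa_gen = t0;
    for (unsigned i = 0; i < connections; i++)
        on_ssl_connection(&s, t0, p);
    reap_previous(&s, p);                /* shutdown: reclaim the last thread too */
    return s;
}

int main(void)
{
    regen_state leak = simulate(1500, POLICY_LEAK);
    regen_state join = simulate(1500, POLICY_JOIN);
    printf("leak:  created=%u joined=%u (one mapped stack left per regeneration)\n",
           leak.created, leak.joined);
    printf("join:  created=%u joined=%u\n", join.created, join.joined);
    return 0;
}
```

With 1500 connections the transaction trigger fires three times under every policy; only the join and detach policies leave no unreclaimed thread behind. On Linux the leaking variant can be observed as VmSize growing by one thread stack per regeneration in /proc/PID/status while the process runs.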

Symptoms

On Linux, the bot's process grows with each RSA and DH parameter regeneration by approximately 20 kilobytes of physical memory (RSS) for the thread's stack and by 8 megabytes of virtual memory (the default stack size for a new thread on Linux). On other POSIX systems these values may vary. The growth can be confirmed by comparing VmSize and VmRSS in /proc/PID/status before and after 500 SSL connections.

Workaround

The workaround is to not use SSL listening sockets: remove the SSL-enabled server-creation commands and functions from the configuration file "logic.txt" (see the documentation).

Solution

Either export the current source from the CVS repository or apply the following patch:

--- irc_bot/src/ssl.cpp.old	2008-06-29 18:37:52.000000000 +0200
+++ irc_bot/src/ssl.cpp	2008-09-04 00:11:41.000000000 +0200
@@ -2662,6 +2662,11 @@
     }
 #ifndef USE_OPENSSL
     static my_time_t thread_start=0;
+
+#if defined(HAVE_LIBPTHREAD)
+    static pthread_t thread;
+#endif
+
     if(last_dh_rsa_gen+DH_RSA_REGENERATION_NUM_SECS<my_time(NULL) || num_transactions>=DH_RSA_REGENERATION_NUM_TRANSACTIONS) {
         num_transactions=0;
         last_dh_rsa_gen=my_time(NULL);
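Review bot: the static `thread` handle introduced in this hunk is indeterminate until the first successful pthread_create, but nothing in the patch records whether it has been set; if the cleanup path that joins it can run before a regeneration thread has ever been created, pthread_join operates on an uninitialized pthread_t, which is undefined behavior. Consider adding `static bool thread_valid=false;` beside it, set after a successful create and cleared after the join, and guard the join on it.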
@@ -2697,7 +2702,6 @@
                 ssl_dh_thread_running=false;
             } else {
                 cs_init=true;
-                pthread_t thread;
                 int rc=pthread_create(&thread,NULL,ssl_dh_thread,NULL);
                 if(rc) {
                     cs_init=false;
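Review bot: on the failure path here (`rc` non-zero, `cs_init=false`) the now-static `thread` still holds the previous regeneration's handle, which the cleanup code may already have joined; joining the same handle a second time is undefined behavior. Clearing a validity flag in this branch, or only joining when the most recent pthread_create succeeded, avoids it.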
@@ -2746,6 +2750,8 @@
 #       else
 #         ifdef HAVE_LIBPTHREAD
             pthread_mutex_destroy(&mutex);
+            void* code=NULL;
+            pthread_join(thread,&code);
 #         endif
 #       endif
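Review bot: the return value of pthread_join() is discarded and `code` is never read; since the thread's exit status is unused, `pthread_join(thread,NULL)` suffices, and checking the return code would surface the uninitialized or stale-handle cases instead of silently continuing. A simpler fix worth considering is pthread_detach(thread) immediately after the successful pthread_create in the previous hunk: a detached thread releases its stack on exit, which removes the need for the static handle and for this join entirely. Also confirm that the thread can no longer touch `mutex` at this point, since it is destroyed before the join completes.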

Time line

2008-09-03 - Memory resources increase investigation.
2008-09-03 - Discovery of bug.
2008-09-04 - Public disclosure.
2009-01-25 - Appended RCS ID
2009-01-25 - Made persistent URL of this advisory clickable (hyperlink)
2009-03-26 - Changed sf.net logo at the bottom of this page

Legal notice

Some names used in this document may be registered trademarks of their respective owners.
