Asp Forum - [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack

Zed A. Shaw

10/25/2006 7:08:00 PM

This is important so please read this message very carefully.

There is a DoS for Ruby's cgi.rb that is easily exploitable. The attack involves sending a malformed multipart MIME body in an HTTP request. The full explanation of the attack as well as how to fix it RIGHT NOW is given below.

Most of the work was done by Jeremy Kemper and Jamis Buck. They did all the work of building the hot fix gem you'll install and getting the right people to finally agree to get this out.

The original report is attached to this message so you can read it in full.

I'm putting this fix into the Mongrel pre-release process to give Matz time to get an official release out. If he doesn't within the next few days then I'll turn this into an official Mongrel release.

FULL DISCLOSURE

There has been an exploitable bug in the Ruby CGI library named cgi.rb which allows:

Anyone on the Internet to...
Send a single HTTP request to...
Any Ruby program (NOT just Mongrel) using...
cgi.rb multipart parsing with...
A malformed MIME body that...
Causes the Ruby process to go into a 99% CPU infinite loop killing it.

I broke this down so that it's as clear as possible, and so you don't miss that it's for ANY program using cgi.rb mime parsing. Not just Rails and Mongrel.

What happens is that the final MIME boundary is sometimes given as:

-ASDFADSFASFD--

Rather than:

--ADFADSFADSF--

And this causes cgi.rb to go into an infinite loop waiting for more input that isn't coming. This is caused by any system that reads directly from an input stream that returns "" rather than EOF.

The fix described below has a full exploit/tester script demonstrating the defect. It also doesn't matter if you have file uploads on your site or not. I can point this script at your site on any URI and cause a DoS on your site.

WHO'S AFFECTED

Currently, the following servers are affected:

* Mongrel -- Reads from a socket so gets "" rather than EOF.
* Litespeed -- Affected but has an internal timeout that nails the process.
* CGI Standalone -- Impacted since reading from a normal input stream.
* Any other custom server using the above similar operations.

Looks like FastCGI's FCGIInputStream, WEBrick and mod_ruby are not vulnerable since they either read from a domain socket or don't use normal cgi.rb.

THE FIX

Everyone using Mongrel can get the fix immediately by installing the latest pre-release version 0.3.14:

sudo gem install mongrel --source=http://mongrel.rubyforge.or...

Win32 people and anyone who can't upgrade that way can get the fix by doing this:

1) gem install cgi_multipart_eof_fix --source=http://mongrel.rubyforge.or...
2) Edit your environment.rb to have: require 'cgi_multipart_eof_fix'
3) Restart your services.

People using other frameworks can get the fix by simply requiring rubygems and this fix in some start-up location for your framework.

THE PATCH

If you can't do the hot fix gem install, then there is also a patch for cgi.rb attached to this e-mail. You can apply the patch with the following process:

1) Find the original cgi.rb file in your install. Mine's in /usr/lib/ruby/1.8
2) cd /usr/lib/ruby/1.8
3) sudo patch < ~/cgi_multipart_eof_fix.patch

You can look at the patch. It's literally changing one line, so you can edit by hand if you get really desperate.

FUTURE DEFECTS

Based on how the cgi.rb file is coded it's most likely that there will be more of these kinds of defects in the future. If you find a defect like this, then please don't flip out. Just report it to me or anyone else, and I'll cook up another one of these hot fix releases rather than wait for an official fix. I promise immediate turn-around from now on using a hot-fix gem if I can't get an official fix within a few days.

Suggestions on how to do a more standardized hot-fix release process are much appreciated.

Flame wars about screwing goats or the merits of full-disclosure are not appreciated.

GETTING HELP

I'll be in the Mongrel lingr room:

http://www.lingr.com/room/3...

And on irc.freenode.org in #rubyonrails, #rails-security, and #ruby-lang fielding questions and helping people. If I don't answer right away then wait a bit.

I'll also answer help e-mails directly if you can't access any of the above.

---
Zed A. Shaw

4 Answers

Jacob Fugal

10/25/2006 7:21:00 PM

On 10/25/06, Zed A. Shaw <zedshaw@zedshaw.com> wrote:
> THE PATCH
>
> If you can't do the hot fix gem install, then there is also a patch
> for cgi.rb attached to this e-mail. You can apply the patch with the
> following process:
>
> 1) Find the original cgi.rb file in your install. Mine's in
> /usr/lib/ruby/1.8
> 2) cd /usr/lib/ruby/1.8
> 3) sudo patch < ~/cgi_multipart_eof_fix.patch
>
> You can look at the patch. It's literally changing one line, so you
> can edit by hand if you get really desperate.

Looks like either you forgot the attachment, or maybe the mailing list
software (or gateway bridge?) ate it. Can you please include the patch
in the body of a response? Thanks!

Jacob Fugal

Wilson Bilkovich

10/25/2006 7:26:00 PM

On 10/25/06, Jacob Fugal <lukfugl@gmail.com> wrote:
> On 10/25/06, Zed A. Shaw <zedshaw@zedshaw.com> wrote:
> > THE PATCH
> >
> > If you can't do the hot fix gem install, then there is also a patch
> > for cgi.rb attached to this e-mail. You can apply the patch with the
> > following process:
> >
> > 1) Find the original cgi.rb file in your install. Mine's in
> > /usr/lib/ruby/1.8
> > 2) cd /usr/lib/ruby/1.8
> > 3) sudo patch < ~/cgi_multipart_eof_fix.patch
> >
> > You can look at the patch. It's literally changing one line, so you
> > can edit by hand if you get really desperate.
>
> Looks like either you forgot the attachment, or maybe the mailing list
> software (or gateway bridge?) ate it. Can you please include the patch
> in the body of a response? Thanks!
>
> Jacob Fugal
>
>

Here's the patch, inline:
--- /opt/local/lib/ruby/1.8/cgi.rb 2005-10-06 19:01:22.000000000 -0600
+++ cgi.rb 2006-09-22 16:38:08.000000000 -0600
@@ -1017,7 +1017,7 @@
else
stdinput.read(content_length)
end
- if c.nil?
+ if c.nil? || c.empty?
raise EOFError, "bad content body"
end
buf.concat(c)

James Britt

10/25/2006 7:50:00 PM

Wilson Bilkovich wrote:
> On 10/25/06, Jacob Fugal <lukfugl@gmail.com> wrote:
>
>> On 10/25/06, Zed A. Shaw <zedshaw@zedshaw.com> wrote:
>> > THE PATCH
>> >
>> > If you can't do the hot fix gem install, then there is also a patch
>> > for cgi.rb attached to this e-mail. You can apply the patch with the
>> > following process:
>> >
>> > 1) Find the original cgi.rb file in your install. Mine's in
>> > /usr/lib/ruby/1.8
>> > 2) cd /usr/lib/ruby/1.8
>> > 3) sudo patch < ~/cgi_multipart_eof_fix.patch
>> >
>> > You can look at the patch. It's literally changing one line, so you
>> > can edit by hand if you get really desperate.
>>
>> Looks like either you forgot the attachment, or maybe the mailing list
>> software (or gateway bridge?) ate it. Can you please include the patch
>> in the body of a response? Thanks!
>>
>> Jacob Fugal
>>
>>
>
> Here's the patch, inline:

Zed also pointed me to Google groups

http://groups.google.com/group/rubyonrails-talk/browse_frm/thread/8bbee5200ac4312c/87b5d92d513aa3ce#87b5d9...

which has the patch attachment

--
James Britt

http://www.ru... - Ruby Help & Documentation
http://www.artima.c... - The Journal By & For Rubyists
http://www.rub... - The Ruby Store for Ruby Stuff
http://www.... - Hacking in the Desert

Zed A. Shaw

10/25/2006 8:03:00 PM

On Thu, 26 Oct 2006 04:49:33 +0900
James Britt <james.britt@gmail.com> wrote:

> Zed also pointed me to Google groups
>
> http://groups.google.com/group/rubyonrails-talk/browse_frm/thread/8bbee5200ac4312c/87b5d92d513aa3ce#87b5d9...
>

Thanks folks. Yep, either of those will work.

Another point to make is this:

If you can't upgrade Mongrel or your software just install the cgi_multipart_eof_fix gem.

If you can't even install the gem then use the patch. The gem includes a README, and a test script you can run to validate your server.

If you want the latest and greatest Mongrel that will just install the gem for you and have the least hassle then install pre-release Mongrel (see OP).

Only warning with pre-release Mongrel is that because of this fix mongrel_upload_progress users might run into problems. Let me know if this is the case, but it's been heavily tested by many people already.

--
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.ze...
http://safari.oreilly.com/... -- The Mongrel Book
http://mongrel.ruby...
http://www.lingr.com/room/3... -- Come get help.

comp.lang.ruby

[SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack

Zed A. Shaw

Jacob Fugal

Wilson Bilkovich

James Britt

Zed A. Shaw

x Login to ForumsZone