Posted to cvs@httpd.apache.org by jo...@apache.org on 2009/12/16 17:08:35 UTC

svn commit: r891284 - /httpd/test/framework/trunk/t/security/CVE-2009-3555.t

Author: jorton
Date: Wed Dec 16 16:08:34 2009
New Revision: 891284

URL: http://svn.apache.org/viewvc?rev=891284&view=rev
Log:
- add test case for a prefix attack which attempts
  to inject additional requests beyond the
  renegotiation.

Added:
    httpd/test/framework/trunk/t/security/CVE-2009-3555.t

Added: httpd/test/framework/trunk/t/security/CVE-2009-3555.t
URL: http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/security/CVE-2009-3555.t?rev=891284&view=auto
==============================================================================
--- httpd/test/framework/trunk/t/security/CVE-2009-3555.t (added)
+++ httpd/test/framework/trunk/t/security/CVE-2009-3555.t Wed Dec 16 16:08:34 2009
@@ -0,0 +1,60 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestRequest;
+use Apache::TestUtil;
+
+plan tests => 4, need 'ssl';
+
+# This test case attempts only one type of attack which is possible
+# due to the TLS renegotiation vulnerability, CVE-2009-3555.  A
+# specific defense against this attack was added to mod_ssl in
+# r891282.  For more information, see the dev@httpd thread beginning
+# at message ID <4B...@adnovum.ch>.
+
+Apache::TestRequest::set_client_cert("client_ok");
+
+Apache::TestRequest::module('mod_ssl');
+
+my $sock = Apache::TestRequest::vhost_socket('mod_ssl');
+ok $sock && $sock->connected;
+
+
+my $req = "GET /require/asf/ HTTP/1.1\r\n".
+   "Host: " . Apache::TestRequest::hostport() . "\r\n".
+    "\r\n".
+    "GET /this/is/a/prefix/injection/attack HTTP/1.0\r\n".
+    "\r\n";
+
+ok $sock->print($req);
+
+my $line = Apache::TestRequest::getline($sock) || '';
+
+ok t_cmp($line, qr{^HTTP/1\.. 200}, "read first response-line");
+
+my $rv = 0;
+
+do {
+    $line = Apache::TestRequest::getline($sock) || '';
+    $line = super_chomp($line);
+    print "# line: $line\n";
+    if ($line eq "Connection: close") {
+        $rv = 1;
+    }
+} until ($line eq "");
+
+ok $rv, 1, "expected Connection: close header in response";
+
+sub super_chomp {
+    my ($body) = shift;
+
+    ## super chomp - all leading and trailing \n (and \r for win32)
+    $body =~ s/^[\n\r]*//;
+    $body =~ s/[\n\r]*$//;
+    ## and all the rest change to spaces
+    $body =~ s/\n/ /g;
+    $body =~ s/\r//g; #rip out all remaining \r's
+
+    $body;
+}
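Review bot: The header loop's `if ($line eq "Connection: close")` compares byte-for-byte, so a response that differs only in casing or spacing (for example `connection: Close`) fails the test even though the defense worked; the header name and this token are case-insensitive, so `if ($line =~ /^Connection:\s*close\s*$/i) {` is the safer comparison. The test also stops at the blank line ending the first response's headers, so it only infers from that header that the pipelined `GET /this/is/a/prefix/injection/attack` was discarded; a stronger regression check would keep reading to end-of-stream and assert that no second `HTTP/1.` status line arrives, with the `plan tests` count raised to match. A one-line comment above `$req` stating that `/require/asf/` is the path expected to trigger the renegotiation (assuming that is how the test configuration is set up) would make the intent of the two-request payload clear to later readers.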



Re: svn commit: r891284 - /httpd/test/framework/trunk/t/security/CVE-2009-3555.t

Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, Jan 6, 2010 at 10:30 AM, Jeff Trawick <tr...@gmail.com> wrote:

> Index: Apache-Test/lib/Apache/TestRequest.pm
> ===================================================================
> --- Apache-Test/lib/Apache/TestRequest.pm       (revision 895795)
> +++ Apache-Test/lib/Apache/TestRequest.pm       (working copy)
> @@ -303,7 +303,7 @@
>         do {
>             $self->read($c, 1);
>             $buf .= $c;
> -        } until ($c eq "\n");
> +        } until ($c eq "\n" || $c eq "");
>         $buf;
>     },
>  );
>

committed (I didn't realize I had commit access to that tree)

Re: svn commit: r891284 - /httpd/test/framework/trunk/t/security/CVE-2009-3555.t

Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, Dec 16, 2009 at 11:08 AM,  <jo...@apache.org> wrote:
> Author: jorton
> Date: Wed Dec 16 16:08:34 2009
> New Revision: 891284
>
> URL: http://svn.apache.org/viewvc?rev=891284&view=rev
> Log:
> - add test case for a prefix attack which attempts
>  to a inject additional requests beyond the
>  renegotiation.
>
> Added:
>    httpd/test/framework/trunk/t/security/CVE-2009-3555.t
>
> Added: httpd/test/framework/trunk/t/security/CVE-2009-3555.t
> URL: http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/security/CVE-2009-3555.t?rev=891284&view=auto
> ==============================================================================
> --- httpd/test/framework/trunk/t/security/CVE-2009-3555.t (added)
> +++ httpd/test/framework/trunk/t/security/CVE-2009-3555.t Wed Dec 16 16:08:34 2009
> @@ -0,0 +1,60 @@
> +use strict;
> +use warnings FATAL => 'all';
> +
> +use Apache::Test;
> +use Apache::TestRequest;
> +use Apache::TestUtil;
> +
> +plan tests => 4, need 'ssl';
> +
> +# This test case attempts only one type of attack which is possible
> +# due to the TLS renegotiation vulnerability, CVE-2009-3555.  A
> +# specific defense against this attack was added to mod_ssl in
> +# r891282.  For more information, see the dev@httpd thread beginning
> +# at message ID <4B...@adnovum.ch>.
> +
> +Apache::TestRequest::set_client_cert("client_ok");
> +
> +Apache::TestRequest::module('mod_ssl');
> +
> +my $sock = Apache::TestRequest::vhost_socket('mod_ssl');
> +ok $sock && $sock->connected;
> +
> +
> +my $req = "GET /require/asf/ HTTP/1.1\r\n".
> +   "Host: " . Apache::TestRequest::hostport() . "\r\n".
> +    "\r\n".
> +    "GET /this/is/a/prefix/injection/attack HTTP/1.0\r\n".
> +    "\r\n";
> +
> +ok $sock->print($req);
> +
> +my $line = Apache::TestRequest::getline($sock) || '';

With 0.9.8l, the client busy-loops here, repeating this sequence:

alarm(600)                              = 0
alarm(0)                                = 600
rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
rt_sigaction(SIGALRM, {SIG_DFL}, {0x809aad0, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
rt_sigaction(SIGALRM, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
rt_sigaction(SIGALRM, {0x809aad0, [], 0}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0

(It seems that 600 is the read timeout.)

This resolves the loop for me:

Index: Apache-Test/lib/Apache/TestRequest.pm
===================================================================
--- Apache-Test/lib/Apache/TestRequest.pm	(revision 895795)
+++ Apache-Test/lib/Apache/TestRequest.pm	(working copy)
@@ -303,7 +303,7 @@
         do {
             $self->read($c, 1);
             $buf .= $c;
-        } until ($c eq "\n");
+        } until ($c eq "\n" || $c eq "");
         $buf;
     },
 );
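Review bot: The added exit condition `$c eq ""` depends on `read` leaving `$c` as an empty string at end-of-stream, while the return value of `$self->read($c, 1)` is still discarded. If a failed read leaves `$c` undefined or holding the previous byte (not determinable from this hunk), the loop would compare an undefined value or keep spinning; capturing the result, e.g. `my $n = $self->read($c, 1);`, and ending the loop when `$n` is false makes termination independent of how the buffer is left. The enclosing sub begins above the hunk, so the initialisation of `$c` and `$buf` is not visible here.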