[kgb-maintainers] Bug#776424: Bug#776424: can be crashed by some network traffic

Antoine Beaupre anarcat at orangeseeds.org
Tue Feb 28 16:04:38 UTC 2017


On Sun, Feb 08, 2015 at 06:01:14PM +0000, Damyan Ivanov wrote:
> -=| Joey Hess, 27.01.2015 18:00:11 -0400 |=-
> > Source: kgb-bot
> > Version: 1.33-2
> > Severity: important
> > Tags: security
> > 
> > 2015.01.19 18:08:39: Listening on http://0.0.0.0:9999?session=KGB
> > 2015.01.19 18:08:43: Connected to freenode (holmes.freenode.net)
> > 2015.01.19 18:08:43: Joining #commits...
> > 2015.01.19 18:08:43: Connected to oftc (graviton.oftc.net)
> > 2015.01.19 18:08:43: Joining #ikiwiki #vcs-home #git-annex...
> > Did not get DONE/CLOSE event for Wheel ID 73 from IP 222.186.34.155 at
> > /usr/share/perl5/POE/Component/Server/SimpleHTTP.pm line 221.
> > I had a problem posting to event Got_Request of session SOAPServer for
> > DIR handler '.*'. As reported by Kernel: 'No such file or directory',
> > perhaps the session name is spelled incorrectly for this handler? at
> > /usr/share/perl5/POE/Session.pm line 483.
> 
> Tincho, can you have a look? I'm afraid POE internals are a mystery to 
> me.
> 
> A way to reproduce the problem would certainly help too.
> 
> > This has happened to me twice now, and it takes the bot down.
> > 
> > root at elephant:/home/joey>systemctl  status kgb-bot.service 
> > ● kgb-bot.service - LSB: Collaborative IRC helper
> >    Loaded: loaded (/etc/init.d/kgb-bot)
> >    Active: active (exited) since Mon 2015-01-19 14:08:39 JEST; 1 weeks 1 days ago
> >   Process: 26584 ExecReload=/etc/init.d/kgb-bot reload (code=exited, status=0/SUCCESS)
> > 
> > Jan 26 03:57:27 elephant kgb-bot[26584]: Reloading Collaborative IRC helper: kgb-bot.
> > 
> > systemd thinks the service is running ok, but the daemon has in fact crashed or
> > exited because of the event logged above. Both "service kgb-bot start" and
> > "systemctl start kgb-bot" do nothing. I have to "service kgb-bot stop" to get
> > out of this state. (It seems that this could stand to be improved, by eg,
> > writing a systemd service file that doesn't let the daemon fork, so systemd
> > can handle logging and know when the process has exited.)
> 
> This is easy to fix, as the bot has a --foreground parameter.
> 
> > Here's the log from the previous time it happened:
> > 
> > 2015.01.15 23:05:33: Connected to freenode (wolfe.freenode.net)
> > 2015.01.15 23:05:33: Joining #commits...
> > Did not get DONE/CLOSE event for Wheel ID 1089 from IP 222.186.34.155 at /usr/share/perl5/POE/Component/Server/SimpleHTTP.pm line 221.
> > I had a problem posting to event Got_Request of session SOAPServer for DIR handler '.*'. As reported by Kernel: 'No such file or directory', perhaps the session name is spelled incorrectly for this handler? at /usr/share/perl5/POE/Session.pm line 483.
> > 
> > I don't know the IP 222.186.34.155. I assume it is trying to exploit my
> > server with its DIR .*
> 
> "DIR .*" is a red herring here. The SOAP service registers a HTTP 
> handler for all paths, expressed as ".*" (AIUI).

I am not sure, but it seems to me the "DONE/CLOSE" message is also a red
herring: at that point, the server is already shutting down for some
other reason - probably the "No such file or directory" error?

> > Since this appears to be at least a DOS, I've tagged the bug as 
> > a minor security issue.

So far, this was marked as "no-dsa" by the security team in jessie
because it is considered to be a "minor issue"... 

Is there a workaround for this? Did we fix the .service file to
automatically restart the bot? Since it's pretty much stateless, it
would seem to be okay to recover from those problems immediately, unless
the attacker makes a deliberate attempt at DOS in which case that
workaround wouldn't really be effective.

I tried to figure out what's going on in the source code, but I'm not
familiar with POE either, and I'm not sure I should spend more time on
this without a POC.

Joey, did you manage to reproduce this issue without an external
attacker? Can you still reproduce in 1.34?

We would probably need a HTTP trace at this point to reproduce the exact
HTTP request sent that makes KGB crash... 

Since there's no upstream fix yet, I have marked this as no-dsa for
Wheezy LTS as well.

A.
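A unit file of the kind this thread asks for, added here as an example and not taken from the kgb-bot package or from anyone in the thread: it runs the bot with the --foreground parameter Damyan mentions, so systemd owns the real process, records its exit status and captures its output in the journal, and restarts it when it dies. The binary path, the --config flag, the config path and the service user are assumptions; check them against the installed package.

```ini
# /etc/systemd/system/kgb-bot.service (example unit, not the package's own)
[Unit]
Description=KGB collaborative IRC helper
After=network-online.target
Wants=network-online.target
# Cap automatic restarts: after 5 failures within 10 minutes systemd stops
# retrying, so a repeatedly triggered crash does not turn into a restart loop.
StartLimitIntervalSec=600
StartLimitBurst=5

[Service]
Type=simple
# --foreground keeps the daemon from forking, which is what lets systemd see
# when it exits (the problem described above with the LSB init script).
# Binary path, --config flag, config path and user are assumptions.
ExecStart=/usr/bin/kgb-bot --foreground --config /etc/kgb-bot/kgb.conf
User=kgb
Group=kgb
# Recover from the crash automatically; this helps with incidental hits,
# not with someone deliberately crashing the bot on a loop.
Restart=on-failure
RestartSec=5s
# The bot needs the network and its config, nothing else on the system.
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```

StartLimitIntervalSec= in [Unit] needs systemd 230 or newer; on jessie (systemd 215) the equivalent keys are StartLimitInterval= and StartLimitBurst= in the [Service] section. Disable the old /etc/init.d/kgb-bot script before enabling this unit so the two do not both try to manage the bot.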