Headline
GHSA-7h24-c332-p48c: vproxy Divide by Zero DoS Vulnerability
Summary
Untrusted, user-controlled data from the HTTP Proxy-Authorization header can induce a denial of service state.
Details
Untrusted data is extracted from the user-controlled HTTP Proxy-Authorization header and passed to Extension::try_from and flows into parse_ttl_extension where it is parsed as a TTL value. If an attacker supplies a TTL of zero (e.g. by using a username such as ‘configuredUser-ttl-0’), the modulo operation ‘timestamp % ttl’ will cause a division by zero panic, causing the server to crash causing a denial-of-service.
The code assumed to be responsible for this can be found here: https://github.com/0x676e67/vproxy/blob/ab304c3854bf8480be577039ada0228907ba0923/src/extension.rs#L173-L183
PoC
- Download and run the latest version of vproxy
- Send a cUrl request like the following, adjusting address and port as necessary:
curl -x "http://test-ttl-0:test@127.0.0.1:8101" https://google.com - Wait for a cUrl error indicating “Proxy CONNECT aborted”
- View logs from the vproxy server
- Observe that the vproxy server crashed due to a divide-by-zero panic
Impact
The resulting crash renders the proxy server unusable until it is reset.
Finally, one last note: I’m reporting this on behalf of another researcher at Black Duck. Credit for discovery should be attributed to David Bohannon (dbohannon)
Summary
Untrusted, user-controlled data from the HTTP Proxy-Authorization header can induce a denial of service state.
Details
Untrusted data is extracted from the user-controlled HTTP Proxy-Authorization header and passed to Extension::try_from and flows into parse_ttl_extension where it is parsed as a TTL value. If an attacker supplies a TTL of zero (e.g. by using a username such as ‘configuredUser-ttl-0’), the modulo operation ‘timestamp % ttl’ will cause a division by zero panic, causing the server to crash causing a denial-of-service.
The code assumed to be responsible for this can be found here: https://github.com/0x676e67/vproxy/blob/ab304c3854bf8480be577039ada0228907ba0923/src/extension.rs#L173-L183
PoC
- Download and run the latest version of vproxy
- Send a cUrl request like the following, adjusting address and port as necessary: curl -x “http://test-ttl-0:test@127.0.0.1:8101” https://google.com
- Wait for a cUrl error indicating “Proxy CONNECT aborted”
- View logs from the vproxy server
- Observe that the vproxy server crashed due to a divide-by-zero panic
Impact
The resulting crash renders the proxy server unusable until it is reset.
Finally, one last note: I’m reporting this on behalf of another researcher at Black Duck. Credit for discovery should be attributed to David Bohannon (dbohannon)
References
- GHSA-7h24-c332-p48c
- 0x676e67/vproxy@aa1bf64
- https://github.com/0x676e67/vproxy/releases/tag/v2.4.0