Bug 38478 - A client starting a SSL renegotiation can crash the server
Summary: A client starting a SSL renegotiation can crash the server
Status: RESOLVED LATER
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.2-HEAD
Hardware: Other other
Importance: P2 major
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: MassUpdate
Depends on:
Blocks:
 
Reported: 2006-02-01 16:50 UTC by keilh
Modified: 2018-11-07 21:09 UTC
Description keilh 2006-02-01 16:50:10 UTC
Description:

Consider the following situation:

a) a client performs the initial SSL handshake

b) the client is sending an incomplete request
   (or nothing at all)

c) the client is starting an SSL renegotiation
   (not triggered by the server. Due to security reasons
   that is okay)

d) The client is sending only the SSL 'ClientHello'
   (or the server only receives the 'ClientHello')

e) after the configured timeout apache is closing the 
   connection. 

In step e) there is a read of freed memory that can crash the server:

In 'ssl_io_filter_output(..)' the function 'ssl_io_filter_connect(..)'
will be called for checking the state of the SSL. And thereby the SSL
struct (and the BIOs) will be freed due to the incomplete renegotiation
handshake.
And in 'ssl_io_filter_output(..)' it is not checked again whether the
SSL struct has been freed.
So in 'bio_filter_out_flush(..)' the already freed BIOs will be accessed.


Log:
The error_log for that situation looks like:
[Wed Feb 01 16:04:17 2006] [info] [client 192.168.5.137] Connection to child 9
established (server adnpool01.zh.adnovum.ch:44301)
[Wed Feb 01 16:04:17 2006] [info] Seeding PRNG with 136 bytes of entropy
[Wed Feb 01 16:04:17 2006] [debug] ssl_engine_kernel.c(1749): OpenSSL:
Handshake: start
[Wed Feb 01 16:04:17 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
before/accept initialization
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 11/11
bytes from BIO#239438 [mem: 255ce8] (BIO dump follows)
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_io.c(1747): | 0000: 80 4d 01 03 01
00 24                             .M....$          |
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_io.c(1751): | 0011 - <SPACES/NULS>
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 68/68
bytes from BIO#239438 [mem: 255cf3] (BIO dump follows)
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_io.c(1747): | 0000: 00 00 66 00 00
65 00 00-64 00 00 60 00 00 05 00  ..f..e..d..`.... |
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_io.c(1747): | 0010: 00 04 00 00 03
00 00 18-00 00 17 08 00 80 01 00  ................ |
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_io.c(1747): | 0020: 80 02 00 80 95
99 f8 0a-86 4e 2d 3e f5 0e 89 ca  .........N->.... |
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_io.c(1747): | 0030: 15 8f d9 5b 97
24 d6 05-d7 81 12 08 2d 03 c2 e7  ...[.$......-... |
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_io.c(1747): | 0040: 93 c2 f3 b1  
                                   ....             |
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 read client hello A
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 write server hello A
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 write certificate A
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 write server done A
[Wed Feb 01 16:04:23 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 flush data
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5
bytes from BIO#239438 [mem: 255ce8] (BIO dump follows)
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 86
                                  .....            |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 134/134
bytes from BIO#239438 [mem: 255ced] (BIO dump follows)
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0000: 10 00 00 82 00
80 04 6c-6b 61 9b ac ad 9f 00 5c  .......lka.....\ |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0010: b4 93 78 0d 43
9e e1 da-62 c6 be e2 a0 77 fd 33  ..x.C...b....w.3 |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0020: 99 f8 b0 f3 dc
ab 77 21-05 b9 0f 69 76 0d aa 33  ......w!...iv..3 |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0030: 5c 67 7c 37 3f
7a bf 87-cb f5 62 1e 6e 2f 32 18  \g|7?z....b.n/2. |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0040: c3 08 60 44 23
6e 73 e4-9d ef 37 3c d9 de 15 04  ..`D#ns...7<.... |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0050: 27 dd 1c da 04
6c da dd-7f 75 d2 5e f3 ac 86 db  '....l...u.^.... |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0060: 29 b7 68 04 fa
b3 e3 8b-8d 48 da 49 94 d1 40 ee  ).h......H.I..@. |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0070: 00 47 01 80 15
0e 84 df-c3 4d 64 46 10 83 d2 e5  .G.......MdF.... |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0080: da cb cc c6 fc
62                                .....b           |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 read client key exchange A
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5
bytes from BIO#239438 [mem: 255ce8] (BIO dump follows)
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0000: 14 03 01 00 01
                                  .....            |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 1/1
bytes from BIO#239438 [mem: 255ced] (BIO dump follows)
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0000: 01           
                                   .                |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5
bytes from BIO#239438 [mem: 255ce8] (BIO dump follows)
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01     
                                   ...              |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1751): | 0005 - <SPACES/NULS>
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 32/32
bytes from BIO#239438 [mem: 255ced] (BIO dump follows)
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0000: 1b 15 00 3d be
d2 ef 1d-b9 32 2c 50 08 b0 ea ee  ...=.....2,P.... |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1747): | 0010: 3a 55 21 bf c7
de 54 50-cd 05 b5 6d fa 77 b7 e4  :U!...TP...m.w.. |
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 read finished A
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 write change cipher spec A
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 write finished A
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 flush data
[Wed Feb 01 16:04:35 2006] [debug] ssl_engine_kernel.c(1753): OpenSSL:
Handshake: done
[Wed Feb 01 16:04:35 2006] [info] Connection: Client IP: 192.168.5.137,
Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5
bytes from BIO#239438 [mem: 255ce8] (BIO dump follows)
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 4d
                                  ....M            |
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 77/77
bytes from BIO#239438 [mem: 255ced] (BIO dump follows)
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_io.c(1747): | 0000: 15 f1 9d 00 28
eb b2 57-75 12 3a 22 6d c4 c7 27  ....(..Wu.:"m..' |
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_io.c(1747): | 0010: 7b 93 72 dd 3c
b5 bd e5-44 80 da b5 8a 88 b7 ea  {.r.<...D....... |
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_io.c(1747): | 0020: 53 2e 03 f4 3c
a5 41 64-b5 ac 56 2a cb 2e 2b 9e  S...<.Ad..V*..+. |
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_io.c(1747): | 0030: be 6d 06 92 ba
4c 3d 61-4b 91 cb ce 35 cf c3 82  .m...L=aK...5... |
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_io.c(1747): | 0040: 44 4b 5c 84 2f
3a 17 7e-e9 2e e1 0c db           DK\./:.~.....    |
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_kernel.c(1749): OpenSSL:
Handshake: start
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
before accept initialization
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 read client hello A
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 write server hello A
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 write certificate A
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 write server done A
[Wed Feb 01 16:04:42 2006] [debug] ssl_engine_kernel.c(1757): OpenSSL: Loop:
SSLv3 flush data
[Wed Feb 01 16:06:42 2006] [debug] ssl_engine_io.c(1786): OpenSSL: I/O error, 5
bytes expected to read on BIO#239438 [mem: 255ce8]
[Wed Feb 01 16:06:42 2006] [debug] ssl_engine_kernel.c(1786): OpenSSL: Exit:
error in SSLv3 read client certificate A
[Wed Feb 01 16:06:42 2006] [info] [client 192.168.5.137] (70007)The timeout
specified has expired: SSL input filter read failed.
[Wed Feb 01 16:07:15 2006] [debug] ssl_engine_io.c(1786): OpenSSL: I/O error, 5
bytes expected to read on BIO#239438 [mem: 255ce8]
[Wed Feb 01 16:07:15 2006] [debug] ssl_engine_kernel.c(1786): OpenSSL: Exit:
error in SSLv3 read client certificate A
[Wed Feb 01 16:07:23 2006] [info] [client 192.168.5.137] (70014)End of file
found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Wed Feb 01 16:07:28 2006] [info] [client 192.168.5.137] Connection closed to
child 9 with abortive shutdown (server adnpool01.zh.adnovum.ch:44301)


How to reproduce:
The situation can be reproduced with 'openssl -s_client' with some 
modifications.


Fix:
From our point of view, the problem or bug is that 'ssl_io_filter_connect(..)'
is returning APR_SUCCESS even though there is an SSL error and the SSL struct
has even been freed.
The fix is simply to return APR_EGENERAL if there are SSL errors:

Index: httpd-2.2.X/modules/ssl//ssl_engine_io.c
===================================================================
RCS file:
/opt/projects/CVSROOT/navajo/src/org/apache/httpd-2.2.X/modules/ssl/ssl_engine_io.c,v
retrieving revision 1.1
diff -c -r1.1 ssl_engine_io.c
*** httpd-2.2.X/modules/ssl//ssl_engine_io.c    2005/12/08 14:50:46 1.1
--- httpd-2.2.X/modules/ssl//ssl_engine_io.c    2006/02/01 15:42:52
***************
*** 1100,1106 ****
              inctx->rc = APR_EGENERAL;
          }

!         return ssl_filter_io_shutdown(filter_ctx, c, 1);
      }

      /*
--- 1100,1107 ----
              inctx->rc = APR_EGENERAL;
          }

!       ssl_filter_io_shutdown(filter_ctx, c, 1);
!         return APR_EGENERAL;
      }

      /*
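Review bot: returning APR_EGENERAL here only closes the freed-BIO access if every caller of ssl_io_filter_connect() (ssl_io_filter_output() per the description) stops on a non-success status before reaching bio_filter_out_flush(); please confirm that caller bails out, otherwise this hunk alone does not prevent the crash. Also the new `ssl_filter_io_shutdown(filter_ctx, c, 1);` line is indented two columns short of the `return APR_EGENERAL;` beneath it and of the enclosing block; align it.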
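The control flow the description walks through, as an added model in C that is not httpd's code: the reporter's patch makes the connect routine report the failure, and the output filter's status check only protects the BIO when it does. The function names, the `freed` flag and the sentinel values are assumptions made for the model.

```c
/* Added model of the filter control flow in the report (not httpd code).
 * Function names and the "freed" flag are assumptions that make the
 * freed-BIO access observable without real undefined behaviour. */
typedef int apr_status_t;
#define APR_SUCCESS 0
#define APR_EGENERAL 20000         /* only its non-zero-ness matters here */
#define BIO_USE_AFTER_FREE (-1)    /* stands in for the crash */

typedef struct { int freed; int flushed; } bio_t;   /* the output BIO */
typedef struct { bio_t *bio; int handshake_failed; } filter_ctx;
typedef apr_status_t (*connect_fn)(filter_ctx *);

/* Tear down the SSL state after a failed renegotiation, as
 * ssl_filter_io_shutdown() does; the BIO must not be used afterwards. */
static void filter_io_shutdown(filter_ctx *ctx) { ctx->bio->freed = 1; }

/* Before the patch: the state is freed but APR_SUCCESS is still returned. */
static apr_status_t filter_connect_buggy(filter_ctx *ctx) {
    if (ctx->handshake_failed) filter_io_shutdown(ctx);
    return APR_SUCCESS;
}

/* After the patch: report the failure so the caller stops here. */
static apr_status_t filter_connect_fixed(filter_ctx *ctx) {
    if (ctx->handshake_failed) { filter_io_shutdown(ctx); return APR_EGENERAL; }
    return APR_SUCCESS;
}

/* Stands in for bio_filter_out_flush(): on a freed BIO the real code reads
 * freed memory; the model reports it instead. */
static apr_status_t bio_flush(bio_t *bio) {
    if (bio->freed) return BIO_USE_AFTER_FREE;
    bio->flushed = 1;
    return APR_SUCCESS;
}

/* ssl_io_filter_output() as described: check the SSL state, then flush.
 * The guard is only as good as the status the connect routine returns. */
static apr_status_t output_filter(filter_ctx *ctx, connect_fn conn) {
    apr_status_t rv = conn(ctx);
    if (rv != APR_SUCCESS) return rv;   /* state may be gone: leave the BIO alone */
    return bio_flush(ctx->bio);
}

/* Step e) of the report: a renegotiation that timed out after ClientHello. */
static apr_status_t timed_out_renegotiation(connect_fn conn) {
    bio_t bio = {0, 0};
    filter_ctx ctx = {&bio, 1};
    return output_filter(&ctx, conn);
}
```

With the buggy connect routine the flush runs on the freed BIO (the modelled crash); with the patched one the output filter returns APR_EGENERAL before touching it.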
Comment 1 keilh 2006-02-16 16:45:45 UTC
Since there is no feedback, and I think that this should be fixed,
I changed the severity to major.
Comment 2 Joe Orton 2006-02-17 13:05:08 UTC
Thanks for the report, Hartmut.

The error handling here is completely broken.  ssl_io_filter_connect() is
returning a mixture of APR status codes, HTTP error codes, and once even an
OpenSSL error code!?!  ssl_io_filter_shutdown() has a redundant return value
which is always APR_SUCCESS, so that should always be ignored; there are several
more callers like this.  And finally, ssl_io_filter_error() is expecting an
apr_status_t and then interpreting it as an HTTP error code.  This is going to
take a little time to sort out.
Comment 3 keilh 2006-02-20 20:13:36 UTC
I agree with you about the implementation of ssl_io_filter_connect(), etc.
and that it will take a while to clean it up. (Let me know if I can help you)

The other question is whether to make some point patch available? That could
be required, since the server can be crashed quite easily. And maybe it will be, due to
the fact that the vulnerability is now public.
Comment 4 William A. Rowe Jr. 2018-11-07 21:09:54 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.