[erlang-bugs] Denial-of-service vulnerability in erlang's group.erl

Stefan Zegenhagen stefan.zegenhagen@REDACTED
Tue Jun 25 16:29:36 CEST 2013


Dear all,

All input routines in lib/kernel/src/group.erl suffer from a
denial-of-service vulnerability that can easily be used by an attacker
to randomly crash erlang applications, the erlang VM or other system
processes on the same computer.

The group.erl I/O server offers line-editing functionality (using
edlin.erl) for all input. It therefore applies line-editing until a
newline character has been received and the current input line is
finished. Only then are the supplied end-of-input detection routines
called; these differ for the get_chars, get_until, get_line, and
get_password commands.

Any attacker that has access to an input prompt serviced by group.erl
can send several megabytes of characters to the input prompt without a
newline in between. Thereby he can cause the Erlang VM to
     A. consume all available memory and eventually have the Linux OOM
        (Out-Of-Memory) killer randomly kill system processes, even ones
        other than the Erlang VM
     B. consume all available CPU power and slow the system down
     C. cause timeout errors in unrelated Erlang applications by the
        amount of garbage collection going on
     D. cause the Erlang VM to crash (this was observed on a live system,
        but a crash dump could not be saved).

Currently, it is not possible to circumvent this behaviour (except by
re-implementing group.erl in any application using it). This is because
all of the end-of-input searching routines are only ever called *AFTER*
a complete, newline-terminated line has been read. Therefore, get_until
and get_chars won't help.

A meaningful solution is to allow users of group.erl to optionally limit
the maximum line length it will handle. If this maximum line length is
reached, group.erl should report an error response to the I/O request.
This would likely be implemented as a new set_opts option (although not
a global one affecting all group.erl process instances). This way, the
current behaviour would be retained and compatibility problems are not
to be expected.

Please note that group.erl is *NOT EXCLUSIVELY* used by the Erlang
shell. Erlang's SSH application uses group.erl as the I/O server for its
SSH server implementation. Several devices may have a specific command
line interface (CLI) running on serial ports. Other uses of group.erl are
imaginable.


Kind regards,

-- 
Dr. Stefan Zegenhagen

arcutronix GmbH
Garbsener Landstr. 10
30419 Hannover
Germany

Tel:   +49 511 277-2734
Fax:   +49 511 277-2709
Email: stefan.zegenhagen@REDACTED
Web:   www.arcutronix.com

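The limit proposed in the post, sketched as an added illustration that is not part of the message or of OTP: a minimal I/O server speaking the standard `{io_request, From, ReplyAs, Request}` / `{io_reply, ReplyAs, Reply}` protocol that serves `get_line` and answers with an error once more than `Max` characters arrive without a newline, instead of buffering the line. The module name `bounded_io`, the `{input, Chars}` feed message and the `line_too_long` error atom are assumptions for this sketch; it serves one reader at a time.

```erlang
%% bounded_io: illustrative I/O server, in the spirit of group.erl, that caps
%% the length of one input line. Constructed for this post; not OTP code.
-module(bounded_io).
-export([start/1, feed/2, collect/3]).

%% Max characters may arrive before a newline; one more without a newline
%% drops the pending line and answers the I/O request with an error.
start(Max) when is_integer(Max), Max > 0 ->
    spawn_link(fun() ->
        loop(#{max => Max, acc => {0, []}, waiting => none, pending => []})
    end).

%% Deliver raw characters (socket, serial port, ...) to the server.
feed(Server, Chars) -> Server ! {input, Chars}, ok.

%% Fold characters into the current line. The count N is carried explicitly
%% so the check is O(1) per character; on overflow the partial line and the
%% rest of the offending chunk are discarded, so no unbounded buffer grows.
collect([], Acc, _Max) -> {more, Acc};
collect([$\n | Rest], {_N, Chars}, _Max) -> {line, lists:reverse([$\n | Chars]), Rest};
collect(_Input, {N, _Chars}, Max) when N >= Max -> {error, line_too_long};
collect([C | Rest], {N, Chars}, Max) -> collect(Rest, {N + 1, [C | Chars]}, Max).

loop(#{waiting := Waiting} = St) ->
    receive
        %% get_line request from a caller (e.g. io:get_line(Server, Prompt)).
        {io_request, From, ReplyAs, Req} when element(1, Req) =:= get_line,
                                             Waiting =:= none ->
            %% Characters left over from the previous line are consumed first.
            loop(handle_input(maps:get(pending, St),
                              St#{waiting := {From, ReplyAs}, pending := []}));
        {io_request, From, ReplyAs, _Req} ->
            From ! {io_reply, ReplyAs, {error, request}},
            loop(St);
        %% Selective receive: input waits in the mailbox until someone reads.
        {input, Chars} when Waiting =/= none ->
            loop(handle_input(Chars, St))
    end.

handle_input(Chars, #{max := Max, acc := Acc, waiting := {From, ReplyAs}} = St) ->
    case collect(Chars, Acc, Max) of
        {more, Acc1} -> St#{acc := Acc1};
        {line, Line, Rest} ->
            From ! {io_reply, ReplyAs, Line},
            St#{acc := {0, []}, waiting := none, pending := Rest};
        {error, line_too_long} ->
            %% The error response the post asks for on the I/O request.
            From ! {io_reply, ReplyAs, {error, line_too_long}},
            St#{acc := {0, []}, waiting := none, pending := []}
    end.
```

With `S = bounded_io:start(1024)`, a caller's `io:get_line(S, "> ")` returns the line once a newline arrives within the limit and `{error, line_too_long}` when a fed chunk exceeds it, which is the point at which the real group.erl currently keeps buffering.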