[erlang-bugs] Erlang OTP's httpc module denial of service
Seba
argos83@REDACTED
Fri May 2 11:31:53 CEST 2014
Hi list!
I've found a vulnerability in the httpc module. I'm sorry I can't provide
a patch (I can't code much Erlang yet), but I'm attaching a proof of concept.
Let me know if you need further details.
Regards,
Sebastián Tello
Summary
=======
Using httpc to connect to an untrusted server can cause the system to run
out of memory and crash.
Description
===========
When requesting a URL from an untrusted source using the httpc OTP module,
if the server:
- accepts the connection,
- does not read from the socket,
- and indefinitely writes bytes to the socket,
then the client will keep on allocating memory until the system crashes.
Proof of concept
================
Server-side (attacker):
Start the malicious server (use the attached module).
1> httpc_dos:server(5678).
Client-side (httpc), connect to the server:
$ erl
Erlang/OTP 17 [erts-6.0] [source] [64-bit] [smp:4:4] [async-threads:10]
[hipe] [kernel-poll:false]
Eshell V6.0 (abort with ^G)
1> application:start(inets).
ok
2> httpc:request("http://SERVER_IP:5678").
Crash dump was written to: erl_crash.dump
eheap_alloc: Cannot allocate 1167696400 bytes of memory (of type "heap").
Tested on
=========
OTP 17
Ubuntu 12.04 x86_64
Workaround
==========
I haven't been able to reproduce the issue using lhttpc (
https://github.com/esl/lhttpc) as the call will crash when the response
size is too large.
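A client-side mitigation, added here as an example and not taken from the report or from OTP: fetch with httpc in `{stream, {self, once}}` mode, so httpc delivers one chunk at a time and reads nothing further from the socket until the caller asks for it, and cancel the request once the body exceeds a cap or no data arrives within a timeout. The module and function names are my own, and the cap assumes the server sends a parseable status line and headers before the body.

```erlang
%% bounded_httpc: bounded-size, bounded-time GET via OTP httpc (added example).
-module(bounded_httpc).
-export([fetch/3]).

%% fetch(Url, MaxBytes, TimeoutMs) ->
%%     {ok, Status | streamed, Headers, Body} | {error, Reason}
fetch(Url, MaxBytes, TimeoutMs) ->
    ok = application:ensure_started(inets),
    %% {self, once}: httpc hands over one chunk and waits for
    %% httpc:stream_next/1 before reading more from the socket, so the
    %% amount of buffered body data stays under the caller's control.
    Opts = [{sync, false}, {stream, {self, once}}],
    HttpOpts = [{connect_timeout, TimeoutMs}, {timeout, TimeoutMs}],
    case httpc:request(get, {Url, []}, HttpOpts, Opts) of
        {ok, ReqId} -> loop(ReqId, undefined, MaxBytes, TimeoutMs, 0, []);
        Error       -> Error
    end.

loop(ReqId, Pid, MaxBytes, TimeoutMs, Got, Acc) ->
    receive
        {http, {ReqId, stream_start, _Hdrs, HandlerPid}} ->
            ok = httpc:stream_next(HandlerPid),
            loop(ReqId, HandlerPid, MaxBytes, TimeoutMs, Got, Acc);
        {http, {ReqId, stream, Chunk}}
          when Got + byte_size(Chunk) > MaxBytes ->
            %% over the cap: drop the request instead of buffering more
            ok = httpc:cancel_request(ReqId),
            {error, {body_too_large, MaxBytes}};
        {http, {ReqId, stream, Chunk}} ->
            ok = httpc:stream_next(Pid),
            loop(ReqId, Pid, MaxBytes, TimeoutMs,
                 Got + byte_size(Chunk), [Chunk | Acc]);
        {http, {ReqId, stream_end, Hdrs}} ->
            {ok, streamed, Hdrs, iolist_to_binary(lists:reverse(Acc))};
        %% httpc only streams 200/206 responses; others arrive whole
        {http, {ReqId, {{_Vsn, Status, _Reason}, Hdrs, Body}}} ->
            {ok, Status, Hdrs, Body};
        {http, {ReqId, {error, Reason}}} ->
            {error, Reason}
    after TimeoutMs ->
            %% no chunk within TimeoutMs: a stalled or drip-feeding server
            ok = httpc:cancel_request(ReqId),
            {error, timeout}
    end.
```

Example call: `bounded_httpc:fetch("http://SERVER_IP:5678", 1048576, 5000)` returns `{error, {body_too_large, 1048576}}` or `{error, timeout}` instead of growing the heap without bound.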
Attachment (scrubbed by the list archive):
- httpc_dos.erl (text/x-erlang, 392 bytes): <http://erlang.org/pipermail/erlang-bugs/attachments/20140502/26480310/attachment.bin>