<div dir="ltr"><div><div>Hi list!<br><br></div> I've found a vulnerability in the httpc module. I'm sorry I can't provide a patch (I can't code much Erlang yet); I'm attaching a proof of concept, though.<br>
<br></div>Let me know if you need further details.<br><br>Regards,<br><br>Sebastián Tello<br><div><br><br>Summary<br>=======<br><br>Using httpc to connect to an untrusted server can cause the system to run out of memory and crash.<br>
<br><br>Description<br>===========<br><br>When requesting a URL from an untrusted source using the httpc OTP module, if the server:<br> - accepts the connection<br> - does not read from the socket<br> - and indefinitely writes bytes to the socket,<br>
<br>Then the client will keep on allocating memory until the system crashes.<br><br><br>Proof of concept<br>================<br><br>Server-side (attacker):<br><br>Start the malicious server (use the attached module).<br><br>
1> httpc_dos:server(5678).<br><br><br>Client-side (httpc), connect to the server:<br><br>$ erl<br>Erlang/OTP 17 [erts-6.0] [source] [64-bit] [smp:4:4] [async-threads:10] [hipe] [kernel-poll:false]<br><br>Eshell V6.0 (abort with ^G)<br>
1> application:start(inets).<br>ok<br>2> httpc:request("<a href="http://SERVER_IP:5678">http://SERVER_IP:5678</a>").<br><br>Crash dump was written to: erl_crash.dump<br>eheap_alloc: Cannot allocate 1167696400 bytes of memory (of type "heap").<br>
<br>Tested on<br>=========<br>OTP 17<br>Ubuntu 12.04 x86_64<br><br>Workaround<br>==========<br><br>I haven't been able to reproduce the issue using lhttpc (<a href="https://github.com/esl/lhttpc">https://github.com/esl/lhttpc</a>) as the call will crash when the response size is too large.<br>
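<br>The following is an added example (not part of this report or of OTP) showing the defensive behaviour the workaround relies on: a client that enforces a hard cap on the bytes it will accept from a server, status line and headers included, plus a per-read timeout, so a peer that writes forever is cut off instead of exhausting the heap. It bypasses httpc entirely and talks raw HTTP/1.0 over gen_tcp, returns the unparsed response bytes, and the module name, cap and timeout values are assumptions chosen for illustration.<br><br>

```erlang
%% bounded_get.erl -- added example, not code from the original report.
%% Fetches a URL over plain TCP while enforcing a hard cap on the total
%% number of bytes accepted from the server (status line and headers
%% included) and a per-read timeout, so a server that accepts the
%% connection and then writes indefinitely cannot grow the heap unbounded.
-module(bounded_get).
-export([fetch/3, fetch/4]).

%% Milliseconds to wait for each recv before giving up (assumed value).
-define(RECV_TIMEOUT, 5000).

%% fetch(Host, Port, Path) -> {ok, ResponseBytes} | {error, Reason}
%% Default cap of 1 MiB on the whole response (assumed value).
fetch(Host, Port, Path) ->
    fetch(Host, Port, Path, 1024 * 1024).

fetch(Host, Port, Path, MaxBytes) when is_integer(MaxBytes), MaxBytes > 0 ->
    Opts = [binary, {active, false}, {packet, raw}],
    case gen_tcp:connect(Host, Port, Opts, ?RECV_TIMEOUT) of
        {ok, Sock} ->
            %% HTTP/1.0 with Connection: close so the server closes the
            %% socket after the response and recv/3 reports {error, closed}.
            Req = ["GET ", Path, " HTTP/1.0\r\n",
                   "Host: ", Host, "\r\n",
                   "Connection: close\r\n\r\n"],
            Result = case gen_tcp:send(Sock, Req) of
                         ok -> collect(Sock, MaxBytes, 0, []);
                         {error, Reason} -> {error, {send, Reason}}
                     end,
            gen_tcp:close(Sock),
            Result;
        {error, Reason} ->
            {error, {connect, Reason}}
    end.

%% Read whatever the socket has (length 0 = any amount available, so the
%% overshoot past the cap is bounded by the socket buffer), keep a running
%% byte count, and abort as soon as the total would exceed MaxBytes.
collect(Sock, MaxBytes, Received, Acc) ->
    case gen_tcp:recv(Sock, 0, ?RECV_TIMEOUT) of
        {ok, Data} ->
            Total = Received + byte_size(Data),
            if
                Total > MaxBytes ->
                    %% Stop accumulating; the caller closes the socket.
                    {error, {response_too_large, MaxBytes}};
                true ->
                    collect(Sock, MaxBytes, Total, [Data | Acc])
            end;
        {error, closed} ->
            %% Peer finished: hand back everything received, in order.
            {ok, iolist_to_binary(lists:reverse(Acc))};
        {error, timeout} ->
            %% Server accepted but stopped sending: fail instead of hanging.
            {error, {timeout, Received}};
        {error, Reason} ->
            {error, Reason}
    end.
```

Usage: <code>bounded_get:fetch("SERVER_IP", 5678, "/", 65536)</code> returns <code>{error, {response_too_large, 65536}}</code> against a server that never stops writing, and <code>{error, {timeout, N}}</code> against one that accepts and goes silent; memory use stays at roughly the cap plus one socket buffer either way. The point of the cap is that it applies before any HTTP parsing, so it also covers a server that streams bytes without ever completing a status line, which a limit on the parsed body alone would not catch.<br>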
<br><br></div></div>