-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/16/2012 11:34 PM, Helmut Grohne wrote: > Hi Kurt, > > Please always CC the bug report when adding detail to it. Doing it > now for you. > > On Mon, Apr 16, 2012 at 01:19:32PM -0600, Kurt Seifried wrote: >>> [3] Remote users can fill /tmp filesystem: Red Hat would not >>> consider this to be a security flaw => no RH BTS entry. >>> >>> Original report: >>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668667 >> >> I reread this one a few times, I'm not clear on what: >> >> ========== printf 'GET >> /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo >> >> HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc >> localhost 80 >> >> Provided that the filename actually exists, munin will render the >> image ========== >> >> means exactly, does the file vmstat-day.png need to exist where? >> It seems like if the image is of any size (say 20k or more) the >> amplification (each get request = 20k of tmp space usage) and >> the files have to be deleted manually it might qualify as a DoS. >> >> hel...@subdivi.de can you shed more light on this? > > The basic requirement is that a plugin called vmstat is configured > for the node localhost.localdomain. I just picked it as an example, > cause it is present on my system. In practise any plugin for any > host will do.
Is this the default configuration? > In addition munin parses parts of the query string. You are allowed > to modify the size of the image. By choosing a path > "....png?size_x=20000&size_y=20000&uniquestuff" you can do the > same attack while simultaneously using a large image size. The raw > image would be 381M (assuming 8bits/pixel) in this case. A png > version will likely be smaller, say 4M? So now you have an > amplification of 4M/request. Note that this query can get a node > into swapping, because rrdtool needs to create the whole image in > main memory. > > Hope this helps Ouch. > Helmut - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPjkt4AAoJEBYNRVNeJnmTzqwQAKn7u4+dg9mYpMuAAC14fIYh JGQGLSRJ98s3IgH14dOO6q9nASErz5wBPhcTnTwOKOLAdbbFHU5Z1DKm+ARyLMXw XPIGHrdTb5TkWvsRKilA7iIbUhaXuMckELJj2WWi5LdHvzVLG8mEivQQKMtSY8b1 Wmp0JmDguHpqcToYq4uwYA1O22fHxwPjBFnsZ6A2HjLtMwCUkZ6WZZEuc85+v2C5 utfJm3AYSRgW1mI24kLxTIsige88txXZpUt44Bx3T26UkUz2X4ebbO/z5slqXt7n RLZ4IDWEs03yau8vJD6vuNtOvQ+p3SmQYeRr6GvEXYrem+mTPB6toKLUeRUr7fNR +RO4syrQ1KMoGfcAlNJ9ide2qZHsByXseriSJ02yb0VYKqYD1peUo1wR3Kw/EBnC lnWNfb54JmwJih4qzEpE/SKoVEgxTKfuJGT4QcZ1PDrABQSfOWc4v3bughgLNH6m c/voNTCuk7XI0//hCj4qF9jx/SPAB0xnnxnhqgmPTCBUVB3WHlSK0V335DV4KIGm 9c4GqdEJ0lxtKWJpwpZbNBU00LksXpHFQHMjcJ+0Bc0B1CrbaL0Hi9+1/kWH0aYG X+N6Ah6/eY1bP78B1rH91CqcSRm5fouIbY5QSraN7ZGvrKXAvrQrnRqdEj+XKYUL YTFUs403T/QOG6KuIGhg =/Jxz -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
