[jira] [Comment Edited] (TS-2954) cache poisoning due to proxy.config.http.use_client_target_addr = 1

Wed, 30 Jul 2014 09:23:37 -0700 

    [ 
https://issues.apache.org/jira/browse/TS-2954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079429#comment-14079429
 ] 

Nikolai Gorchilov edited comment on TS-2954 at 7/30/14 4:21 PM:
----------------------------------------------------------------

Unfortunately, the following assert emerged just seconds after deployment in 
production:

{noformat}
FATAL: HttpTransactHeaders.cc:675: failed assert `header->presence(mask) == 
mask`
/z/bin/traffic_server - STACK TRACE: 
/z/lib/libtsutil.so.5(+0x1e837)[0x2b515c66d837]
/z/lib/libtsutil.so.5(+0x1d51f)[0x2b515c66c51f]
/z/bin/traffic_server[0x5d17f2]
/z/bin/traffic_server(HttpTransact::build_request(HttpTransact::State*, 
HTTPHdr*, HTTPHdr*, HTTPVersion)+0xa0)[0x5b28d0]
/z/bin/traffic_server(HttpTransact::HandleCacheOpenReadHit(HttpTransact::State*)+0x1f9)[0x5c89c9]
/z/bin/traffic_server(HttpSM::call_transact_and_set_next_state(void 
(*)(HttpTransact::State*))+0x66)[0x58e3a6]
/z/bin/traffic_server(HttpSM::state_api_callout(int, void*)+0x343)[0x599c43]
/z/bin/traffic_server(HttpSM::set_next_state()+0x1e8)[0x5a0518]
/z/bin/traffic_server(HttpSM::do_hostdb_lookup()+0x27a)[0x58e89a]
/z/bin/traffic_server(HttpSM::set_next_state()+0xcf8)[0x5a1028]
/z/bin/traffic_server(HttpSM::state_read_server_response_header(int, 
void*)+0x1df)[0x59b66f]
/z/bin/traffic_server(HttpSM::main_handler(int, void*)+0xd8)[0x59add8]
/z/bin/traffic_server[0x715245]
/z/bin/traffic_server(NetHandler::mainNetEvent(int, Event*)+0x1ed)[0x707a1d]
/z/bin/traffic_server(EThread::process_event(Event*, int)+0x91)[0x736361]
/z/bin/traffic_server(EThread::execute()+0x4fc)[0x736e1c]
/z/bin/traffic_server[0x7355fa]
/lib64/libpthread.so.0(+0x7034)[0x2b515dc73034]
/lib64/libc.so.6(clone+0x6d)[0x2b515e9bdb5d]
{noformat}

Could it be related to refresh check of already cached result?


was (Author: ngorchilov):
Unfortunately, the following assert emerged just seconds after deployment in 
production:

{noformat}
FATAL: HttpTransactHeaders.cc:675: failed assert `header->presence(mask) == 
mask`
/z/bin/traffic_server - STACK TRACE: 
/z/lib/libtsutil.so.5(+0x1e837)[0x2b515c66d837]
/z/lib/libtsutil.so.5(+0x1d51f)[0x2b515c66c51f]
/z/bin/traffic_server[0x5d17f2]
/z/bin/traffic_server(HttpTransact::build_request(HttpTransact::State*, 
HTTPHdr*, HTTPHdr*, HTTPVersion)+0xa0)[0x5b28d0]
/z/bin/traffic_server(HttpTransact::HandleCacheOpenReadHit(HttpTransact::State*)+0x1f9)[0x5c89c9]
/z/bin/traffic_server(HttpSM::call_transact_and_set_next_state(void 
(*)(HttpTransact::State*))+0x66)[0x58e3a6]
/z/bin/traffic_server(HttpSM::state_api_callout(int, void*)+0x343)[0x599c43]
/z/bin/traffic_server(HttpSM::set_next_state()+0x1e8)[0x5a0518]
/z/bin/traffic_server(HttpSM::do_hostdb_lookup()+0x27a)[0x58e89a]
/z/bin/traffic_server(HttpSM::set_next_state()+0xcf8)[0x5a1028]
/z/bin/traffic_server(HttpSM::state_read_server_response_header(int, 
void*)+0x1df)[0x59b66f]
/z/bin/traffic_server(HttpSM::main_handler(int, void*)+0xd8)[0x59add8]
/z/bin/traffic_server[0x715245]
/z/bin/traffic_server(NetHandler::mainNetEvent(int, Event*)+0x1ed)[0x707a1d]
/z/bin/traffic_server(EThread::process_event(Event*, int)+0x91)[0x736361]
/z/bin/traffic_server(EThread::execute()+0x4fc)[0x736e1c]
/z/bin/traffic_server[0x7355fa]
/lib64/libpthread.so.0(+0x7034)[0x2b515dc73034]
/lib64/libc.so.6(clone+0x6d)[0x2b515e9bdb5d]
{noformat}


> cache poisoning due to proxy.config.http.use_client_target_addr = 1
> -------------------------------------------------------------------
>
>                 Key: TS-2954
>                 URL: https://issues.apache.org/jira/browse/TS-2954
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Cache, DNS, Security, TProxy
>            Reporter: Nikolai Gorchilov
>            Assignee: Susan Hinrichs
>            Priority: Critical
>             Fix For: 5.1.0
>
>         Attachments: ts-2954.patch
>
>
> Current implementation of proxy.config.http.use_client_target_addr opens a 
> very simple attack vector for cache poisoning in transparent forwarding mode.
> An attacker (or malware installed on innocent end-user computer) puts a fake 
> IP for popular website like www.google.com or www.facebook.com in hosts file 
> on PC behind the proxy. Once an infected PC requests the webpage in question, 
> a cacheable fake response poisons the cache.
> In order to prevent such scenarios (as well as [some 
> others|http://www.kb.cert.org/vuls/id/435052]) Squid have implemented a 
> mechanism known as [Host Header Forgery 
> Detection|http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery].
> In short, while requesting an URL from origin server IP as hinted by the 
> client, proxy makes independent DNS query in parallel in order to determine 
> if client supplied IP belongs to requested domain name. In case of 
> discrepancy between DNS and client IP, the transaction shall be flagged as 
> non-cacheable to avoid possible cache poisoning, while still serving the 
> origin response to the client.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to