Issue 14001: CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/58209

classification

Title:	CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request
Type:	security	Stage:	resolved
Components:	Library (Lib), XML	Versions:	Python 3.1

process

Dependencies:	Superseder:
Status:	closed	Resolution:	fixed
Assigned To:	Nosy List:	Arfrever, dmalcolm, ezio.melotti, flox, iankko, loewis, neologix, orsenthil, pitrou, python-dev, rosslagerwall, schmir
Priority:	normal	Keywords:	patch

Created on 2012年02月13日 13:45 by iankko, last changed 2022年04月11日 14:57 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
xmlrpc_loop.diff	neologix, 2012年02月13日 20:27	review
xmlrpc_loop-1.diff	neologix, 2012年02月14日 18:27	review

Messages (10)
msg153267 - (view)	Author: Jan Lieskovsky (iankko)	Date: 2012年02月13日 13:45
A denial of service flaw was found in the way Simple XML-RPC Server module of Python processed client connections, that were closed prior the complete request body has been received. A remote attacker could use this flaw to cause Python Simple XML-RPC based server process to consume excessive amount of CPU. Credit: Issue reported by Daniel Callaghan References: [1] https://bugzilla.redhat.com/show_bug.cgi?id=789790 Steps to reproduce: ------------------ A) for v3.2.2 version: 1) start server: cat s.py #!/usr/local/bin/python3 from xmlrpc.server import SimpleXMLRPCServer server = SimpleXMLRPCServer(('127.0.0.1', 12345)) server.serve_forever() 2) # top 3) issue request from client: echo -e 'POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye' \| nc localhost 12345 Return to 'top' screen and see, how CPU consumption on particular host quickly moves to 100%. B) for v2.7.2 version: 1) start server: cat s.py #!/usr/bin/python from SimpleXMLRPCServer import SimpleXMLRPCServer server = SimpleXMLRPCServer(('127.0.0.1', 12345)) server.serve_forever() Steps 2) and 3) for v2.7.2 version are identical to those for v3.2.2 version.
msg153270 - (view)	Author: Jan Lieskovsky (iankko)	Date: 2012年02月13日 14:06
CVE request: [2] http://www.openwall.com/lists/oss-security/2012/02/13/3
msg153296 - (view)	Author: Charles-François Natali (neologix) * (Python committer)	Date: 2012年02月13日 20:27
SimpleXMLRPCRequestHandler.do_POST() is simply looping on EOF. The patch attached fixes this (the server doesn't seem to generate an error in response to this partial request though).
msg153336 - (view)	Author: Jan Lieskovsky (iankko)	Date: 2012年02月14日 11:25
The CVE identifier of CVE-2012-0845 has been assigned to this issue: [3] http://www.openwall.com/lists/oss-security/2012/02/13/4
msg153356 - (view)	Author: Charles-François Natali (neologix) * (Python committer)	Date: 2012年02月14日 18:27
With test. test_xmlrpc has a timeout detection code which is simply broken (and it's actually documented): I just removed it, so if the server loops, the test will block. I think it's acceptable since other tests behave in the same way, and those days we have faulthandler that can be used to pinpoint such deadlocks/loops easily. Also, I've noticed that people are more inclined to fix tests that block than mere failing tests :-)
msg153375 - (view)	Author: Antoine Pitrou (pitrou) * (Python committer)	Date: 2012年02月14日 22:34
The patch looks ok to me.
msg153396 - (view)	Author: Martin v. Löwis (loewis) * (Python committer)	Date: 2012年02月15日 08:29
As a security issue, it applies to 2.6 and 3.1 as well.
msg153431 - (view)	Author: Charles-François Natali (neologix) * (Python committer)	Date: 2012年02月15日 20:16
The test fails on 2.6 and 2.7, because of a EPIPE, which is normal in this case (well, at least expected): """ test_partial_post (test.test_xmlrpc.SimpleServerTestCase) ... ---------------------------------------- Exception happened during processing of request from ('127.0.0.1', 47844) Traceback (most recent call last): File "/home/cf/python/cpython/Lib/SocketServer.py", line 283, in _handle_request_noblock self.process_request(request, client_address) File "/home/cf/python/cpython/Lib/SocketServer.py", line 309, in process_request self.finish_request(request, client_address) File "/home/cf/python/cpython/Lib/SocketServer.py", line 322, in finish_request self.RequestHandlerClass(request, client_address, self) File "/home/cf/python/cpython/Lib/SocketServer.py", line 617, in __init__ self.handle() File "/home/cf/python/cpython/Lib/BaseHTTPServer.py", line 329, in handle self.handle_one_request() File "/home/cf/python/cpython/Lib/BaseHTTPServer.py", line 323, in handle_one_request method() File "/home/cf/python/cpython/Lib/SimpleXMLRPCServer.py", line 490, in do_POST self.send_response(200) File "/home/cf/python/cpython/Lib/BaseHTTPServer.py", line 384, in send_response self.send_header('Server', self.version_string()) File "/home/cf/python/cpython/Lib/BaseHTTPServer.py", line 390, in send_header self.wfile.write("%s: %s\r\n" % (keyword, value)) File "/home/cf/python/cpython/Lib/socket.py", line 318, in write self.flush() File "/home/cf/python/cpython/Lib/socket.py", line 297, in flush self._sock.sendall(buffer(data, write_offset, buffer_size)) error: [Errno 32] Broken pipe """ What should I do? Remove the test?
msg153644 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2012年02月18日 14:03
New changeset 24244a744d01 by Charles-François Natali in branch '2.6': Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer http://hg.python.org/cpython/rev/24244a744d01 New changeset 0c02f30b2538 by Charles-François Natali in branch '2.7': Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer http://hg.python.org/cpython/rev/0c02f30b2538 New changeset 4dd5a94fd3e3 by Charles-François Natali in branch '3.1': Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer http://hg.python.org/cpython/rev/4dd5a94fd3e3 New changeset cd67740ce653 by Charles-François Natali in branch '3.2': Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer http://hg.python.org/cpython/rev/cd67740ce653 New changeset 5756b295b6fb by Charles-François Natali in branch 'default': Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer http://hg.python.org/cpython/rev/5756b295b6fb
msg153696 - (view)	Author: Charles-François Natali (neologix) * (Python committer)	Date: 2012年02月19日 10:23
Committed, thanks!

History
Date	User	Action	Args
2022年04月11日 14:57:26	admin	set	github: 58209
2021年11月04日 14:29:45	erlendaasland	set	nosy: + loewis, orsenthil, pitrou, schmir, ezio.melotti, Arfrever, iankko, flox, dmalcolm, neologix, rosslagerwall, python-dev, - barry, r.david.murray, ahmedsayeed1982 components: + Library (Lib), XML, - email
2021年11月04日 14:29:11	erlendaasland	set	messages: - msg405710
2021年11月04日 12:12:43	ahmedsayeed1982	set	versions: - Python 2.6, Python 2.7, Python 3.2, Python 3.3 nosy: + barry, ahmedsayeed1982, r.david.murray, - loewis, orsenthil, pitrou, schmir, ezio.melotti, Arfrever, iankko, flox, dmalcolm, neologix, rosslagerwall, python-dev messages: + msg405710 components: + email, - Library (Lib), XML
2012年02月19日 10:23:55	neologix	set	status: open -> closed resolution: fixed messages: + msg153696 stage: patch review -> resolved
2012年02月18日 14:03:11	python-dev	set	nosy: + python-dev messages: + msg153644
2012年02月15日 20:16:13	neologix	set	messages: + msg153431
2012年02月15日 08:29:27	loewis	set	messages: + msg153396 versions: + Python 2.6, Python 3.1
2012年02月14日 22:34:38	pitrou	set	nosy: + pitrou messages: + msg153375
2012年02月14日 18:27:42	neologix	set	files: + xmlrpc_loop-1.diff messages: + msg153356
2012年02月14日 13:54:55	pitrou	set	stage: needs patch -> patch review
2012年02月14日 12:29:24	orsenthil	set	nosy: + orsenthil
2012年02月14日 11:25:30	iankko	set	messages: + msg153336 title: Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request -> CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request
2012年02月13日 21:26:21	Arfrever	set	nosy: + Arfrever
2012年02月13日 20:27:47	neologix	set	files: + xmlrpc_loop.diff nosy: + neologix messages: + msg153296 keywords: + patch
2012年02月13日 16:37:29	dmalcolm	set	nosy: + dmalcolm
2012年02月13日 16:30:48	rosslagerwall	set	nosy: + rosslagerwall
2012年02月13日 14:18:50	flox	set	nosy: + flox components: + XML versions: + Python 3.3
2012年02月13日 14:06:26	iankko	set	messages: + msg153270
2012年02月13日 13:54:05	ezio.melotti	set	nosy: + loewis, ezio.melotti stage: needs patch
2012年02月13日 13:48:51	schmir	set	nosy: + schmir
2012年02月13日 13:45:33	iankko	create

homepage