Univention Bugzilla – Bug 52699
DoS: malicious request can crash the UMC Server
Last modified: 2021-02-03 15:04:07 CET
UCS 4.4.7 errata863 UMC server crashes with the following traceback:

22.01.21 20:11:05.378 PARSER ( ERROR ) : Error parsing UMCP message header: u'GET / HTTP/1.0\r'
22.01.21 20:11:05.378 MAIN ( PROCESS ) : Parse error: ParseError(551, u'Unverst\xe4ndlicher nachrichtenkopf')
22.01.21 20:13:48.986 PARSER ( ERROR ) : Error parsing UMCP message header: u'\x02\x01\x00\x00\x00\x00\x00\x08version'
22.01.21 20:13:48.986 MAIN ( PROCESS ) : Parse error: ParseError(551, u'Unverst\xe4ndlicher nachrichtenkopf')
22.01.21 20:13:54.001 PARSER ( ERROR ) : Error parsing UMCP message header: u'version'
22.01.21 20:13:54.001 MAIN ( PROCESS ) : Parse error: ParseError(551, u'Unverst\xe4ndlicher nachrichtenkopf')
22.01.21 20:13:59.069 SSL ( WARN ) : The socket was closed by the client.
22.01.21 20:14:09.087 MAIN ( WARN ) : Shutting down all open connections
22.01.21 20:14:09.184 MAIN ( ERROR ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 285, in <module>
    umc_daemon.do_action()
  File "/usr/lib/python2.7/dist-packages/daemon/runner.py", line 267, in do_action
    func(self)
  File "/usr/lib/python2.7/dist-packages/daemon/runner.py", line 186, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 232, in run
    notifier.loop()
  File "/usr/lib/python2.7/dist-packages/notifier/nf_generic.py", line 304, in loop
    step()
  File "/usr/lib/python2.7/dist-packages/notifier/nf_generic.py", line 290, in step
    if cond & condition and fd in __sockets[cond] and not __sockets[cond][fd](sock_obj):
  File "/usr/lib/python2.7/dist-packages/univention/management/console/protocol/server.py", line 152, in _receive
    state.buffer = msg.parse(state.buffer)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/protocol/message.py", line 233, in parse
    PARSER.error('Error decoding UMCP message header: %r' % (header[:100],))
UnboundLocalError: local variable 'header' referenced before assignment

The server is directly connected to the internet. There are lots of such invalid requests, just like these:

08.01.21 15:22:39.279 SSL ( ERROR ) : SSL error in _receive: [('SSL routines', 'ssl_get_prev_session', 'session id context uninitialized')].
08.01.21 15:22:39.319 PARSER ( ERROR ) : Error parsing UMCP message header: u'GET / HTTP/1.0\r'
08.01.21 15:22:39.319 MAIN ( PROCESS ) : Parse error: ParseError(551, u'Unverst\xe4ndlicher nachrichtenkopf')
08.01.21 15:22:39.343 SSL ( ERROR ) : SSL error in _receive: [('SSL routines', 'ssl_get_prev_session', 'session id context uninitialized')].
08.01.21 15:22:39.382 PARSER ( ERROR ) : Error parsing UMCP message header: u'OPTIONS / HTTP/1.0\r'
08.01.21 15:22:39.382 MAIN ( PROCESS ) : Parse error: ParseError(551, u'Unverst\xe4ndlicher nachrichtenkopf')
08.01.21 15:22:39.404 SSL ( ERROR ) : SSL error in _receive: [('SSL routines', 'ssl_get_prev_session', 'session id context uninitialized')].
08.01.21 15:22:39.446 PARSER ( ERROR ) : Error parsing UMCP message header: u'OPTIONS / RTSP/1.0\r'
08.01.21 15:22:39.446 MAIN ( PROCESS ) : Parse error: ParseError(551, u'Unverst\xe4ndlicher nachrichtenkopf')
08.01.21 15:22:39.472 SSL ( ERROR ) : SSL error in _receive: [('SSL routines', 'ssl_get_prev_session', 'session id context uninitialized')].
08.01.21 15:22:39.510 PARSER ( ERROR ) : Error decoding UMCP message header: '\x80\x00\x00(r\xfe\x1d\x13\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x01\x97|\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
08.01.21 15:22:39.510 MAIN ( PROCESS ) : Parse error: ParseError(551, u'Ung\xfcltige Nachrichtenkopf-Kodierung.')

Most of them are recognized and handled, but some of them killed the UMC server. Apache+SSL config was not changed away from default. What can be done here?
Perhaps I made a mistake while creating this bug: I cannot set the support-related flags (Enterprise, School, ISV etc) to "No". My choice "security bug" means: if server is exposed to the internet, a malicious request can crash the server.
Thank you Frank for reporting this. This should not occur under normal circumstances. Why is your UMC client calling HTTP against the UMC-Server (Port 6670) instead of against the UMC-Web-Server (Port 8090)? Or did you do a security test on purpose?

This is a regression by git:2d905760023097a04e162272c4d77ff91af9a0b0.

A patch is:

commit 3902a3bf1aeb7f75db2796fbfe47d7e2ccd5d714
Author: Florian Best <best@univention.de>
Date:   Tue Jan 26 15:20:46 2021 +0100

    fixup! Bug #52194 umcd: Add/fox PEP 484 type annotations

diff --git management/univention-management-console/src/univention/management/console/protocol/message.py management/univention-management-console/src/univention/management/console/protocol/message.py
index 36732037db..c52c126db7 100644
--- management/univention-management-console/src/univention/management/console/protocol/message.py
+++ management/univention-management-console/src/univention/management/console/protocol/message.py
@@ -230,7 +230,7 @@ class Message(object):
 try:
 header = _header.decode('utf-8')
 except ValueError:
-PARSER.error('Error decoding UMCP message header: %r' % (header[:100],))
+PARSER.error('Error decoding UMCP message header: %r' % (_header[:100],))
 raise ParseError(UMCP_ERR_UNPARSABLE_HEADER, _('Invalid message header encoding.'))
 # is the format of the header line valid?
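Review bot: the one-line change in the except branch is the right fix: `header` is only bound when `_header.decode('utf-8')` succeeds, so in the failing case the handler itself raised UnboundLocalError before reaching `raise ParseError(...)`, and that exception (unlike ParseError) escaped `_receive` and the notifier loop, which is the crash in the reporter's traceback. Since the regression came from a type-annotation refactor (git:2d905760023097a04e162272c4d77ff91af9a0b0), it would be worth adding a regression test that feeds a header with a non-UTF-8 byte (such as the `\x80...` line in the report) to `Message.parse` and asserts that ParseError with UMCP_ERR_UNPARSABLE_HEADER is raised, so the logging call in the handler is actually exercised.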
Fixed in:

univention-management-console.yaml
46a245247630 | Bug #52699: fix crashing of UMC-Server on malicious requests

univention-management-console (11.0.6-6)
46a245247630 | Bug #52699: fix crashing of UMC-Server on malicious requests

Merge to UCS 5:
univention-management-console (12.0.6-3)
3902a3bf1aeb | fixup! Bug #52194 umcd: Add/fox PEP 484 type annotations
OK: 46a245247630 | Bug #52699: fix crashing of UMC-Server on malicious requests
OK: 3902a3bf1aeb | fixup! Bug #52194 umcd: Add/fox PEP 484 type annotations
OK: errata-announce -V --only univention-management-console.yaml
OK: univention-management-console.yaml
OK: apt-get -t apt install univention-management-console

FYI: Unable to trigger the bug with
curl -k -v -H "$(printf 'Junk: \xee')" https://localhost:6670/univention/
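The crash path from the traceback in the report and the patch in comment 2, as an added example that is not part of this bug or of the UCS code base: a minimal Python 3 stand-in for the header decode step, with the pre-fix and post-fix variants side by side. `ParseError`, `receive`, `escapes_main_loop` and the sample headers are constructed for illustration; the error code 551 is the one shown in the report's log lines.

```python
# Added example (not the project's code): minimal stand-in for the UMCP header
# decode step changed by the patch. ParseError, receive() and the sample
# headers are assumptions/constructed values for illustration.
import logging

PARSER = logging.getLogger("PARSER")
UMCP_ERR_UNPARSABLE_HEADER = 551  # code seen in the ParseError(551, ...) log lines


class ParseError(Exception):
    def __init__(self, code, msg):
        super().__init__(code, msg)
        self.code = code


def decode_header_buggy(_header: bytes) -> str:
    """Pre-fix logic: on a decode failure the handler reads `header`, which was
    never bound, so UnboundLocalError replaces the intended ParseError."""
    try:
        header = _header.decode('utf-8')
    except ValueError:  # UnicodeDecodeError is a ValueError subclass
        PARSER.error('Error decoding UMCP message header: %r' % (header[:100],))
        raise ParseError(UMCP_ERR_UNPARSABLE_HEADER, 'Invalid message header encoding.')
    return header


def decode_header_fixed(_header: bytes) -> str:
    """Post-fix logic: log the raw bytes that failed to decode, then raise ParseError."""
    try:
        header = _header.decode('utf-8')
    except ValueError:
        PARSER.error('Error decoding UMCP message header: %r' % (_header[:100],))
        raise ParseError(UMCP_ERR_UNPARSABLE_HEADER, 'Invalid message header encoding.')
    return header


def receive(decode, raw: bytes) -> str:
    """Stand-in for the server's _receive: only ParseError is expected and handled;
    anything else propagates into the main loop and takes the process down."""
    try:
        decode(raw)
    except ParseError as exc:
        return 'parse error %d, connection kept' % exc.code
    return 'ok'


def escapes_main_loop(decode, raw: bytes) -> bool:
    """True if an exception other than ParseError leaks out of receive()."""
    try:
        receive(decode, raw)
    except Exception:
        return True
    return False


# Constructed inputs: a valid UTF-8 header and bytes that are not valid UTF-8
# (the scanner traffic in the report began with bytes such as \x80 and \xee).
VALID = b'version\n'
INVALID = b'\x80\x00\x00(r\xfe\x1d'
```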
> Why is your UMC client calling HTTP against the UMC-Server
> (Port 6670) instead of against the UMC-Web-Server (Port 8090)?
> Or did you do a security test on purpose?

Not me. Somebody(TM) did:

34.107.38.194 - - [22/Jan/2021:20:10:59 +0100] "GET /main.asp HTTP/1.1" 301 609 "-" "cyberscan.io"
34.107.38.194 - - [22/Jan/2021:20:10:59 +0100] "GET /index.asp HTTP/1.1" 301 611 "-" "cyberscan.io"
34.107.38.194 - - [22/Jan/2021:20:10:59 +0100] "GET /index.htm HTTP/1.1" 301 611 "-" "cyberscan.io"
34.107.38.194 - - [22/Jan/2021:20:10:59 +0100] "GET /default.html HTTP/1.1" 301 617 "-" "cyberscan.io"
34.107.38.194 - - [22/Jan/2021:20:12:31 +0100] "\x16\x03\x01" 400 0 "-" "-"
34.107.38.194 - - [22/Jan/2021:20:17:48 +0100] "\x16\x03\x01\x03\xa1\x01" 400 0 "-" "-"
34.107.38.194 - - [22/Jan/2021:20:17:48 +0100] "\x16\x03\x01\x03\xb9\x01" 400 0 "-" "-"
34.107.38.194 - - [22/Jan/2021:20:17:48 +0100] "\x16\x03\x02\x03\xa1\x01" 400 0 "-" "-"
34.107.38.194 - - [22/Jan/2021:20:17:48 +0100] "\x16\x03\x02\x03\xb9\x01" 400 0 "-" "-"
34.107.38.194 - - [22/Jan/2021:20:17:48 +0100] "\x16\x03\x03\x03\xc7\x01" 400 0 "-" "-"
34.107.38.194 - - [22/Jan/2021:20:17:48 +0100] "\x16\x03\x03\x03\xdf\x01" 400 0 "-" "-"
34.107.38.194 - - [22/Jan/2021:20:17:51 +0100] "\x16\x03" 400 0 "-" "-"

Glad you found it. Many thanks for the quick reaction + fix.
<https://errata.software-univention.de/#/?erratum=4.4x883>