Technical explanation 0m-19m or so, part about nodejs at 40m or so.
Basically, because v8 uses weak hashes for objects, you can fill up
one slot of the hashtable with many entries, e.g. using a POST
containing a querystring with many keys with the same hash. Operating
on those keys (inserting and reading) then becomes slow as hell which
allows you to bring a nodejs server to 100% CPU usage for a long time
(blocking the event loop completely) with one moderately large POST
request. This is bad.
Those guys say they told Google October 18th, they got through to the
v8 guys in November, and they said they don't care sooo much about DoS
attacks on v8 because they're mainly interested in browserside stuff.
This is bad for us.
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to nod...@googlegroups.com
> To unsubscribe from this group, send email to
> nodejs+un...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
Well... but what max size? With a dead-simple collision that produces
very long keys, I got 7-10s for creating the object. With keys of the
same length that don't collide, it only took less than 0.5s. Both with
10000 entries in the object. If we assume that an attacker can find
collisions with a length of 8 bytes, he'll need maybe 10 bytes per
entry in the querystring or so (yes, I know, I'm somewhat guessing
around now). So, a string of 100kB might already be sufficient to
block the server for ten seconds.
What use case needs more than 100 POST arguments?
I see how this is a vulnerability produced by hash functions, but it is
not a problem which has to be fixed in the hash functions themselves.
This is the solution. I know that V8 has very fast hashes. And to
overwrite a large object's key does not mean that V8 iterates over a
long list. I think the whole story is overrated. Just give your post
body size a limit that makes sense (can be very small depending on
what you expect), then try to parse the string. I think it's no
problem to deal with this issue.
But it's important to set the limit!
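As an added example that is not part of this thread or of node's own code, here is one way to apply the two limits discussed above in a Node.js handler: a cap on the body size (checked while the body streams in, so an oversized request is refused before it is buffered) and a cap on the number of form parameters (checked before any key is inserted into a JavaScript object). The limit values, the function names, the `LimitError` class and the choice of a `Map` for the parsed parameters are my assumptions, not anything the thread prescribes.

```javascript
// Added example: defensive application/x-www-form-urlencoded handling for Node.js.
// Limits are illustrative assumptions; tune them to what the endpoint really needs.
const LIMITS = { maxBodyBytes: 16 * 1024, maxParams: 100 };

// Error carrying the HTTP status the handler should respond with.
class LimitError extends Error {
  constructor(message, statusCode) {
    super(message);
    this.statusCode = statusCode;
  }
}

// Parse a form body into a Map, enforcing the byte and parameter-count limits
// before any key is stored. A Map (not a plain object) is used so that keys such
// as "__proto__" are ordinary entries and never touch the prototype chain.
function parseFormBody(body, limits = LIMITS) {
  if (Buffer.byteLength(body, 'utf8') > limits.maxBodyBytes) {
    throw new LimitError('request body too large', 413);
  }
  const params = new Map();
  let count = 0;
  for (const pair of body.split('&')) {
    if (pair === '') continue; // tolerate "a=1&&b=2"
    if (++count > limits.maxParams) {
      throw new LimitError('too many parameters', 400);
    }
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    let key;
    let val;
    try {
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
      val = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    } catch (e) {
      throw new LimitError('malformed percent-encoding', 400);
    }
    params.set(key, val); // last value wins for duplicate keys
  }
  return params;
}

// Read the request body, rejecting as soon as the byte cap is exceeded rather
// than after the whole body has been buffered.
function readBodyWithLimit(req, maxBytes) {
  return new Promise((resolve, reject) => {
    const chunks = [];
    let received = 0;
    req.on('data', (chunk) => {
      received += chunk.length;
      if (received > maxBytes) {
        reject(new LimitError('request body too large', 413));
        req.destroy();
        return;
      }
      chunks.push(chunk);
    });
    req.on('end', () => resolve(Buffer.concat(chunks).toString('utf8')));
    req.on('error', reject);
  });
}

// Request handler suitable for http.createServer(handleFormPost).
async function handleFormPost(req, res, limits = LIMITS) {
  try {
    const body = await readBodyWithLimit(req, limits.maxBodyBytes);
    const params = parseFormBody(body, limits);
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end(`accepted ${params.size} parameter(s)\n`);
  } catch (err) {
    res.writeHead(err.statusCode || 500, { 'Content-Type': 'text/plain' });
    res.end(`${err.message}\n`);
  }
}
```

To serve it, pass the handler to the standard HTTP server: `require('http').createServer(handleFormPost).listen(8080)`. The parameter-count check is what bounds the work done per request regardless of how the keys hash; the byte cap is what bounds memory and parsing time for the body as a whole, and checking it during streaming means a client cannot make the server buffer a large body just to have it rejected afterwards.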
On Thu, Dec 29, 2011 at 1:39 PM, Mark Hahn <ma...@hahnca.com> wrote:
>> That is the most disgusting thing I've ever heard.
>
> I've heard worse. And I'd do this in a heartbeat if I was being attacked.
Yep. Hang tight. v0.6.7 is coming up soon.
http://packetstormsecurity.org/files/108294/HashtablePOC.py.txt
--
RMA.
Even if you compile with snapshots one has to guess seed embedded into _your_ snapshot to generate colliding data.
--
Vyacheslav Egorov
Of course, and by the way - most Linux systems save and restore their
random seed, which is, as I understand, used by most of the
applications out there, unless one desires to implement a more tricky
thing - pick up a second of noise from a sound card for example and do
some computation on that.
As a side question, can this fix possibly be implemented in C++ OR as
an exclusive piece of javascript, i.e. that will be not included in
the snapshot?
... or maybe one could simply reload this implementation and hence
redefine the functions, am I correct on this?
>> pick up a second of noise from a sound card for example
>
> that would be..so..cool.
Of course not all physical or virtual servers have sound hardware.