[Glass] security / dos attacks
Locked
 
|
Hi,
We've been getting some hacking / dos attempts on our sites. In some cases, we do get a successful crash of the FCGI server. I'm still trying to find those. In my hunt for this, I found that some requests create an Internal Server Error response. For example, a GET on /%C0%AE generates the following message: 'InterpreterError 2258: Primitive failed , selector <#'_unicodePrim:'> receiver <'À®'>' I'm worried that this somehow opens a gap to hack into the system, so I think it is better to respond with a 404 or something like that. Does this make sense? I was thinking that I should be chasing down 500 responses so that we can catch where they manage to break the server. Have you encountered this? Any ideas on solving it? Here's what I found so far: 1. The method WAFastCGIAdaptor | requestUrlFor: creates a WAUrl and then calls #decodeWith: on it, which breaks. 2. In the code that creates the WAUrl, it calls #decode: on the path segments, which decodes %C0 as a UTF8 character. (WAUrl | decode:). 3. doing this breaks: (String with: (Character codePoint: 192) with: (Character codePoint: 174)) decodeFromUTF8 Thanks Otto _______________________________________________ Glass mailing list [hidden email] http://lists.gemtalksystems.com/mailman/listinfo/glass |
|
|
Am 23.12.2013 14:36, schrieb Otto Behrens:
> (String with: (Character codePoint: 192) with: (Character codePoint: > 174)) decodeFromUTF8 But it throws an ArgumenError exception - which seems to be ok. A C0 is not used to define a valid UTF8 character. Marten -- Marten Feldtmann _______________________________________________ Glass mailing list [hidden email] http://lists.gemtalksystems.com/mailman/listinfo/glass |
|
|
In reply to this post by otto
Otto,
we've been seeing similar problems on VA Smalltalk. There were requests that seemed lik esomebody tries to check the server if it reacts to certain Strings. Unfortunately, the server came up with a debugger instead of either ignoring it or returning an HTML error message. I think we all agree that a server shouldn't crash if a request cannot be decoded or process. The whole thing, however is much more complicated than just returning an HTTP status code if a request cannot be decoded, and I have learned a little about this over the last few weeks. There are good reasons for your server to not react at all to the outside, so that possible attackers do not learn anything about your server, other than it didn't react in the way they'd hoped. So there are several possible things a server should do, and you need to have a way to configure that behaviour: * In development and test, you'd probably want to receive an HTTP error code if you send illegal requests to your Web Server (In your case Gemstone/S) * In pre-production and production, you'd better not get anything back from the server if you send requests that cannot be processed * You may need, however, to keep a log of such access attempts to understand a intrusion after the fact (I really hope I'll never be in that situation), so you may want to log those requests with as much information about where it came from and what happened before and after. You may have a vague idea by now that this is a very wide field and maybe this is not something that can or should be solved in Smalltalk. I guess there are people who have solved the issue better than any Smalltalk verndor ever could. I only have to find out what people usually do about this. So: first step sure is catching errors and responding with an appropriate HTTP status code, just to keep your server from crashing. But as you can see, that is neither a perfect nor complete solution. HTH, Joachim Am 23.12.13 14:36, schrieb Otto Behrens: > Hi, > > We've been getting some hacking / dos attempts on our sites. > > In some cases, we do get a successful crash of the FCGI server. I'm > still trying to find those. > > In my hunt for this, I found that some requests create an Internal > Server Error response. For example, a GET on /%C0%AE generates the > following message: 'InterpreterError 2258: Primitive failed , selector > <#'_unicodePrim:'> receiver <'À®'>' > > I'm worried that this somehow opens a gap to hack into the system, so > I think it is better to respond with a 404 or something like that. > Does this make sense? I was thinking that I should be chasing down 500 > responses so that we can catch where they manage to break the server. > > Have you encountered this? Any ideas on solving it? > > Here's what I found so far: > 1. The method WAFastCGIAdaptor | requestUrlFor: creates a WAUrl and > then calls #decodeWith: on it, which breaks. > 2. In the code that creates the WAUrl, it calls #decode: on the path > segments, which decodes %C0 as a UTF8 character. (WAUrl | decode:). > 3. doing this breaks: > > (String with: (Character codePoint: 192) with: (Character codePoint: > 174)) decodeFromUTF8 > > Thanks > Otto > _______________________________________________ > Glass mailing list > [hidden email] > http://lists.gemtalksystems.com/mailman/listinfo/glass > -- ----------------------------------------------------------------------- Objektfabrik Joachim Tuchel mailto:[hidden email] Fliederweg 1 http://www.objektfabrik.de D-71640 Ludwigsburg http://joachimtuchel.wordpress.com Telefon: +49 7141 56 10 86 0 Fax: +49 7141 56 10 86 1 _______________________________________________ Glass mailing list [hidden email] http://lists.gemtalksystems.com/mailman/listinfo/glass |
|
|
In reply to this post by otto
Turns out that this was a vulnerability scan from
https://www.qualys.com/, requested by a customer. Useful anyway to see where we don't respond appropriately. On Mon, Dec 23, 2013 at 3:36 PM, Otto Behrens <[hidden email]> wrote: > Hi, > > We've been getting some hacking / dos attempts on our sites. > > In some cases, we do get a successful crash of the FCGI server. I'm > still trying to find those. > > In my hunt for this, I found that some requests create an Internal > Server Error response. For example, a GET on /%C0%AE generates the > following message: 'InterpreterError 2258: Primitive failed , selector > <#'_unicodePrim:'> receiver <'À®'>' > > I'm worried that this somehow opens a gap to hack into the system, so > I think it is better to respond with a 404 or something like that. > Does this make sense? I was thinking that I should be chasing down 500 > responses so that we can catch where they manage to break the server. > > Have you encountered this? Any ideas on solving it? > > Here's what I found so far: > 1. The method WAFastCGIAdaptor | requestUrlFor: creates a WAUrl and > then calls #decodeWith: on it, which breaks. > 2. In the code that creates the WAUrl, it calls #decode: on the path > segments, which decodes %C0 as a UTF8 character. (WAUrl | decode:). > 3. doing this breaks: > > (String with: (Character codePoint: 192) with: (Character codePoint: > 174)) decodeFromUTF8 > > Thanks > Otto Glass mailing list [hidden email] http://lists.gemtalksystems.com/mailman/listinfo/glass |
Re: [Glass] security / dos attacks
|
|
In reply to this post by otto
Otto,
----- Original Message ----- | From: "Otto Behrens" <[hidden email]> | To: [hidden email] | Cc: [hidden email] | Sent: Monday, December 23, 2013 5:36:50 AM | Subject: [Glass] security / dos attacks | | Hi, | | We've been getting some hacking / dos attempts on our sites. | | In some cases, we do get a successful crash of the FCGI server. I'm | still trying to find those. Yes, let's hunt the server crashes down ... | | In my hunt for this, I found that some requests create an Internal | Server Error response. For example, a GET on /%C0%AE generates the | following message: 'InterpreterError 2258: Primitive failed , | selector | <#'_unicodePrim:'> receiver <'À®'>' "Internal Server Errors" are thrown from parts of the system where it is believed that we cannot return a valid HTTP response ... In the particular cases where the error is coming from interpretation of the data of the request, I think it does make sense to return an appropriate HTTP erro response ... | | I'm worried that this somehow opens a gap to hack into the system, so | I think it is better to respond with a 404 or something like that. | Does this make sense? I was thinking that I should be chasing down | 500 | responses so that we can catch where they manage to break the server. | I don't think that errors that lead to walkbacks pose a security threat to the system ... Smalltalk walkbacks don't open holes ... vm level crashes on the other hand could ... depending upon the failure mechanism. | Have you encountered this? Any ideas on solving it? | | Here's what I found so far: | 1. The method WAFastCGIAdaptor | requestUrlFor: creates a WAUrl and | then calls #decodeWith: on it, which breaks. | 2. In the code that creates the WAUrl, it calls #decode: on the path | segments, which decodes %C0 as a UTF8 character. (WAUrl | decode:). | 3. doing this breaks: | | (String with: (Character codePoint: 192) with: (Character codePoint: | 174)) decodeFromUTF8 I would think that WAFastCGIAdaptor>>internalServerMalfunction: could be modified to so that you could chose to respond with a 500 or 400 error depending upon the type of problem you are hitting .. | | Thanks | Otto | _______________________________________________ | Glass mailing list | [hidden email] | http://lists.gemtalksystems.com/mailman/listinfo/glass | _______________________________________________ Glass mailing list [hidden email] http://lists.gemtalksystems.com/mailman/listinfo/glass |
|
|
In reply to this post by jtuchel
Hi list, Hi Otto, Hi Dale,
I did a bit of research and found that there are tools for filtering the output of a web application like Apache's mod_security. So we shouldn't bother about the "keep it a secret" stuff on the Smalltalk side. This can be handled by your frontend http server. This means it is important for Seaside or better the http adaptors beneath it (Zinc, KOM, Server Smalltalk in VAST, whatever) to do proper error handling and respond with codes in the 4xx-5xx range. Everything else is somebody else's problem. Joachim Am 23.12.13 16:04, schrieb [hidden email]: > Otto, > > we've been seeing similar problems on VA Smalltalk. There were > requests that seemed lik esomebody tries to check the server if it > reacts to certain Strings. Unfortunately, the server came up with a > debugger instead of either ignoring it or returning an HTML error > message. > > I think we all agree that a server shouldn't crash if a request cannot > be decoded or process. > > The whole thing, however is much more complicated than just returning > an HTTP status code if a request cannot be decoded, and I have learned > a little about this over the last few weeks. There are good reasons > for your server to not react at all to the outside, so that possible > attackers do not learn anything about your server, other than it > didn't react in the way they'd hoped. So there are several possible > things a server should do, and you need to have a way to configure > that behaviour: > > * In development and test, you'd probably want to receive an HTTP > error code if you send illegal requests to your Web Server (In your > case Gemstone/S) > * In pre-production and production, you'd better not get anything back > from the server if you send requests that cannot be processed > * You may need, however, to keep a log of such access attempts to > understand a intrusion after the fact (I really hope I'll never be in > that situation), so you may want to log those requests with as much > information about where it came from and what happened before and after. > > You may have a vague idea by now that this is a very wide field and > maybe this is not something that can or should be solved in Smalltalk. > I guess there are people who have solved the issue better than any > Smalltalk verndor ever could. I only have to find out what people > usually do about this. > > So: first step sure is catching errors and responding with an > appropriate HTTP status code, just to keep your server from crashing. > But as you can see, that is neither a perfect nor complete solution. > > HTH, > > Joachim > > > Am 23.12.13 14:36, schrieb Otto Behrens: >> Hi, >> >> We've been getting some hacking / dos attempts on our sites. >> >> In some cases, we do get a successful crash of the FCGI server. I'm >> still trying to find those. >> >> In my hunt for this, I found that some requests create an Internal >> Server Error response. For example, a GET on /%C0%AE generates the >> following message: 'InterpreterError 2258: Primitive failed , selector >> <#'_unicodePrim:'> receiver <'À®'>' >> >> I'm worried that this somehow opens a gap to hack into the system, so >> I think it is better to respond with a 404 or something like that. >> Does this make sense? I was thinking that I should be chasing down 500 >> responses so that we can catch where they manage to break the server. >> >> Have you encountered this? Any ideas on solving it? >> >> Here's what I found so far: >> 1. The method WAFastCGIAdaptor | requestUrlFor: creates a WAUrl and >> then calls #decodeWith: on it, which breaks. >> 2. In the code that creates the WAUrl, it calls #decode: on the path >> segments, which decodes %C0 as a UTF8 character. (WAUrl | decode:). >> 3. doing this breaks: >> >> (String with: (Character codePoint: 192) with: (Character codePoint: >> 174)) decodeFromUTF8 >> >> Thanks >> Otto >> _______________________________________________ >> Glass mailing list >> [hidden email] >> http://lists.gemtalksystems.com/mailman/listinfo/glass >> > > -- ----------------------------------------------------------------------- Objektfabrik Joachim Tuchel mailto:[hidden email] Fliederweg 1 http://www.objektfabrik.de D-71640 Ludwigsburg http://joachimtuchel.wordpress.com Telefon: +49 7141 56 10 86 0 Fax: +49 7141 56 10 86 1 _______________________________________________ Glass mailing list [hidden email] http://lists.gemtalksystems.com/mailman/listinfo/glass |
|
|
> I did a bit of research and found that there are tools for filtering the
> output of a web application like Apache's mod_security. > So we shouldn't bother about the "keep it a secret" stuff on the Smalltalk > side. This can be handled by your frontend http server. > This means it is important for Seaside or better the http adaptors beneath > it (Zinc, KOM, Server Smalltalk in VAST, whatever) to do proper error > handling and respond with codes in the 4xx-5xx range. Everything else is > somebody else's problem. +1 _______________________________________________ Glass mailing list [hidden email] http://lists.gemtalksystems.com/mailman/listinfo/glass |
«
Return to GLASS
|
1 view|%1 views
| Free forum by Nabble | Edit this page |