Please note this message is not related to my previous one from yesterday; this is on a different server (textdrive server). I have only one mongrel application running but "randomly" it will go down. The mongrel.log file shows:

ERROR: undefined method 'request_uri' for #<URI::Generic:0x5383948 URL:*>
ERROR: bad URI(is not URI?): c:\boot.ini
[FATAL] failed to allocate memory

This is on a FreeBSD server. What does the above mean please?

Mongrel 1.0.1

On Thu, 8 Mar 2007, Kris Leech wrote:

> Please note this message is not related to my previous one from
> yesterday, this is on a different server (textdrive server).
> I have only one mongrel application running but "randomly" it will go
> down, the mongrel.log file shows:
>
> ERROR: undefined method 'request_uri' for #<URI::Generic:0x5383948 URL:*>
> ERROR: bad URI(is not URI?): c:\boot.ini
> [FATAL] failed to allocate memory

Someone is trying to read the boot partition of your Windows. Oh, it's a FreeBSD machine? I think they didn't find anything then :D

Does this fatal error occur just after the request?

> This is on a FreeBSD server. What does the above mean please?
>
> Mongrel 1.0.1

filipe {
  @ icewall.org
  GPG 1024D/A6BA423E
  Jabber lautert at jabber.ru
}

On Thu, 08 Mar 2007 10:57:06 +0000 Kris Leech <krisleech at interkonect.com> wrote:

> Please note this message is not related to my previous one from
> yesterday, this is on a different server (textdrive server).
> I have only one mongrel application running but "randomly" it will go
> down, the mongrel.log file shows:
>
> ERROR: undefined method 'request_uri' for #<URI::Generic:0x5383948 URL:*>
> ERROR: bad URI(is not URI?): c:\boot.ini
> [FATAL] failed to allocate memory

Dammit, THIS is why I refused to add support for those idiots who insist on making GET requests with a full URL. It's just one more attack vector and I can't validate the code in Ruby's URI parsing.

I'll probably make this optional then for those people who don't care about IE on a localhost setup.

--
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.zedshaw.com/
http://www.awprofessional.com/title/0321483502 -- The Mongrel Book
http://mongrel.rubyforge.org/

> -----Original Message-----
> From: mongrel-users-bounces at rubyforge.org
> [mailto:mongrel-users-bounces at rubyforge.org] On Behalf Of Zed A. Shaw
> Sent: Thursday, March 08, 2007 11:11 AM
> To: mongrel-users at rubyforge.org
> Subject: Re: [Mongrel] bad URI(is not URI?): c:\boot.ini
>
> On Thu, 08 Mar 2007 10:57:06 +0000
> Kris Leech <krisleech at interkonect.com> wrote:
>
> > Please note this message is not related to my previous one from
> > yesterday, this is on a different server (textdrive server).
> > I have only one mongrel application running but "randomly" it will go
> > down, the mongrel.log file shows:
> >
> > ERROR: undefined method 'request_uri' for #<URI::Generic:0x5383948 URL:*>
> > ERROR: bad URI(is not URI?): c:\boot.ini
> > [FATAL] failed to allocate memory
>
> Dammit, THIS is why I refused to add support for those idiots
> who insist on making GET requests with a full URL. It's just
> one more attack vector and I can't validate the code in
> Ruby's URI parsing.
>
> I'll probably make this optional then for those people who
> don't care about IE on a localhost setup.

Is this something that needs to be fixed in the URI module, i.e. handling Windows-style file URLs? Or should I just never mind?

Dan

On Thu, 8 Mar 2007 13:33:11 -0600 "Berger, Daniel" <Daniel.Berger at Qwest.com> wrote:

> > I'll probably make this optional then for those people who
> > don't care about IE on a localhost setup.
>
> Is this something that needs to be fixed in the URI module, i.e.
> handling Windows-style file URLs? Or should I just never mind?

No, it's more of an opening for an attack based on malformed URLs than anything.

Normally, let's say you do a request for:

GET /<something horrible>/../c:\system.ini HTTP/1.1

Then Mongrel will take the <something horrible> and reject it since it most likely is a parsing error. This is why mongrel so easily defends against a lot of attacks. Not because it's actively trying, but just by being strict.

The problem comes from an ambiguity in the RFC that says requests with:

GET http://localhost:3000/<something horrible>/../c:\system.ini HTTP/1.1

Are not valid, but still need to be processed by servers since clients still try to use it. The above line is intended for proxy servers only, not end point web servers. Mongrel isn't a proxy server, so all this host information is useless. The RFC is also ambiguous on which host specification should win when this and a Host: header is given.

What happens is IE for various weird reasons insists on sending this as its GET request. Since people running rails on IE typically don't put it behind a proxying server these requests aren't scrubbed so they blow up. Nothing they can do, and the only fix is to either reject these outright or try parsing the requested URI to pull off the path and request portions dropping the host and protocol junk.

Well, that's where the trouble lurks. If the quality of cgi.rb is any indicator, Ruby's URI parsing could have all sorts of vulnerabilities. It's not written using a parser so it's not easy to validate correctness (you can look at mongrel's parser and check it right away against the RFC). Now that there's some attack available for these kinds of URLs that only IE and Windows servers process validly I begin to worry how long it'll be before there's an attack.

Then again I'm paranoid, but my paranoia has paid off for many people and been right many times before.

So, long story short, there's nothing you can do unless you can fix IE. Only thing I'm going to do is add an option to reject these kinds of URLs with the full host as attacks, and then see what happens.

--
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.zedshaw.com/
http://www.awprofessional.com/title/0321483502 -- The Mongrel Book
http://mongrel.rubyforge.org/

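Zed's message above contrasts origin-form requests, which Mongrel's strict parser rejects on any oddity, with absolute-form requests that force a detour through Ruby's URI library. The Ruby below is an added example, not Mongrel's code or Zed's patch: a request-target normalizer that refuses absolute-form unless explicitly allowed (the opt-in he proposes), rejects backslashes and other out-of-repertoire characters before URI.parse ever sees them, and collapses dot-segments without letting a path climb above the root. The RequestTarget module and its BadRequest error are assumed names.

```ruby
require 'uri'

# Added example, not Mongrel code: reduce an HTTP request-target to the path
# and query an origin server routes on, refusing odd input before URI.parse.
module RequestTarget
  BadRequest = Class.new(StandardError)

  # Returns [path, query] (query nil when absent). Absolute-form requests
  # are refused unless allow_absolute is true, the opt-in Zed describes.
  def self.normalize(target, allow_absolute: false)
    raise BadRequest, "empty request-target" if target.nil? || target.empty?
    # Printable ASCII, no backslash: "c:\boot.ini" dies here, not in URI.parse.
    unless target.match?(/\A[\x21-\x7E]+\z/) && !target.include?("\\")
      raise BadRequest, "illegal characters in request-target"
    end
    # Asterisk-form (OPTIONS only). URI.parse("*") would hand back a
    # URI::Generic with no request_uri, which is the first error in the log.
    return ["*", nil] if target == "*"
    if target.start_with?("/")                  # origin-form
      path, query = target.split("?", 2)
    elsif allow_absolute                        # absolute-form, opt-in
      begin
        uri = URI.parse(target)
      rescue URI::InvalidURIError => e
        raise BadRequest, "bad URI: #{e.message}"
      end
      raise BadRequest, "not an http(s) URL" unless uri.is_a?(URI::HTTP)
      path  = uri.path.empty? ? "/" : uri.path  # scheme and host are dropped
      query = uri.query
    else
      raise BadRequest, "absolute-form request-target refused"
    end
    [collapse_dots(path), query]
  end

  # RFC 3986 5.2.4 dot-segment removal, stricter in one way: a path that
  # climbs above the root ("/../../boot.ini") is rejected. %2E counts as ".".
  def self.collapse_dots(path)
    out = []
    path.split("/", -1).drop(1).each do |seg|
      case seg.gsub(/%2e/i, ".")
      when "."  then next
      when ".." then out.empty? ? raise(BadRequest, "path escapes root") : out.pop
      else out << seg
      end
    end
    "/" + out.join("/")
  end
end
```

Run through a front-end proxy or a Mongrel handler, the rejecting branches are the ones to log and count; a burst of BadRequest from one client address is the signal Kris later sees in his webrick logs.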
Filipe wrote:

> On Thu, 8 Mar 2007, Kris Leech wrote:
>
> > Please note this message is not related to my previous one from
> > yesterday, this is on a different server (textdrive server).
> > I have only one mongrel application running but "randomly" it will go
> > down, the mongrel.log file shows:
> >
> > ERROR: undefined method 'request_uri' for #<URI::Generic:0x5383948 URL:*>
> > ERROR: bad URI(is not URI?): c:\boot.ini
> > [FATAL] failed to allocate memory
>
> Someone is trying to read the boot partition of your Windows. Oh, it's a
> FreeBSD machine? I think they didn't find anything then :D
>
> Does this fatal error occur just after the request?

I'm not really sure when it's happening; it's kinda random in that the site is up and working and then I'll get an email saying it's down again. There is no clear pattern to it going down. Not that I can currently see anyway. And yes, it's FreeBSD.

So you are saying this is a hack attack of sorts? It is a very new site, not even in google etc. yet, but maybe because it is on textdrive it is being targeted. Having said that, they would know Textdrive is on FreeBSD and not Windows, so my guess is some kind of automated attack? Is there anything I can do to stop it actually bringing the server down?

> > This is on a FreeBSD server. What does the above mean please?
> >
> > Mongrel 1.0.1
>
> filipe {
>   @ icewall.org
>   GPG 1024D/A6BA423E
>   Jabber lautert at jabber.ru
> }
>
> _______________________________________________
> Mongrel-users mailing list
> Mongrel-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/mongrel-users

Zed A. Shaw wrote:

> On Thu, 08 Mar 2007 10:57:06 +0000
> Kris Leech <krisleech at interkonect.com> wrote:
>
> > Please note this message is not related to my previous one from
> > yesterday, this is on a different server (textdrive server).
> > I have only one mongrel application running but "randomly" it will go
> > down, the mongrel.log file shows:
> >
> > ERROR: undefined method 'request_uri' for #<URI::Generic:0x5383948 URL:*>
> > ERROR: bad URI(is not URI?): c:\boot.ini
> > [FATAL] failed to allocate memory
>
> Dammit, THIS is why I refused to add support for those idiots who
> insist on making GET requests with a full URL. It's just one more
> attack vector and I can't validate the code in Ruby's URI parsing.
>
> I'll probably make this optional then for those people who don't care
> about IE on a localhost setup.

Hi Zed, I'm not sure what you're getting at... Is this a common or unique problem? Thanks for your time.

Zed A. Shaw wrote:

> On Thu, 8 Mar 2007 13:33:11 -0600
> "Berger, Daniel" <Daniel.Berger at Qwest.com> wrote:
>
> > > I'll probably make this optional then for those people who
> > > don't care about IE on a localhost setup.
> >
> > Is this something that needs to be fixed in the URI module, i.e.
> > handling Windows-style file URLs? Or should I just never mind?
>
> No, it's more of an opening for an attack based on malformed URLs than
> anything.
>
> Normally, let's say you do a request for:
>
> GET /<something horrible>/../c:\system.ini HTTP/1.1
>
> Then Mongrel will take the <something horrible> and reject it since it
> most likely is a parsing error. This is why mongrel so easily defends
> against a lot of attacks. Not because it's actively trying, but just
> by being strict.
>
> The problem comes from an ambiguity in the RFC that says requests with:
>
> GET http://localhost:3000/<something horrible>/../c:\system.ini HTTP/1.1
>
> Are not valid, but still need to be processed by servers since clients
> still try to use it. The above line is intended for proxy servers
> only, not end point web servers. Mongrel isn't a proxy server, so all
> this host information is useless. The RFC is also ambiguous on which
> host specification should win when this and a Host: header is given.
>
> What happens is IE for various weird reasons insists on sending this as
> its GET request. Since people running rails on IE typically don't put
> it behind a proxying server these requests aren't scrubbed so they blow
> up. Nothing they can do, and the only fix is to either reject these
> outright or try parsing the requested URI to pull off the path and
> request portions dropping the host and protocol junk.
>
> Well, that's where the trouble lurks. If the quality of cgi.rb is any
> indicator, Ruby's URI parsing could have all sorts of
> vulnerabilities. It's not written using a parser so it's not easy to
> validate correctness (you can look at mongrel's parser and check it
> right away against the RFC). Now that there's some attack available
> for these kinds of URLs that only IE and Windows servers process
> validly I begin to worry how long it'll be before there's an attack.
>
> Then again I'm paranoid, but my paranoia has paid off for many people
> and been right many times before.
>
> So, long story short, there's nothing you can do unless you can fix
> IE. Only thing I'm going to do is add an option to reject these kinds
> of URLs with the full host as attacks, and then see what happens.

Now I see. Currently this can be used as a DoS attack since it actually brings Mongrel down.

Kris Leech wrote:

> Please note this message is not related to my previous one from
> yesterday, this is on a different server (textdrive server).
> I have only one mongrel application running but "randomly" it will go
> down, the mongrel.log file shows:
>
> ERROR: undefined method 'request_uri' for #<URI::Generic:0x5383948 URL:*>
> ERROR: bad URI(is not URI?): c:\boot.ini
> [FATAL] failed to allocate memory
>
> This is on a FreeBSD server. What does the above mean please?

It's bringing my server down every day. Is there anything I can do to protect myself until Mongrel has the patch added?

> Mongrel 1.0.1

I started using webrick for the time being. Here is a sample of the URIs I'm getting:

/cgi-bin/yERX6Basjg5G.cfm

And basically loads of random letters/numbers with different extensions, php, chtm etc.

NessusTest141144291.html
/../../../../../../../boot.ini
/SProtectLinux/showpage.cgi

All from one IP: 209.67.114.37

Anyone else getting this?

Nessus is a tool for detecting open holes in your system; it looks like someone is trying to exploit your web server.

On 3/19/07, Kris Leech <krisleech at interkonect.com> wrote:

> I started using webrick for the time being. Here is a sample of the URIs I'm
> getting:
>
> /cgi-bin/yERX6Basjg5G.cfm
>
> And basically loads of random letters/numbers with different extensions,
> php, chtm etc.
>
> NessusTest141144291.html
>
> /../../../../../../../boot.ini
>
> /SProtectLinux/showpage.cgi
>
> All from one IP: 209.67.114.37
>
> Anyone else getting this?