AppSec Blog

28 Feb 2011

Taming the Beast - The Floating Point DoS Vulnerability

0 comments Posted by jmanico
Filed under DoS, java, php

Originally posted as Taming the Beast

The recent multi-language numerical parsing DOS bug has been named the "Mark of the Beast". Some claim that this bug was first reported as early as 2001.This is a significant bug in (at least) PHP and Java. Similar issues have effected Ruby in the past. This bug has left a number of servers, web frameworks and custom web applications vulnerable to easily exploitable Denial of Service.

Oracle has patched this vuln but there are several non-Oracle JVM's that have yet to release a patch. Tactical patching may be prudent for environment.

Here are three approaches that may help you tame this beast of a bug.

1) ModSecurity Rules

Ryan Barnett deployed a series of ModSecurity rules and documented several options at http://blog.spiderlabs.com/2011/02/java-floating-point-dos-attack-protection.html

2) Java-based Blacklist Filter

Bryan Sullivan from Adobe came up with the following Java-based blacklist filter.

This rule is actually quite accurate in *rejecting input* in the DOSable JVM numeric range. This fix, while simple, does indeed reject a series of normally good values.

public static boolean containsMagicDoSNumber(String s) { return s.replace(".", "").contains("2225073858507201"); }

3) Double Parsing Code

The following Java "safe" Double parsing code was based on a proof of concept by Brian Chess at HP/Fortify. This approach detects the evil range before trying to call parseDouble and returns the IEEE official value ( 2.2250738585072014E-308 ) for any double in the dangerous range.
private static BigDecimal bigBad; private static BigDecimal smallBad; static { BigDecimal one = new BigDecimal(1); BigDecimal two = new BigDecimal(2); BigDecimal tiny = one.divide(two.pow(1022)); // 2^(-1022) 2^(-1076) bigBad = tiny.subtract(one.divide(two.pow(1076))); //2^(-1022) 2^(-1075) smallBad = tiny.subtract(one.divide(two.pow(1075))); } public static Double parseSafeDouble(String input) throws InvalidParameterException { if (input == null) throw new InvalidParameterException("input is null"); BigDecimal bd; try { bd = new BigDecimal(input); } catch (NumberFormatException e) { throw new InvalidParameterException("cant parse number"); } if (bd.compareTo(smallBad) >= 0 && bd.compareTo(bigBad) <= 0) { // if you get here you know you're looking at a bad value. The final // value for any double in this range is supposed to be the following safe # //return safe number System.out.println("BAD NUMBER DETECTED - returning 2.2250738585072014E-308"); return new Double("2.2250738585072014E-308"); } //safe number, return double value return bd.doubleValue(); }

Permalink | Comments RSS Feed - Post a comment | Trackback URL

Post a Comment






Captcha


* Indicates a required field.

Categories
Recent Posts
Archives
Links
Latest Blog Posts

2017 Application Security Survey is Live! [...]
June 19, 2017 - 6:20 PM

Taking Control of Your Application Security
April 18, 2017 - 1:34 AM

DOM-based XSS in the Wild
March 16, 2017 - 7:00 AM

View More »

Latest Tweets @sansappsec

Mobile #AppSec Trends and Techniques. https://t.co/DYGiQm4aK [...]
June 26, 2017 - 1:15 PM

Cross Origin Resource Sharing: Using CORS to secure AJAX, ht [...]
June 24, 2017 - 7:00 PM

Take our #AppSec SANS survey and enter to win a free pass to [...]
June 23, 2017 - 3:05 PM

Latest Papers

Testing Web Apps with Dynamic Scanning in Development and Operations
By Barbara Filkins

Security by Design: The Role of Vulnerability Scanning in Web App Security
By Barbara Filkins

Using Cloud Deployment to Jump-Start Application Security
By Adam Shostack

View More »

"Very practical. Something every developer should attend."
- Chris Yokley, Baldwin County Commission

"Wow, I had no idea, and I've been doing this for close to a decade."
- Michael Knopf, Abacus Technology

"When I get back to the office, I will use the knowledge I gained here for code review and design."
- James Guarnotta, Kinecta Federal Credit Union