[NEWS] Cloudflare Reverse Proxy leaking Uninitialized Memory.


https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Quote
On February 17th 2017, I was working on a corpus distillation project, when I encountered some data that didn't match what I had been expecting. It's not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data...but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code. In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.

It became clear after a while we were looking at chunks of uninitialized memory interspersed with valid data. The program that this uninitialized data was coming from just happened to have the data I wanted in memory at the time. That solved the mystery, but some of the nearby memory had strings and objects that really seemed like they could be from a reverse proxy operated by Cloudflare - a major CDN service.

A while later, we figured out how to reproduce the problem. It looked like if an HTML page hosted behind Cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like Heartbleed, but Cloudflare specific and worse for reasons I'll explain later). My working theory was that this was related to their "ScrapeShield" feature which parses and obfuscates HTML - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers.

We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted Cloudflare security.

https://news.ycombinator.com/item?id=13718752

holy forget

they responsibly disclosed this right

RIGHT?

edit: they did, good

Tales from 4chan: Anon Works IT Part 5

they responsibly disclosed this right

RIGHT?
this was ongoing for months

patched a week ago

didn't tell anybody outside of their special mailing lists until today

this was so noticeable that Google and friends were literally caching the data and they had to work with them to get the data purged

Tales from 4chan: Anon Works IT Part 5
except this is real


this was ongoing for months

patched a week ago

didn't tell anybody outside of their special mailing lists until today

this was so noticeable that Google and friends were literally caching the data and they had to work with them to get the data purged
that's pretty forgeted

Tales from 4chan: Anon Works IT Part 5
why are you like this

« Last Edit: February 23, 2017, 09:19:23 PM by Decepticon »


what is wrong with you
there are not words in the English language to answer this question

there are not words in the English language to answer this question
oh there are words but I'd much rather not get banned for flaming again

https://github.com/pirate/sites-using-cloudflare

The list of sites affected is genuinely horrifying. If you haven't had an excuse to change your passwords in the past, here it is now.

This includes blockland.us

This includes blockland.us
I mean, this could be the reason behind the forum breaches as well. Who knows.


I like how this page on Cloudflare's website just shows freaking Metallica as one of their 5 million websites

https://www.cloudflare.com/under-attack-hotline/

For each eligible vulnerability report, the reporter will receive:

  • Recognition on our Hall of Fame.
  • A limited edition CloudFlare bug hunter t-shirt. CloudFlare employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.
  • 12 months of CloudFlare's Pro or 1 month of Business service on us.

Monetary compensation is not currently offered under this program.

lol