{"id":2622,"date":"2017-08-03T02:32:08","date_gmt":"2017-08-02T17:32:08","guid":{"rendered":"http:\/\/blog.xcir.net\/?p=2622"},"modified":"2017-08-03T03:19:20","modified_gmt":"2017-08-02T18:19:20","slug":"varnish4-0-5-4-1-8-5-1-3%e3%81%8c%e3%83%aa%e3%83%aa%e3%83%bc%e3%82%b9%e3%81%95%e3%82%8c%e3%81%be%e3%81%97%e3%81%9f","status":"publish","type":"post","link":"https:\/\/blog.xcir.net\/?p=2622","title":{"rendered":"Varnish4.0.5 \/ 4.1.8 \/ 5.1.3\u304c\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u307e\u3057\u305f"},"content":{"rendered":"

Varnish\u306e\u8907\u6570\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u304c\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u307e\u3057\u305f\u3002 [changelog<\/a>] [\u30d1\u30c3\u30b1\u30fc\u30b8DL<\/a>] [\u30bd\u30fc\u30b9DL<\/a>]<\/p>\n

\u4eca\u56de\u306e\u30ea\u30ea\u30fc\u30b9\u306f\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5bfe\u7b56\u306b\u3088\u308b\u3082\u306e\u3067\u3001\u306a\u308b\u3060\u3051\u8fc5\u901f\u306b\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u3001\u3082\u3057\u304f\u306f\u56de\u907fVCL\u3092\u5165\u308c\u308b\u3079\u304d\u3067\u3059\u3002
\n\u8a73\u3057\u304f\u306f\u516c\u5f0f\u60c5\u5831(VSV00001)<\/a>\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n

\u8106\u5f31\u6027\u306e\u5185\u5bb9<\/h4>\n

\u66f8\u304f\u304b\u5c11\u3057\u8ff7\u3063\u305f\u3093\u3067\u3059\u304c\u3001\u30c6\u30b9\u30c8\u30b3\u30fc\u30c9\u304c\u307e\u3093\u307e\u30b3\u30df\u30c3\u30c8\u3055\u308c\u3066\u308b\u306e\u3067\u89e3\u8aac\u3057\u307e\u3059\u30fb\u30fb
\n\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u304cTransfer-Encoding: chunked\u304b\u3064chunk-size\u306e\u6307\u5b9a\u304c\u5185\u90e8\u306e\u5909\u6570\u3067MSB\u304c\u7acb\u3064\u3050\u3089\u3044\u5927\u304d\u306a\u6307\u5b9a\u3067\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u884c\u3063\u305f\u5834\u5408\u3001Assert\u3067Varnish\u304c\u518d\u8d77\u52d5\u3057\u307e\u3059\u3002(DoS)<\/p>\n

\n\r\n$ sudo varnishadm panic.show|head\r\nPanic at: Wed, 02 Aug 2017 16:45:40 GMT\r\nAssert error in v1f_pull_chunked(), http1\/cache_http1_vfp.c line 172:\r\n  Condition((vfe->priv2) == 0) not true.\r\nversion = varnish-5.1.2 revision 6ece695, vrt api = 6.\r\n0\r\n...\r\n\n<\/pre>\n
\u5bfe\u8c61\u30d0\u30fc\u30b8\u30e7\u30f3<\/h4>\n
Transfer-Encoding: chunked\u306b\u5bfe\u5fdc\u3057\u305f\u306e\u306f4.0.1<\/a>\u304b\u3089\u306a\u306e\u3067\u305d\u308c\u4ee5\u964d\u306e\u3059\u3079\u3066\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n\n\n\n\n\n\n
\u30d0\u30fc\u30b8\u30e7\u30f3\u7cfb<\/th>\n\u5f71\u97ff\u3092\u53d7\u3051\u308b\u30d0\u30fc\u30b8\u30e7\u30f3<\/th>\n\u4fee\u6b63\u30d0\u30fc\u30b8\u30e7\u30f3<\/th>\n\u30d1\u30c3\u30b1\u30fc\u30b8DL\u5148<\/th>\n<\/tr>\n
4.0.x<\/td>\n4.0.1~4.0.4<\/td>\n4.0.5<\/td>\nlink<\/a><\/td>\n<\/tr>\n
4.1.x<\/td>\n4.1.0~4.1.7<\/td>\n4.1.8<\/td>\nlink<\/a><\/td>\n<\/tr>\n
5.0.x<\/td>\n5.0.0<\/td>\n5.1.3\u307e\u3067\u4e0a\u3052\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059<\/td>\nlink<\/a><\/td>\n<\/tr>\n
5.1.x<\/td>\n5.1.0~5.1.2<\/td>\n5.1.3<\/td>\nlink<\/a><\/td>\n<\/tr>\n<\/table>\n
4.0.0\u53ca\u30733.0.x\u306f\u5148\u306b\u8ff0\u3079\u305f\u901a\u308a\u3001\u305d\u3082\u305d\u3082\u4eca\u56de\u306e\u6a5f\u80fd\u304c\u306a\u3044\u306e\u3067\u5bfe\u8c61\u5916\u3067\u3059\u3002<\/p>\n
\u56de\u907f\u65b9\u6cd5(VCL)<\/h4>\n
VCL\u3067\u306e\u66ab\u5b9a\u7684\u306a\u56de\u907f\u65b9\u6cd5\u304c\u3042\u308a\u307e\u3059\u3002
\n\u3053\u308c\u3089\u306fchunked\u3067\u30ea\u30af\u30a8\u30b9\u30c8\u3057\u3066\u304d\u305f\u3082\u306e\u3092503\u3067\u843d\u3068\u3059\u3053\u3068\u3067\u56de\u907f\u3057\u307e\u3059\u3002
\n\u5927\u62b5\u306e\u30d6\u30e9\u30a6\u30b6\u306e\u5834\u5408\u306fTransfer-Encoding\u3092\u6307\u5b9a\u3057\u305f\u30ea\u30af\u30a8\u30b9\u30c8\u306f\u884c\u308f\u306a\u3044\u4e8b\u304c\u591a\u3044\u306e\u3067\u3059\u304c\u3001\u5ff5\u306e\u305f\u3081\u78ba\u8a8d\u3059\u308b\u3068\u826f\u3044\u3067\u3057\u3087\u3046\u3002
\nvarnishlog -cq ReqHeader:Transfer-Encoding -i ReqMethod -i ReqURL<\/code>
\n\u3053\u308c\u3067\u4f55\u304b\u3057\u3089\u51fa\u3066\u304d\u3066\u3001\u6b63\u898f\u306e\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u5834\u5408\u306fVCL\u3067\u306e\u56de\u907f\u306f\u4e0d\u53ef\u80fd\u3067\u3059\u306e\u3067\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u4e0a\u3052\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n
\u306a\u304a\u3053\u3053\u3067\u7d39\u4ecb\u3057\u3066\u3044\u308b\u56de\u907f\u30b3\u30fc\u30c9\u306f\u516c\u5f0f\u305d\u306e\u307e\u307e\u306a\u306e\u3067\u516c\u5f0f\u3082\u53c2\u8003\u306b\u3057\u3066\u304f\u3060\u3055\u3044(VSV00001)<\/a>
\n4.0.x\u5411\u3051<\/strong>
\n\u30a4\u30f3\u30e9\u30a4\u30f3C\u3092\u5229\u7528\u3057\u307e\u3059\u3002
\n\u305d\u306e\u305f\u3081vcc_allow_inline_c\u3092true\u306b\u8a2d\u5b9a\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059
\n\u8d77\u52d5\u30d1\u30e9\u30e1\u30fc\u30bf\u306e\u5834\u5408\u306f
\n-pvcc_allow_inline_c=true<\/code>
\nvarnishadm\u3067\u6307\u5b9a\u3059\u308b\u5834\u5408\u306f
\nvarnishadm param.set vcc_allow_inline_c true<\/code>
\n\u3067\u53ef\u80fd\u3067\u3059
\nVCL\u306f\u4ee5\u4e0b\u306e\u901a\u308a\u3067\u3059\u3002<\/p>\n
\n\r\nsub exploit_workaround_4_0 {\r\n        # This needs to come before your vcl_recv function\r\n        # The following code is only valid for Varnish Cache and\r\n        # Varnish Cache Plus versions 4.0.x\r\n        if (req.http.transfer-encoding ~ "(?i)chunked") {\r\n                C{\r\n                struct dummy_req {\r\n                        unsigned magic;\r\n                        int restarts;\r\n                        int esi_level;\r\n                        int disable_esi;\r\n                        char hash_ignore_busy;\r\n                        char hash_always_miss;\r\n                        void *sp;\r\n                        void *wrk;\r\n                        int req_step;\r\n                        struct {\r\n                                void *a;\r\n                                void *b;\r\n                        };\r\n                        int req_body_status;\r\n                };\r\n                ((struct dummy_req *)ctx->req)->req_body_status = 6;\r\n                }C\r\n\r\n                return (synth(503, "Bad request"));\r\n        }\r\n}\r\n\r\nsub vcl_recv {\r\n        # Call this early in your vcl_recv function\r\n        call exploit_workaround_4_0;\r\n}\r\n\n<\/pre>\n
4.1.x\u30685.0.0\u5411\u3051<\/strong>
\n\u540c\u3058\u304f\u30a4\u30f3\u30e9\u30a4\u30f3C\u3092\u5229\u7528\u3057\u307e\u3059\u306e\u30674.0.x\u3067\u6709\u52b9\u306b\u3057\u305f\u3088\u3046\u306b\u6307\u5b9a\u304c\u5fc5\u8981\u3067\u3059\u3002<\/p>\n
\n\r\nsub exploit_workaround_4_1 {\r\n        # This needs to come before your vcl_recv function\r\n        # The following code is only valid for Varnish Cache and\r\n        # Varnish Cache Plus versions 4.1.x and 5.0.0\r\n        if (req.http.transfer-encoding ~ "(?i)chunked") {\r\n                C{\r\n                struct dummy_req {\r\n                        unsigned magic;\r\n                        int step;\r\n                        int req_body_status;\r\n                };\r\n                ((struct dummy_req *)ctx->req)->req_body_status = 5;\r\n                }C\r\n\r\n                return (synth(503, "Bad request"));\r\n        }\r\n}\r\n\r\nsub vcl_recv {\r\n        # Call this early in your vcl_recv function\r\n        call exploit_workaround_4_1;\r\n}\r\n\n<\/pre>\n
5.1.x\u5411\u3051<\/strong>
\n\u30a4\u30f3\u30e9\u30a4\u30f3C\u306f\u4f7f\u7528\u3057\u307e\u305b\u3093\u3002<\/p>\n
\n\r\nsub vcl_recv {\r\n        if (req.http.transfer-encoding ~ "(?i)chunked") {\r\n                return (fail);\r\n        }\r\n}\r\n\n<\/pre>\n
\u305d\u306e\u4ed6<\/h4>\n
\u5b9f\u306f\u4eca\u56de\u306e\u8106\u5f31\u6027\u306b\u3064\u3044\u3066\u6982\u8981\u3068\u516c\u958b\u4e88\u5b9a\u6642\u523b\u3092\u4e8b\u524d\u306b\u6559\u3048\u3066\u3082\u3089\u3063\u3066\u3044\u307e\u3057\u305f\uff08\u653b\u6483\u306b\u306f\u4f7f\u7528\u3067\u304d\u306a\u3044\u3050\u3089\u3044\u306e\u8352\u3044\u60c5\u5831\u3067\u3059\u304c\uff09
\n\u304a\u9670\u3067\u516c\u958b\u5f8c\u306b\u5373\u5bfe\u51e6\u3059\u308b\u3053\u3068\u304c\u51fa\u6765\u305f\u306e\u3067\u3059\u304c\u3001VIVU – Very Important Varnish Users<\/a>\u3067\u89e6\u308c\u3089\u308c\u3066\u3044\u308b\u3088\u3046\u306bVML\u3092\u8cb7\u3046<\/a>\u3068\u6559\u3048\u3066\u3082\u3089\u3048\u308b\u3088\u3046\u306a\u306e\u3067(\u20ac1000\/\u5e74)
\n\u4f01\u696d\u3067Varnish\u3092\u4f7f\u3063\u3066\u3044\u308b\u3053\u308d\u306f\u8cb7\u3063\u3066\u307f\u308b\u3068\u826f\u3044\u306e\u3067\u306f\u306a\u3044\u3067\u3057\u3087\u3046\u304b\uff1f<\/p>\n
        
\u3053\u306e\u30a8\u30f3\u30c8\u30ea\u30fc\u3092\u306f\u3066\u306a\u30d6\u30c3\u30af\u30de\u30fc\u30af\u306b\u8ffd\u52a0<\/a><\/div>        
\u306f\u3066\u306a\u30d6\u30c3\u30af\u30de\u30fc\u30af - Varnish4.0.5 \/ 4.1.8 \/ 5.1.3\u304c\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u307e\u3057\u305f<\/a><\/div>        
Facebook \u306b\u30b7\u30a7\u30a2<\/a><\/div>        
LinkedIn \u306b\u30b7\u30a7\u30a2<\/a><\/div>        
Tweet<\/a><\/div><\/div>\n
\n","protected":false},"excerpt":{"rendered":"
Varnish\u306e\u8907\u6570\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u304c\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u307e\u3057\u305f\u3002 [changelog] [\u30d1\u30c3\u30b1\u30fc\u30b8DL] [\u30bd\u30fc\u30b9DL] \u4eca\u56de\u306e\u30ea\u30ea\u30fc\u30b9\u306f\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5bfe\u7b56\u306b\u3088\u308b\u3082\u306e\u3067\u3001\u306a\u308b\u3060\u3051\u8fc5\u901f\u306b\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u3001\u3082\u3057\u304f\u306f\u56de\u907fVCL\u3092\u5165\u308c\u308b\u3079\u304d […]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[5,78,79,80,81,32],"class_list":["post-2622","post","type-post","status-publish","format-standard","hentry","category-3","tag-varnish","tag-varnish4-0-5","tag-varnish4-1-8","tag-varnish5-1-3","tag-vsv","tag-32","category-3-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/blog.xcir.net\/index.php?rest_route=\/wp\/v2\/posts\/2622","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.xcir.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.xcir.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.xcir.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.xcir.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2622"}],"version-history":[{"count":26,"href":"https:\/\/blog.xcir.net\/index.php?rest_route=\/wp\/v2\/posts\/2622\/revisions"}],"predecessor-version":[{"id":2648,"href":"https:\/\/blog.xcir.net\/index.php?rest_route=\/wp\/v2\/posts\/2622\/revisions\/2648"}],"wp:attachment":[{"href":"https:\/\/blog.xcir.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2622"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.xcir.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2622"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.xcir.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2622"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}