Mongoose HTTPS server (compiled with OpenSSL support) is vulnerable to a remote OOB write attack via a connection request after the memory pool has been exhausted.
Incorrect handling of the value returned by calloc in mg_tls_init may lead to:
- an out-of-bounds write attempt and a segmentation fault in the case of restrictive memory protection,
- a near-NULL pointer overwrite in the case of limited memory restrictions (e.g. in embedded environments).
Memory allocations are triggered while handling each HTTPS request, so the allocation error can be caused remotely by flooding the server with requests until memory is exhausted.
In some embedded environments, near-zero memory areas are used to store device configuration, so in that case such configuration can be overwritten remotely.
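The following is an added illustration of the failure mode described above and of the fix the report asks for; it is not code from Mongoose or from this report. The structures (tls_ctx, conn), the functions (tls_init_unchecked, tls_init_checked) and the allocation budget are hypothetical: the budget stands in for an exhausted memory pool, the same condition ErrorSanitizer provokes by fault injection, so the behaviour of the unchecked and the checked calloc result can be compared without actually running out of memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a connection and its TLS context; these are
 * not Mongoose's real structures, only shapes for the example. */
struct tls_ctx { int handshake_done; char peer_name[64]; };
struct conn    { struct tls_ctx *tls; int is_closing; int err_count; };

/* Constructed fault injection: once the budget reaches zero every
 * allocation fails, standing in for an exhausted memory pool. */
static long g_alloc_budget = -1;   /* -1 means unlimited */

static void *budgeted_calloc(size_t n, size_t sz) {
    if (g_alloc_budget == 0) return NULL;
    if (g_alloc_budget > 0) g_alloc_budget--;
    return calloc(n, sz);
}

/* The pattern the report describes: the calloc result is used without a
 * NULL check. With the pool exhausted, 't' is NULL and the first field
 * write lands at address 0 (or at a small offset, i.e. near NULL).
 * Kept for contrast only; nothing below calls it. */
void tls_init_unchecked(struct conn *c) {
    struct tls_ctx *t = budgeted_calloc(1, sizeof *t);
    t->handshake_done = 0;   /* NULL dereference when allocation fails */
    c->tls = t;
}

/* Hardened form per ERR33-C: test the return value, record the error and
 * mark the connection for closing instead of writing through the pointer. */
static int tls_init_checked(struct conn *c) {
    struct tls_ctx *t = budgeted_calloc(1, sizeof *t);
    if (t == NULL) {
        c->err_count++;
        c->is_closing = 1;   /* the event loop then drops the connection */
        return -1;
    }
    t->handshake_done = 0;
    c->tls = t;
    return 0;
}

/* Accept n_conns connections under a fixed allocation budget and return
 * how many were refused cleanly (no crash, connection marked closing). */
static int rejected_under_budget(int n_conns, long budget) {
    int rejected = 0;
    g_alloc_budget = budget;
    for (int i = 0; i < n_conns; i++) {
        struct conn c;
        memset(&c, 0, sizeof c);
        if (tls_init_checked(&c) == 0) free(c.tls);
        else rejected++;
    }
    g_alloc_budget = -1;
    return rejected;
}

/* Returns 1 if a failed init leaves the connection in a safe state:
 * error counted, no TLS context attached, connection closing. */
static int failed_init_leaves_conn_safe(void) {
    struct conn c;
    memset(&c, 0, sizeof c);
    g_alloc_budget = 0;                 /* pool already exhausted */
    int rc = tls_init_checked(&c);
    g_alloc_budget = -1;
    return rc == -1 && c.tls == NULL && c.is_closing == 1 && c.err_count == 1;
}

int main(void) {
    printf("rejected with budget 2 of 5 connections: %d\n",
           rejected_under_budget(5, 2));
    printf("failed init left connection safe: %d\n",
           failed_init_leaves_conn_safe());
    return 0;
}
```

With a budget of two allocations, the first two connections get a TLS context and the remaining three are refused with the connection marked for closing; in the unchecked variant the third connection would instead write through a NULL pointer, which is the crash in the backtrace below.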
Vulnerable code (mongoose.c):
See the following recommendations for details (especially the calloc example):
https://wiki.sei.cmu.edu/confluence/display/c/ERR33-C.+Detect+and+handle+standard+library+errors
The issue can be reproduced and tested using ErrorSanitizer (https://gitlab.com/ErrorSanitizer/ErrorSanitizer).
Reproduction steps:
1. Install gdb.
2. Download and unpack the code of ErrorSanitizer (https://gitlab.com/ErrorSanitizer/ErrorSanitizer).
3. Compile ErrorSanitizer according to the manual (https://gitlab.com/ErrorSanitizer/ErrorSanitizer#compilation):
cd ErrorSanitizer; make
4. Set ESAN to the path of the ErrorSanitizer directory:
export ESAN=/opt/...
5. Download and unzip the attached map temp_2.cur_input (attachment: temp_2.cur_input.zip).
6. Install the OpenSSL library.
7. Download, unzip and compile the Mongoose example "http-restful-server" with the define OPENSSL_DIR set to the OpenSSL directory and with debug symbols (-g).
8. Run the Mongoose "http-restful-server" example with ErrorSanitizer in gdb using:
gdb -batch -ex='run' -ex='backtrace' --args env LD_PRELOAD="$ESAN/error_sanitizer_preload.so" ./example temp_2.cur_input
9. Open the following URL in a browser (where <MONGOOSE_ADDR> is the address of the tested Mongoose instance):
https://<MONGOOSE_ADDR>:8000
You should receive output similar to:
process 10544 is executing new program: mongoose/examples/http-restful-server-openssl/example
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
2021-01-21 00:00:00 I sock.c:461:mg_listen 1 accepting on https://localhost:8000
Program received signal SIGSEGV, Segmentation fault.
0x0000555555560d6a in mg_tls_init (c=0x555555768780, opts=0x7fffffffdbf0) at src/tls.c:209
209 src/tls.c: No such file or directory.
#0 0x0000555555560d6a in mg_tls_init (c=0x555555768780, opts=0x7fffffffdbf0) at src/tls.c:209
#1 0x0000555555563860 in fn (c=0x555555768780, ev=4, ev_data=0x0, fn_data=0x0) at main.c:28
#2 0x0000555555557d11 in mg_call (c=0x555555768780, ev=4, ev_data=0x0) at src/event.c:9
#3 0x000055555555fa1d in accept_conn (mgr=0x7fffffffdd10, lsn=0x555555769500) at src/sock.c:398
#4 0x00005555555603bd in mg_mgr_poll (mgr=0x7fffffffdd10, ms=1000) at src/sock.c:551
#5 0x00005555555639bb in main () at main.c:49