Project

General

Profile

Actions

Bug #3069

closed

Illegal Instruction through sending Malformed Digest Authentication Data

Added by axe34 9 months ago. Updated 8 months ago.

Status:
Invalid
Priority:
Low
Category:
mod_auth
Target version:
-
ASK QUESTIONS IN Forums:
No

Description

I am using 32bit lighttpd 1.4.59 on Ubuntu 20.04.
Here is the http request that triggers the illegal instruction.

GET /auth2/index.html HTTP/1.0
Authorization: Digest username="lemon", realm="Authorized", nonce=b602219d1:651fb02517d9c54df776c991042897a8", uri="/auth2/index.html", algorithm=MD5, response="7a8e716336ba7d066afe90d266fbce99", qop=auth, nc=00000002, cnonce="fada60ebb2a97c46" 


The full stack trace for this is
0xf35c4ce9 in mod_auth_check_digest (r=0xee603880, p_d=0xf4a03a90, require=0xf46009c0, backend=0xf6f460 <http_auth_backends>) at mod_auth.c:1389
1389                            ts = (ts << 4) + hex2int(nonce_uns[i]);
(gdb) bt full
#0  0xf35c4ce9 in mod_auth_check_digest (r=0xee603880, p_d=0xf4a03a90, require=0xf46009c0, backend=0xf6f460 <http_auth_backends>) at mod_auth.c:1389
        ts = 190849561
        nonce_uns = 0xefa03c6c "b602219d1:651fb02517d9c54df776c991042897a8\"" 
        cur_ts = 0
        vb = 0xf4a060a8
        username = 0xefa03c4a "lemon" 
        realm = 0xefa03c59 "Authorized" 
        nonce = 0xefa03c6c "b602219d1:651fb02517d9c54df776c991042897a8\"" 
        uri = 0xefa03c9e "/auth2/index.html" 
        algorithm = 0xefa03cbc "MD5" 
        qop = 0xefa03cf2 "auth" 
        cnonce = 0xefa03d0d "fada60ebb2a97c46" 
        nc = 0xefa03cfb "00000002" 
        respons = 0xefa03ccb "7a8e716336ba7d066afe90d266fbce99" 
        e = 0xefa03d1d "" 
        c = 0xefa03d1e "" 
        i = 7
        b = 0xf5604f10
        ai = {dalgo = 2, dlen = 16, username = 0xefa03c4a "lemon", ulen = 5, realm = 0xefa03c59 "Authorized", rlen = 10,
          digest = "徻\367\377mS\000\370\305\377\377\350ۖ\000\344\306\377\377\004\000\000\000\000\000\000\000\000\000\000"}
        rdigest = "z\216qc6\272}\006j\376\220\322f\373Ι\344\306\377\377&\272\375\367\201G\361\367\034\327A" 
        dkv = {{key = 0xf35b6ec0 <str> "username=", key_len = 9, ptr = 0xffffc510}, {key = 0xf35b6f00 <str> "realm=", key_len = 6, ptr = 0xffffc520}, {
            key = 0xf35b6f40 <str> "nonce=", key_len = 6, ptr = 0xffffc530}, {key = 0xf35b6f80 <str> "uri=", key_len = 4, ptr = 0xffffc540}, {
            key = 0xf35b6fc0 <str> "algorithm=", key_len = 10, ptr = 0xffffc550}, {key = 0xf35b7000 <str> "qop=", key_len = 4, ptr = 0xffffc560}, {
            key = 0xf35b7040 <str> "cnonce=", key_len = 7, ptr = 0xffffc570}, {key = 0xf35b7080 <str> "nc=", key_len = 3, ptr = 0xffffc580}, {
            key = 0xf35b70c0 <str> "response=", key_len = 9, ptr = 0xffffc590}, {key = 0x0, key_len = 0, ptr = 0x0}}
        send_nextnonce = -165604320
        rc = HANDLER_UNSET
        p = 0xaa8e5000
        sptree = 0x0
        ae = 0x2
        ndx = -165604320
        m = 0xffffc848 "\a" 
#1  0xf35de3d2 in mod_auth_uri_handler (r=0xee603880, p_d=0xf4a03a90) at mod_auth.c:678
        scheme = 0xf6f3ec <http_auth_schemes+12>
        p = 0xf4a03a90
        dauth = 0xf4e001c0
#2  0x00800b0d in plugins_call_fn_req_data (r=0xee603880, e=0) at plugin.c:276
        plugin_slots = 0xf2003980
        offset = 40
        plfd = 0xf20039a8
        rc = HANDLER_GO_ON
#3  0x0080043d in plugins_call_handle_uri_clean (r=0xee603880) at plugin.c:326
No locals.
#4  0x0057a51c in http_response_prepare (r=0xee603880) at response.c:433
--Type <RET> for more, q to quit, c to continue without paging--c
        rc = HANDLER_GO_ON
#5  0x00576359 in http_response_handler (r=0xee603880) at response.c:1025
        p = 0x0
        rc = 1
#6  0x005adc26 in connection_state_machine_loop (r=0xee603880, con=0xee603880) at connections.c:1097
        ostate = CON_STATE_HANDLE_REQUEST
#7  0x005ac253 in connection_state_machine_h1 (r=0xee603880, con=0xee603880) at connections.c:1418
        log_state_handling = 0
#8  0x005a8143 in connection_state_machine (con=0xee603880) at connections.c:1436
        r = 0xee603880
#9  0x0062452d in network_server_handle_fdevent (context=0xf4203030, revents=1) at network.c:66
        srv_socket = 0xf4203030
        srv = 0xf5403c40
        con = 0xee603880
        loops = 100
#10 0x00839fef in fdevent_linux_sysepoll_poll (ev=0xee603c80, timeout_ms=1000) at fdevent_linux_sysepoll.c:43
        fdn = 0xf4e00190
        revents = 1
        i = 0
        n = 1
#11 0x0076abdf in fdevent_poll (ev=0xee603c80, timeout_ms=1000) at fdevent.c:436
        n = 1
#12 0x0055e0c3 in server_main_loop (srv=0xf5403c40) at server.c:1902
        min_ts = 1613243185
        joblist = 0xf5403c64
        last_active_ts = 1613243185
#13 0x0054b26e in main (argc=6, argv=0xffffcd04) at server.c:2032
        srv = 0xf5403c40
        rc = 1
(gdb)

From reading the stack trace, there are illegal characters in digest which probably causes this illegal instruction.

Actions #1

Updated by axe34 9 months ago

I forgot to attach my configuration file. Here it is.

$HTTP["url"] =~ "^/auth2/" {
auth.require = ( "/auth2" =>
        (
                "method" => "digest",
                "realm" => "Authorized",
                "require" => "user=lemon" 
        )
        )
auth.backend = "htdigest",
auth.backend.htdigest.userfile = "/home/foo/digest" 
}

Actions #2

Updated by gstrauss 8 months ago

  • Status changed from New to Invalid
  • Priority changed from Normal to Low
  • Target version deleted (1.4.x)

As in #3067, you are probably still compiling with -fsanitize=address,undefined
It is extremely irresponsible not to include such information in your report.

No, your request did not trigger an illegal instruction in normal usage. The illegal instruction is called by the -fsanitize instrumentation.

Have you read the documentation about -fsanitize so that you get error trace instead of a forced crash via illegal instruction? Have you tried to understand what the error is and what the impact might be?

Please re-read my last post in #3067#note-31

Actions

Also available in: Atom