lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <552F505F.4040908@security-assessment.com>
Date: Thu, 16 Apr 2015 18:02:07 +1200
From: Denis Andzakovic <denis.andzakovic@...urity-assessment.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] Open Litespeed Use After Free Vulnerability

(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.

                presents..

Open Litespeed Use After Free Vulnerability
Affected versions: Open Litespeed <= 1.3.9

PDF:
http://www.security-assessment.com/files/documents/advisory/Open%20Litespeed%20Use%20After%20Free%20Vulnerability.pdf

+-----------+
|Description|
+-----------+
A use after free vulnerability was discovered within the header parser
of the Open Litespeed web server. This vulnerability can be successfully
exploited to trigger an out of bounds memory read, resulting in a
segmentation fault crashing the web server

+------------+
|Exploitation|
+------------+
By sending a crafted request, an attacker may trigger an out-of-bounds
memory read, crashing the web server. This is due to a portion of memory
being referenced by the application after being freed by a realloc() call.

The second parameter (p) to the memmove() call (line 741, httpreq.cpp)
within the HttpReq:newKeyValueBuf method results in an out of bound
memory read when the attacker submits a crafted requests contain a large
number of header rows. This is is due to the portion of memory the 'p'
parameter resides in being freed by a realloc() call. The reallocation
is performed by the allocate() method of the AutoBuf class. This is
triggered by the call to AutoBuf's grow() method within the
newKeyValueBuf method (line 736, httpreq.cpp). The newKeyValueBuf method
snippet is detailed below, showing the call to AutoBuf::Grow() and the
subsequent memmove() call:

 735         if ( m_reqBuf.available() < total )
 736             if ( m_reqBuf.grow( total ) )
 737                 return NULL;
 738         char * pNewBuf = m_reqBuf.end();
 739         m_reqBuf.used( total );
 740         if ( orgSize > 0 )
 741             memmove( pNewBuf, p, sizeof( int ) * 2 + sizeof(
key_value_pair ) * orgSize );
 742         else
 743             *( ((int *)pNewBuf) + 1 ) = 0;

Further information is available in the advisory PDF. POC exploit code
can be found at
http://www.security-assessment.com/files/documents/advisory/openlitespeed-1.3.9-UAF-DOS.c



+----------+
| Solution |
+----------+
Update to the latest version of the Open Litespeed web server

+-------------------+
|Disclosure Timeline|
+-------------------+
26/03/2015 - Advisory send to Litespeed
27/03/2015 - Response from Litespeed stating the vulnerability will be
fixed in the next release of Open Litespeed
10/04/2015 - Open Litespeed 1.3.10 released
14/04/2015 - Advisory PDF released

+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is Australasia's leading team of Information
Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients include
some of the largest globally recognised companies in areas such as finance,
telecommunications, broadcasting, legal and government. Our aim is to
provide
the very best independent advice and a high level of technical expertise
while
creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development,
and its team continues to identify and responsibly publish vulnerabilities
in public and private software vendor's products. Members of the
Security-Assessment.com R&D team are globally recognised through their
release
of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings,
contact us:

Web www.security-assessment.com
Email info () security-assessment com
Phone +64 4 470 1650


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ