[<prev] [next>] [day] [month] [year] [list]
Message-ID: <552F505F.4040908@security-assessment.com>
Date: Thu, 16 Apr 2015 18:02:07 +1200
From: Denis Andzakovic <denis.andzakovic@...urity-assessment.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] Open Litespeed Use After Free Vulnerability
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Open Litespeed Use After Free Vulnerability
Affected versions: Open Litespeed <= 1.3.9
PDF:
http://www.security-assessment.com/files/documents/advisory/Open%20Litespeed%20Use%20After%20Free%20Vulnerability.pdf
+-----------+
|Description|
+-----------+
A use after free vulnerability was discovered within the header parser
of the Open Litespeed web server. This vulnerability can be successfully
exploited to trigger an out of bounds memory read, resulting in a
segmentation fault crashing the web server
+------------+
|Exploitation|
+------------+
By sending a crafted request, an attacker may trigger an out-of-bounds
memory read, crashing the web server. This is due to a portion of memory
being referenced by the application after being freed by a realloc() call.
The second parameter (p) to the memmove() call (line 741, httpreq.cpp)
within the HttpReq:newKeyValueBuf method results in an out of bound
memory read when the attacker submits a crafted requests contain a large
number of header rows. This is is due to the portion of memory the 'p'
parameter resides in being freed by a realloc() call. The reallocation
is performed by the allocate() method of the AutoBuf class. This is
triggered by the call to AutoBuf's grow() method within the
newKeyValueBuf method (line 736, httpreq.cpp). The newKeyValueBuf method
snippet is detailed below, showing the call to AutoBuf::Grow() and the
subsequent memmove() call:
735 if ( m_reqBuf.available() < total )
736 if ( m_reqBuf.grow( total ) )
737 return NULL;
738 char * pNewBuf = m_reqBuf.end();
739 m_reqBuf.used( total );
740 if ( orgSize > 0 )
741 memmove( pNewBuf, p, sizeof( int ) * 2 + sizeof(
key_value_pair ) * orgSize );
742 else
743 *( ((int *)pNewBuf) + 1 ) = 0;
Further information is available in the advisory PDF. POC exploit code
can be found at
http://www.security-assessment.com/files/documents/advisory/openlitespeed-1.3.9-UAF-DOS.c
+----------+
| Solution |
+----------+
Update to the latest version of the Open Litespeed web server
+-------------------+
|Disclosure Timeline|
+-------------------+
26/03/2015 - Advisory send to Litespeed
27/03/2015 - Response from Litespeed stating the vulnerability will be
fixed in the next release of Open Litespeed
10/04/2015 - Open Litespeed 1.3.10 released
14/04/2015 - Advisory PDF released
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is Australasia's leading team of Information
Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients include
some of the largest globally recognised companies in areas such as finance,
telecommunications, broadcasting, legal and government. Our aim is to
provide
the very best independent advice and a high level of technical expertise
while
creating long and lasting professional relationships with our clients.
Security-Assessment.com is committed to security research and development,
and its team continues to identify and responsibly publish vulnerabilities
in public and private software vendor's products. Members of the
Security-Assessment.com R&D team are globally recognised through their
release
of whitepapers and presentations related to new security research.
For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info () security-assessment com
Phone +64 4 470 1650
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists