bug-serveez

Re: [bug-serveez] Serveez Information Leak Vulnerability


From: Austin James Gadient
Subject: Re: [bug-serveez] Serveez Information Leak Vulnerability
Date: Mon, 4 Nov 2019 17:42:58 +0000

Hi Raimund,

Thank you for the reply!
That all sounds great. If you could reference CVE-2019-16200 when you make the 
patch that would be awesome. 
I haven't published anything for the CVE but will once the patch is made.

Anyway, here are the technical details:

There is a bug in the http_cgi_write function under http-cgi.c that causes an 
information leak.
The issue occurs on line 269 with this check:

  if (do_write > http->contentlength)
    do_write = http->contentlength;

The content length field is passed as a parameter in the content-length header 
of an http packet. However, the contentlength variable is an int, so it is 
signed.
On the other hand, do_write is an unsigned value. If we are able to make 
contentlength a negative value, the above check will pass but do_write will
be set to a huge unsigned value.

do_write is later used on line 280 for non-windows systems:

    if ((num_written = write (sock->pipe_desc[SVZ_WRITE],
                             sock->recv_buffer, do_write)) == -1)

do_write is the length of the write system call.
A large value in do_write will cause write() to send an excessive amount of 
data to the cgi process resulting in an information leak to that process or 
possibly a segmentation fault.

We can set contentlength to a negative value by supplying a sufficiently large 
unsigned value in a malicious http packet.

I recommend fixing this by changing the contentlength variable to an unsigned 
value in line 78 of http-core.h.

I have attached a zip file that includes files that will let you reproduce the 
bug. There is a README that explains how to use the files.
The zip also includes a prebuilt version of serveez compiled with address 
sanitizer. serveez needs to be set up with a cgi-bin directory that includes 
some script for the bug to be triggered.

Let me know if you have any questions!

Thanks,
Austin
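As an added illustration (not code from the mail, the attached zip, or serveez itself), the sign confusion described above is reduced here to a model of the quoted check and a strict Content-Length parser with a clamp that a fix could use. The model assumes do_write is an int that reaches write()'s size_t length parameter; that type assumption is not verified against the serveez sources.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the http_cgi_write() check quoted in the mail, with the buffer
   fill and the parsed Content-Length passed in so the arithmetic can be
   examined without sockets or a CGI child. do_write is assumed to be an int
   (assumption, not verified against serveez). Returns the length as write(2)
   would receive it after conversion to size_t. */
size_t vuln_write_len(int recv_buffer_fill, int contentlength)
{
    int do_write = recv_buffer_fill;
    if (do_write > contentlength)   /* fill > -1, so the check "passes" ... */
        do_write = contentlength;   /* ... and do_write becomes -1 */
    return (size_t) do_write;       /* (size_t)-1 == SIZE_MAX, far past the buffer */
}

/* Hardened parse: accept only a plain non-negative decimal number that fits
   in an int. Returns the value, or -1 for anything else ("-1", "+5", "", "12x",
   out of range). Rejecting the sign up front matters because strtoull would
   otherwise silently accept "-1" and wrap it. */
long long parse_content_length(const char *hdr)
{
    char *end;
    if (hdr == NULL || *hdr < '0' || *hdr > '9')
        return -1;
    errno = 0;
    unsigned long long v = strtoull(hdr, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > (unsigned long long) INT_MAX)
        return -1;
    return (long long) v;
}

/* Clamp the write length to what is actually buffered; both sides unsigned,
   so no signed/unsigned promotion can occur in the comparison. */
size_t safe_write_len(size_t recv_buffer_fill, size_t contentlength)
{
    return recv_buffer_fill < contentlength ? recv_buffer_fill : contentlength;
}

int main(void)
{
    /* constructed inputs: 512 bytes buffered, header value "-1" */
    printf("vulnerable length: %zu\n", vuln_write_len(512, atoi("-1")));
    printf("strict parse of \"-1\": %lld\n", parse_content_length("-1"));
    long long cl = parse_content_length("100");
    if (cl >= 0)
        printf("safe length: %zu\n", safe_write_len(512, (size_t) cl));
    return 0;
}
```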
________________________________________
From: Raimund 'Raimi' Jacob-Blödorn <address@hidden>
Sent: Monday, November 4, 2019 3:22 AM
To: Austin James Gadient; address@hidden
Subject: Re: [bug-serveez] Serveez Information Leak Vulnerability

On 11/4/19 3:20 AM, Austin James Gadient wrote:

Hello Austin,

What a surprise! To see someone actually having a look at serveez and
finding a bug.

> I am trying to contact the maintainer for Serveez version 0.2.2 because
> I have found an information leak vulnerability in the program. I
> am hoping to help them get a patch pushed.

I am not sure how much of a maintainer serveez currently really has. I
have not heard from Thien-Thi (ttn) for a long time. And all of the
original authors have stopped developing (and using) serveez.

However: I still have access to the git repo and I am willing to apply
any patch you may suggest:

http://git.savannah.gnu.org/cgit/serveez.git

I think the best way would be to patch against the "next" branch and
then make a 0.2.3 out of it.

I am also very curious what kind of problem you have discovered.

        Raimund

PS: feel free to contact me directly as I am not sure how well the
mailing lists are currently working. Sometimes they lag for many many hours.

Attachment: SERVEEZ-CVE-master.zip
Description: SERVEEZ-CVE-master.zip

