Re: [bug-serveez] Serveez Information Leak Vulnerability
From: Austin James Gadient
Subject: Re: [bug-serveez] Serveez Information Leak Vulnerability
Date: Thu, 7 Nov 2019 16:57:03 +0000
Hi Raimund,
Just following up. Have you had a chance to look at this?
Thanks,
Austin
________________________________________
From: bug-serveez <bug-serveez-bounces+agadient=address@hidden> on behalf of
Austin James Gadient <address@hidden>
Sent: Monday, November 4, 2019 12:42 PM
To: Raimund 'Raimi' Jacob-Blödorn; address@hidden
Subject: Re: [bug-serveez] Serveez Information Leak Vulnerability
Hi Raimund,
Thank you for the reply!
That all sounds great. If you could reference CVE-2019-16200 when you make the
patch that would be awesome.
I haven't published anything for the CVE but will once the patch is made.
Anyway, here are the technical details:
There is a bug in the http_cgi_write function under http-cgi.c that causes an
information leak.
The issue occurs on line 269 with this check:
    if (do_write > http->contentlength)
      do_write = http->contentlength;
The content length field is passed as a parameter in the content-length header
of an http packet. However, the contentlength variable is an int, so it is
signed.
On the other hand, do_write is an unsigned value. If we are able to make
contentlength a negative value, the above check will pass but do_write will
be set to a huge unsigned value.
do_write is later used on line 280 for non-windows systems:
    if ((num_written = write (sock->pipe_desc[SVZ_WRITE],
                              sock->recv_buffer, do_write)) == -1)
do_write is the length of the write system call.
A large value in do_write will cause write() to send an excessive amount of
data to the cgi process resulting in an information leak to that process or
possibly a segmentation fault.
We can set contentlength to a negative value by supplying a sufficiently large
unsigned value in a malicious http packet.
I recommend fixing this by changing the contentlength variable to an unsigned
value in line 78 of http-core.h.
I have attached a zip file that includes files that will let you reproduce the
bug. There is a README that explains how to use the files.
The zip also includes a prebuilt version of serveez compiled with address
sanitizer. serveez needs to be set up with a cgi-bin directory that includes
some script for the bug to be triggered.
Let me know if you have any questions!
Thanks,
Austin
________________________________________
From: Raimund 'Raimi' Jacob-Blödorn <address@hidden>
Sent: Monday, November 4, 2019 3:22 AM
To: Austin James Gadient; address@hidden
Subject: Re: [bug-serveez] Serveez Information Leak Vulnerability
On 11/4/19 3:20 AM, Austin James Gadient wrote:
Hello Austin,
What a surprise! To see someone actually having a look at serveez and
finding a bug.
> I am trying to contact the maintainer for Serveez version 0.2.2 because
> I have found an information leak vulnerability in the program. I
> am hoping to help them get a patch pushed.
I am not sure how much of a maintainer serveez currently really has. I
have not heard from Thien-Thi (ttn) for a long time. And all of the
original authors have stopped developing (and using) serveez.
However: I still have access to the git repo and I am willing to apply
any patch you may suggest:
http://git.savannah.gnu.org/cgit/serveez.git
I think the best way would be to patch against the "next" branch and
then make a 0.2.3 out of it.
I am also very curious what kind of problem you have discovered.
Raimund
PS: feel free to contact me directly as I am not sure how well the
mailing lists are currently working. Sometimes they lag for many many hours.
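The following is an added illustration, not Serveez code and not from anyone in the thread: it models the contentlength clamp Austin describes, with the length variables declared as plain int (an assumption about the original declarations), shows how a negative value reaches the size_t length parameter of write(), and puts an unsigned clamp and a bounds-checked Content-Length parser next to it. All function names and the 1 MiB body bound are constructed for the example.

```c
/* Added example (not Serveez code): the signed contentlength clamp and a
 * hardened alternative. Declarations are assumptions for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the vulnerable clamp. Assumption: both values are signed int.
 * Returns the byte count that reaches write()'s size_t length parameter. */
size_t vulnerable_write_len(int recv_buffer_fill, int contentlength)
{
    int do_write = recv_buffer_fill;
    if (do_write > contentlength)   /* true for every negative contentlength */
        do_write = contentlength;   /* do_write is now negative */
    return (size_t)do_write;        /* -1 becomes SIZE_MAX at the write() call */
}

/* Hardened clamp: the length is unsigned end to end, so no negative value can
 * exist and the minimum is taken within a single type. */
size_t hardened_write_len(size_t recv_buffer_fill, size_t contentlength)
{
    return recv_buffer_fill < contentlength ? recv_buffer_fill : contentlength;
}

/* Constructed Content-Length parser: accepts only an unsigned decimal string
 * that fits the type and a configured body bound. Returns the length, or -1
 * when the header should make the server reject the request instead of
 * storing it in an int and clamping later. */
long long parse_content_length(const char *value, size_t max_body)
{
    char *end;
    unsigned long long n;
    if (value == NULL || *value < '0' || *value > '9')
        return -1;                  /* rejects "", "-1", "+1", leading spaces */
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0' || n > max_body)
        return -1;                  /* overflow, trailing junk, or over bound */
    return (long long)n;
}

int main(void)
{
    printf("vulnerable clamp, contentlength=-1: %zu bytes\n",
           vulnerable_write_len(512, -1));
    printf("hardened clamp, 512 vs 100: %zu bytes\n", hardened_write_len(512, 100));
    printf("parse \"4294967295\" with 1 MiB bound: %lld\n",
           parse_content_length("4294967295", (size_t)1 << 20));
    return 0;
}
```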