Bug 191912 - www-servers/lighttpd < 1.4.18: remote code execution in FastCGI applications (CVE-2007-4727)
Bug#: 191912 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: hoffie@gentoo.org
Component: Vulnerabilities
URL:  http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
Summary: www-servers/lighttpd < 1.4.18: remote code execution in FastCGI applications (CVE-2007-4727)
Keywords:  
Status Whiteboard: B1 [glsa]
Opened: 2007-09-09 21:11 0000
Description:   Opened: 2007-09-09 21:11 0000 
lighttpd-1.4.18 got just released. It fixes a problem in mod_fastcgi which
could lead to remote code execution in FastCGI applications.
Patch:
http://www.lighttpd.net/download/lighttpd-1.4.x_mod_fastcgi_overrun.patch
Advisory: http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/
Release announcement: http://www.lighttpd.net/2007/9/9/1-4-18-speeding-up-a-bit

------- Comment #1 From Peter Weller 2007-09-09 22:21:57 0000 ------- 
Bumped, time for arches to stabilize...

------- Comment #2 From Thilo Bangert 2007-09-10 06:05:51 0000 ------- 
archs: please mark www-servers/lighttpd-1.4.18 stable 

target KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc ~sparc-fbsd
x86 ~x86-fbsd"

------- Comment #3 From Christian Faulhammer 2007-09-10 06:09:19 0000 ------- 
x86,amd64 already stable, really adding arches. :)

------- Comment #4 From Thilo Bangert 2007-09-10 06:11:54 0000 ------- 
thanks opfer - the back button killed me...

also it appears that there is another release on the way. from the release
announcement:
> For all the packagers: if you wonder what happened to lighttpd 2007-SA:11 and
> lighttpd 2007-SA:10, they will be released in the next days.

------- Comment #5 From Raúl Porcel 2007-09-10 10:35:54 0000 ------- 
alpha/ia64 stable

------- Comment #6 From Christian Hoffmann 2007-09-10 12:00:39 0000 ------- 
(In reply to comment #4)
> also it appears that there is another release on the way. from the release
> announcement:
> > For all the packagers: if you wonder what happened to lighttpd 2007-SA:11 and
> > lighttpd 2007-SA:10, they will be released in the next days.
No, only the advisories will get released in the next days. The bugs are
already fixed in 1.4.18 (I just contacted an upstream dev to clarify it :)).

------- Comment #7 From Jeroen Roovers 2007-09-10 12:54:01 0000 ------- 
Stable for HPPA.

------- Comment #8 From Tobias Scherbaum 2007-09-10 18:16:51 0000 ------- 
ppc stable

------- Comment #9 From Pierre-Yves Rofes 2007-09-12 08:31:05 0000 ------- 
Unless I missed something, this is exploitable without user intervention, so
rerating. Thanks for the report.

------- Comment #10 From Markus Rothe 2007-09-13 11:49:12 0000 ------- 
ppc64 stable

------- Comment #11 From Jeroen Roovers 2007-09-13 15:16:08 0000 ------- 
Stable for SPARC.

------- Comment #12 From Christian Faulhammer 2007-09-13 16:44:18 0000 ------- 
I request a GLSA request. :)  All security supported arches are done

------- Comment #13 From Pierre-Yves Rofes 2007-09-20 21:12:39 0000 ------- 
this one slipped through all the bugspam, sorry :/
anyway, glsa request filed.

------- Comment #14 From Pierre-Yves Rofes 2007-09-27 08:03:47 0000 ------- 
hoffie, is there a way to disable this mod fastcgi so we could add a workaround
in the GLSA?

------- Comment #15 From Christian Hoffmann 2007-09-27 13:52:40 0000 ------- 
(In reply to comment #14)
> hoffie, is there a way to disable this mod fastcgi so we could add a workaround
> in the GLSA?
Yes, it has to be removed from the server.modules list. On Gentoo, mod_fastcgi
is added to the list of modules in the config file
/etc/lighttpd/mod_fastcgi.conf.
lighttpd.conf (main lighttpd config file):
(line numbers not exact)
47:# uncomment for php/fastcgi support
48:#include "mod_fastcgi.conf"
So mod_fastcgi.conf and as such the module mod_fastcgi is not active by
default. If the user enabled it (i.e. removed the # in front of the include
line) then he could disable it again by adding a # of course.
Anyway, there are more possibilities to load mod_fastcgi (directly adding it to
server.modules in lighttpd.conf etc...) and having to do without mod_fastcgi is
a major loss of functionality.
Long story short: Yes, there is a workaround, but it will be a major loss of
functionality (using mod_cgi instead is usually not a valid alternative).


BTW, it should also probably be noted that the bug in lighttpd "only" allows
for injecting (broken) FastCGI protocol packets, there is no remote code
execution per se. The remote code execution vulnerability only exists when the
FastCGI application in question does not discard those invalid packets.
<php-5.2.4_p20070914 is known to accept those packets (bug 191034) and as such
allows for remote code execution (by changing CGI environment headers like
SCRIPT_FILENAME you can trick PHP into executing PHP code from any arbitrary
file e.g.).
So, if there is a remote code execution vulnerability the code is executed in
the context of the FastCGI application and not within lighttpd.

I hope this wasn't too confusing. ;)

------- Comment #16 From Pierre-Yves Rofes 2007-09-27 21:18:27 0000 ------- 
GLSA 200709-16, thanks all!

------- Comment #17 From Sune Kloppenborg Jeppesen 2007-09-27 21:28:11 0000 ------- 
Bah mid-air collission :(

Seems to me that this sounds more like a C issue? (Default config is not
vulnerable).

Anyway thanks for getting the GLSA out so soon:)

------- Comment #18 From Raphael Marichez 2007-09-30 20:25:26 0000 ------- 
(In reply to comment #17)
> Bah mid-air collission :(
> 
> Seems to me that this sounds more like a C issue? (Default config is not
> vulnerable).
> 
> Anyway thanks for getting the GLSA out so soon:)
> 

it depends whether you consider lighttpd to be a frequent package or not :)

btw it would have not changed GLSA severity (high)