| Summary: | <dev-db/redis-3.2.5: Redis CONFIG SET client-output-buffer-limit Code Execution Vulnerability (CVE-2016-8339) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | bugs, proxy-maint, robbat2, ultrabug |
| Priority: | Normal | Flags: | kensington:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.talosintelligence.com/reports/TALOS-2016-0206/ | ||
| Whiteboard: | B1 [glsa cve] | ||
| Package list: |
=dev-db/redis-3.2.5
|
Runtime testing required: | --- |
| Bug Depends on: | 589044 | ||
| Bug Blocks: | 585646, 593134 | ||
From upstream changelog (https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES): ================================================================================ Redis 3.2.4 Released Mon Sep 26 08:58:21 CEST 2016 ================================================================================ Upgrade urgency CRITICAL: Redis 3.2 and unstable contained a security vulnerability fixed by this release. Hello Redis Wizards of the Memory Stores Empire, this is a Redis critical release in order to fix a security issue which is documented clearly here: https://github.com/antirez/redis/commit/6d9f8e2462fc2c426d48c941edeb78e5df7d2977 Thanks to Cory Duplantis of Cisco Talos for reporting the issue. IMPACT: The gist is that using CONFIG SET calls (or by manipulating redis.conf) an attacker is able to compromise certain fields of the "server" global structure, including the aof filename pointer, that could be made pointing to something else. In turn the AOF name is used in different contexts such as logging, rename(2) and open(2) syscalls, leading to potential problems. Please note that since having access to CONFIG SET also means to be able to change the AOF filename (and many other things) directly, this issue actual real world impact is quite small, so I would not panik: if you have CONFIG SET level of access, you can do more and more easily. AFFECTED VERSIONS: All Redis 3.2.x versions are affected. [...] CVE-2016-8339 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8339): A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. An out of bounds write vulnerability exists in the handling of the client-output-buffer-limit option during the CONFIG SET command for the Redis data structure store. A crafted CONFIG SET command can lead to an out of bounds write potentially resulting in code execution. @ Arches, please test and mark stable: =dev-db/redis-3.2.5 Stable target(s): amd64 hppa ppc64 x86 amd64 stable x86 stable ppc64 stable Stable for HPPA. New GLSA request filed. 3.2.x branch is clean. This issue was resolved and addressed in GLSA 201702-16 at https://security.gentoo.org/glsa/201702-16 by GLSA coordinator Thomas Deutschmann (whissi). |
From $URL: Summary: ======== An out of bounds write vulnerability exists in the handling of the client-output-buffer-limit option during the CONFIG SET command for the Redis data structure store. A crafted CONFIG SET command can lead to an out of bounds write potentially resulting in code execution. Details: ======== Redis is a simple in-memory data structure store using a key-value model. Redis has been growing in popularity due to its ability to handle problems that other databases can’t solve or are inherently slow at. An out of bounds write vulnerability exists during the modification of the client-output-buffer-limit option using the CONFIG SET command. The required syntax for setting the client-output-buffer-limit option is shown below. CONFIG SET client-output-buffer-limit <class> <hard limit> <soft limit> <soft seconds> This option sets the limits for disconnecting clients of a certain class. This option is set using the following code: src/config.c 849 /* Finally set the new config */ 850 for (j = 0; j < vlen; j += 4) { 851 int class; 852 unsigned long long hard, soft; 853 int soft_seconds; 854 855 class = getClientTypeByName(v[j]); 856 hard = strtoll(v[j+1],NULL,10); 857 soft = strtoll(v[j+2],NULL,10); 858 soft_seconds = strtoll(v[j+3],NULL,10); 859 860 server.client_obuf_limits[class].hard_limit_bytes = hard; 861 server.client_obuf_limits[class].soft_limit_bytes = soft; 862 server.client_obuf_limits[class].soft_limit_seconds = soft_seconds; 863 } src/networking.c 1747 int getClientTypeByName(char *name) { 1748 if (!strcasecmp(name,"normal")) return CLIENT_TYPE_NORMAL; // 0 1749 else if (!strcasecmp(name,"slave")) return CLIENT_TYPE_SLAVE; // 1 1750 else if (!strcasecmp(name,"pubsub")) return CLIENT_TYPE_PUBSUB; // 2 1751 else if (!strcasecmp(name,"master")) return CLIENT_TYPE_MASTER; // 3 1752 else return -1; 1753 } In the parsing of client-output-buffer-limit a call to getClientTypeByName is used to retrieve the corresponding class’s type. In this case, getClientTypeByName returns a value in the set of [-1, 3]. Looking at the declaration of the client_obuf_limits array, we see that the size of the array is 3. src/server.h 704 struct redisServer { ... 796 clientBufferLimitsConfig client_obuf_limits[CLIENT_TYPE_OBUF_COUNT]; ... 980 } src/server.h 292 #define CLIENT_TYPE_OBUF_COUNT 3 /* Number of clients to expose to output Although client-output-buffer-limit is only expecting clients of types normal, slave, and pubsub, master is also a valid client. By providing a client type of master, the client_obufs_limit array is overflown and subsequent structure variables are overwritten. A sample command exercising this vulnerability is below: CONFIG SET client-output-buffer-limit "master 3735928559 3405691582 373529054" Credit: ======= Discovered by Cory Duplantis of Cisco Talos Timeline: ========= 2016-09-22 - Vendor Disclosure 2016—09-26 - Public Release