Bug 191912 - www-servers/lighttpd < 1.4.18: remote code execution in FastCGI applications (CVE-2007-4727)
Summary: www-servers/lighttpd < 1.4.18: remote code execution in FastCGI applications ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.lighttpd.net/assets/2007/9...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-09-09 21:11 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-01-10 08:39 UTC
Description Christian Hoffmann (RETIRED) gentoo-dev 2007-09-09 21:11:29 UTC
lighttpd-1.4.18 just got released. It fixes a problem in mod_fastcgi which could lead to remote code execution in FastCGI applications.
Patch: http://www.lighttpd.net/download/lighttpd-1.4.x_mod_fastcgi_overrun.patch
Advisory: http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/
Release announcement: http://www.lighttpd.net/2007/9/9/1-4-18-speeding-up-a-bit
Comment 1 Peter Weller (RETIRED) gentoo-dev 2007-09-09 22:21:57 UTC
Bumped, time for arches to stabilize...
Comment 2 Thilo Bangert (RETIRED) gentoo-dev 2007-09-10 06:05:51 UTC
archs: please mark www-servers/lighttpd-1.4.18 stable 

target KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc ~sparc-fbsd x86 ~x86-fbsd"

Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-10 06:09:19 UTC
x86,amd64 already stable, really adding arches. :)
Comment 4 Thilo Bangert (RETIRED) gentoo-dev 2007-09-10 06:11:54 UTC
thanks opfer - the back button killed me...

also it appears that there is another release on the way. from the release announcement:
> For all the packagers: if you wonder what happened to lighttpd 2007-SA:11 and
> lighttpd 2007-SA:10, they will be released in the next days.
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2007-09-10 10:35:54 UTC
alpha/ia64 stable
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2007-09-10 12:00:39 UTC
(In reply to comment #4)
> also it appears that there is another release on the way. from the release
> announcement:
> > For all the packagers: if you wonder what happened to lighttpd 2007-SA:11 and
> > lighttpd 2007-SA:10, they will be released in the next days.
No, only the advisories will get released in the next days. The bugs are already fixed in 1.4.18 (I just contacted an upstream dev to clarify it :)).
Comment 7 Jeroen Roovers gentoo-dev 2007-09-10 12:54:01 UTC
Stable for HPPA.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-10 18:16:51 UTC
ppc stable
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-12 08:31:05 UTC
Unless I missed something, this is exploitable without user intervention, so rerating. Thanks for the report.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2007-09-13 11:49:12 UTC
ppc64 stable
Comment 11 Jeroen Roovers gentoo-dev 2007-09-13 15:16:08 UTC
Stable for SPARC.
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-13 16:44:18 UTC
I request a GLSA request. :) All security-supported arches are done.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-20 21:12:39 UTC
this one slipped through all the bugspam, sorry :/
anyway, glsa request filed.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-27 08:03:47 UTC
hoffie, is there a way to disable this mod fastcgi so we could add a workaround in the GLSA?
Comment 15 Christian Hoffmann (RETIRED) gentoo-dev 2007-09-27 13:52:40 UTC
(In reply to comment #14)
> hoffie, is there a way to disable this mod fastcgi so we could add a workaround
> in the GLSA?
Yes, it has to be removed from the server.modules list. On Gentoo, mod_fastcgi is added to the list of modules in the config file /etc/lighttpd/mod_fastcgi.conf.
lighttpd.conf (main lighttpd config file):
(line numbers not exact)
47:# uncomment for php/fastcgi support
48:#include "mod_fastcgi.conf"
So mod_fastcgi.conf and as such the module mod_fastcgi is not active by default. If the user enabled it (i.e. removed the # in front of the include line) then he could disable it again by adding a # of course.
Anyway, there are more possibilities to load mod_fastcgi (directly adding it to server.modules in lighttpd.conf etc...) and having to do without mod_fastcgi is a major loss of functionality.
Long story short: Yes, there is a workaround, but it will be a major loss of functionality (using mod_cgi instead is usually not a valid alternative).


BTW, it should also probably be noted that the bug in lighttpd "only" allows for injecting (broken) FastCGI protocol packets, there is no remote code execution per se. The remote code execution vulnerability only exists when the FastCGI application in question does not discard those invalid packets. <php-5.2.4_p20070914 is known to accept those packets (bug 191034) and as such allows for remote code execution (by changing CGI environment headers like SCRIPT_FILENAME you can trick PHP into executing PHP code from any arbitrary file e.g.).
So, if there is a remote code execution vulnerability the code is executed in the context of the FastCGI application and not within lighttpd.

I hope this wasn't too confusing. ;)
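The workaround described in comment 15 depends on whether a given lighttpd.conf actually loads mod_fastcgi, either through the (by default commented-out) include of mod_fastcgi.conf or by listing the module directly in server.modules. The following POSIX shell script is an added example, not part of this bug or of the lighttpd project, that applies a heuristic check to a configuration file so an administrator can tell which hosts the GLSA workaround applies to. The three sample configurations it writes are constructed for the example; the exact file layout on a real host is an assumption.

```shell
#!/bin/sh
# Added example, not code from the Gentoo bug or the lighttpd project.
# Heuristic check for whether a lighttpd configuration loads mod_fastcgi.
# A host running lighttpd < 1.4.18 with mod_fastcgi loaded is the case the
# GLSA workaround (commenting out the include) addresses.
# Exit status of fastcgi_enabled: 0 = mod_fastcgi loaded, 1 = not loaded.

fastcgi_enabled() {
    conf="$1"
    # Drop everything after '#' on each line so a commented-out
    # '#include "mod_fastcgi.conf"' is ignored. This also discards '#' inside
    # quoted strings, which is acceptable for a heuristic check.
    sed 's/#.*$//' "$conf" |
        grep -q -E 'include[[:space:]]+"mod_fastcgi\.conf"|"mod_fastcgi"'
}

# Constructed sample configurations (assumptions, not real hosts):
# the Gentoo default with the include commented out, one with the include
# active, and one that lists mod_fastcgi directly in server.modules.
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
DEFAULT_CONF="$WORKDIR/default.conf"
INCLUDE_CONF="$WORKDIR/include.conf"
MODULES_CONF="$WORKDIR/modules.conf"

cat > "$DEFAULT_CONF" <<'EOF'
server.modules = (
    "mod_access",
    "mod_accesslog"
)
# uncomment for php/fastcgi support
#include "mod_fastcgi.conf"
EOF

cat > "$INCLUDE_CONF" <<'EOF'
server.modules = (
    "mod_access"
)
include "mod_fastcgi.conf"
EOF

cat > "$MODULES_CONF" <<'EOF'
server.modules = (
    "mod_access",
    "mod_fastcgi"   # loaded directly, no include needed
)
EOF

# Print a verdict for one file without tripping 'set -e' on a non-zero status.
report() {
    if fastcgi_enabled "$1"; then
        echo "$1: mod_fastcgi LOADED (update to >= 1.4.18 or comment it out)"
    else
        echo "$1: mod_fastcgi not loaded"
    fi
}

report "$DEFAULT_CONF"
report "$INCLUDE_CONF"
report "$MODULES_CONF"
```

Run it against a real host by calling fastcgi_enabled on /etc/lighttpd/lighttpd.conf; note that it inspects only the one file it is given, so an include of some other file that itself loads the module is not followed.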
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-27 21:18:27 UTC
GLSA 200709-16, thanks all! 
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2007-09-27 21:28:11 UTC
Bah mid-air collision :(

Seems to me that this sounds more like a C issue? (Default config is not vulnerable).

Anyway thanks for getting the GLSA out so soon:)
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-09-30 20:25:26 UTC
(In reply to comment #17)
> Bah mid-air collision :(
> 
> Seems to me that this sounds more like a C issue? (Default config is not
> vulnerable).
> 
> Anyway thanks for getting the GLSA out so soon:)
> 

it depends whether you consider lighttpd to be a frequent package or not :)

btw it would have not changed GLSA severity (high)