Fedora Update for tarantool FEDORA-2016-2d0c8ba781
2016-12-23T00:00:00
ID OPENVAS:1361412562310872179 Type openvas Reporter Copyright (C) 2016 Greenbone Networks GmbH Modified 2019-03-15T00:00:00
Description
The remote host is missing an update for the 'tarantool' package(s) announced via the referenced advisory.
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for tarantool FEDORA-2016-2d0c8ba781
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Registration phase: when the scanner loads the script with `description` set,
# only metadata is declared and the script exits before any detection logic runs.
if(description)
{
# Plugin OID; the last component (872179) is the plugin ID used in the feed metadata.
script_oid("1.3.6.1.4.1.25623.1.0.872179");
# SVN keyword-expanded revision/date stamps (the feed tooling fills these in).
script_version("$Revision: 14223 $");
script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");
script_tag(name:"creation_date", value:"2016-12-23 06:07:03 +0100 (Fri, 23 Dec 2016)");
# Both CVEs are network-reachable out-of-bounds reads (CWE-125) with availability impact only:
#   CVE-2016-9036 - msgpuck mp_check() wrongly reports success for a truncated map16 header
#   CVE-2016-9037 - tarantool xrow_header_decode() indexes iproto_key_type[] with an unchecked key
script_cve_id("CVE-2016-9036", "CVE-2016-9037");
# CVSSv2 score/vector match the more severe entry, CVE-2016-9037 (7.8, A:C);
# CVE-2016-9036 on its own scores 5.0 (A:P).
script_tag(name:"cvss_base", value:"7.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:C");
# Quality of detection: based on the installed package version, not on exercising the flaw.
script_tag(name:"qod_type", value:"package");
script_name("Fedora Update for tarantool FEDORA-2016-2d0c8ba781");
script_tag(name:"summary", value:"The remote host is missing an update for the 'tarantool'
package(s) announced via the referenced advisory.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
# Fixed build for this release is tarantool-1.6.9.52-1.fc25 (see the isrpmvuln() call below);
# the msgpuck package from the same advisory is handled by a separate check.
script_tag(name:"affected", value:"tarantool on Fedora 25");
script_tag(name:"solution", value:"Please install the updated package(s).");
# Advisory ID and the package-announce post it links to.
script_xref(name:"FEDORA", value:"2016-2d0c8ba781");
script_xref(name:"URL", value:"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42TGJQR5FAMDNILDDEANZUK7ZZFIWGCF");
script_tag(name:"solution_type", value:"VendorFix");
# Information-gathering category: the check only reads the collected RPM list,
# it never talks to the tarantool service itself.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2016 Greenbone Networks GmbH");
script_family("Fedora Local Security Checks");
# The package inventory is produced over SSH by gather-package-list.nasl.
script_dependencies("gather-package-list.nasl");
# Only scheduled when an SSH login succeeded, an RPM list exists and the release key is FC25;
# the detection code re-checks the release before calling isrpmvuln().
script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC25");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Detection phase: compare the installed tarantool RPM with the build shipped by
# FEDORA-2016-2d0c8ba781 (tarantool-1.6.9.52-1.fc25). Only Fedora 25 is covered here;
# the msgpuck package from the same advisory has its own check (OID ...872180).
release = rpm_get_ssh_release();
if(!release)
  exit(0);

if(release == "FC25")
{
  # isrpmvuln() yields a report string when an older tarantool RPM is installed
  # and NULL when the package is absent or already at/above the fixed version.
  if(!isnull(res = isrpmvuln(pkg:"tarantool", rpm:"tarantool~1.6.9.52~1.fc25", rls:"FC25")))
  {
    security_message(data:res);
    exit(0);
  }

  # Package was found but is not vulnerable: exit(99) is the feed convention for that outcome.
  if(__pkg_match)
    exit(99);
  exit(0);
}
{"id": "OPENVAS:1361412562310872179", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for tarantool FEDORA-2016-2d0c8ba781", "description": "The remote host is missing an update for the ", "published": "2016-12-23T00:00:00", "modified": "2019-03-15T00:00:00", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872179", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["2016-2d0c8ba781", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42TGJQR5FAMDNILDDEANZUK7ZZFIWGCF"], "cvelist": ["CVE-2016-9037", "CVE-2016-9036"], "lastseen": "2019-05-29T18:35:06", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-9037", "CVE-2016-9036"]}, {"type": "seebug", "idList": ["SSV:96591", "SSV:96590"]}, {"type": "nessus", "idList": ["FEDORA_2016-2D0C8BA781.NASL", "FEDORA_2016-BADD014AFE.NASL"]}, {"type": "fedora", "idList": ["FEDORA:75FFF60AA770", "FEDORA:DBAA06051B2D", "FEDORA:E5D1B6093946", "FEDORA:6A10F60AA76F"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310872181", "OPENVAS:1361412562310872180", "OPENVAS:1361412562310872177"]}, {"type": "talos", "idList": ["TALOS-2016-0254", "TALOS-2016-0255"]}], "modified": "2019-05-29T18:35:06", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2019-05-29T18:35:06", "rev": 2}, "vulnersScore": 6.6}, "pluginID": "1361412562310872179", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for tarantool FEDORA-2016-2d0c8ba781\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), 
as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872179\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-23 06:07:03 +0100 (Fri, 23 Dec 2016)\");\n script_cve_id(\"CVE-2016-9036\", \"CVE-2016-9037\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for tarantool FEDORA-2016-2d0c8ba781\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'tarantool'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"tarantool on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-2d0c8ba781\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42TGJQR5FAMDNILDDEANZUK7ZZFIWGCF\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks 
GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"tarantool\", rpm:\"tarantool~1.6.9.52~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks"}
{"cve": [{"lastseen": "2020-10-03T12:10:51", "description": "An exploitable incorrect return value vulnerability exists in the mp_check function of Tarantool's Msgpuck library 1.0.3. A specially crafted packet can cause the mp_check function to incorrectly return success when trying to check if decoding a map16 packet will read outside the bounds of a buffer, resulting in a denial of service vulnerability.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-12-23T22:59:00", "title": "CVE-2016-9036", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9036"], "modified": "2019-10-09T23:20:00", "cpe": ["cpe:/a:tarantool:msgpuck:1.0.3"], "id": "CVE-2016-9036", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9036", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:tarantool:msgpuck:1.0.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:51", "description": "An exploitable out-of-bounds array access vulnerability exists in the xrow_header_decode function of Tarantool 1.7.2.0-g8e92715. 
A specially crafted packet can cause the function to access an element outside the bounds of a global array that is used to determine the type of the specified key's value. This can lead to an out of bounds read within the context of the server. An attacker who exploits this vulnerability can cause a denial of service vulnerability on the server.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-12-23T22:59:00", "title": "CVE-2016-9037", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9037"], "modified": "2019-10-09T23:20:00", "cpe": ["cpe:/a:tarantool:tarantool:1.7.2"], "id": "CVE-2016-9037", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9037", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:a:tarantool:tarantool:1.7.2:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T11:57:05", "description": "### Summary\r\nAn exploitable incorrect return value vulnerability exists in the mpcheck function of Tarantool's Msgpuck library 1.0.3. 
A specially crafted packet can cause the mpcheck function to incorrectly return success when trying to check if decoding a map16 packet will read outside the bounds of a buffer, resulting in a denial of service vulnerability.\r\n### Tested Versions\r\nMsgpuck 1.0.3\r\n\r\n### Product URLs\r\nhttps://github.com/tarantool/msgpuck/tree/1.0.3\r\n\r\n### CVSSv3 Score\r\n7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\r\n\r\n### CWE\r\nCWE-125: Out-of-bounds Read\r\n\r\n### Details\r\nThe Msgpuck library is used to encode and decode data that is serialized with the MsgPack (http://msgpack.org) format. This library was originally implemented to be the default library used for serialization and deserialization for the Tarantool Application Server, but is also distributed as an independent library to provide support for the MsgPack format to other C or C++ applications.\r\n\r\nWhen deserializing data that is encoded with the MsgPack format, the Msgpuck library provides a function named mp_check that's used to validate the Msgpack data before it is decoded. This function takes two arguments, one to the beginning of the MsgPack data and another to the end of the data which is used to determine if decoding the packet will read outside the bounds of the data. An example of how this is intended to be used is as follows:\r\n```\r\n// Validate\r\nchar buf[1024];\r\nconst char* b = buf;\r\nif (!mp_check(&b, b+sizeof(buf)))\r\n return FAILURE;\r\n\r\n// Decode\r\nconst char* r = buf;\r\nuint32_t count = mp_decode_map(&r);\r\nfor (int i = 0; i < count; i++) {\r\n k = mp_decode_uint(&r);\r\n v = mp_decode_uint(&r);\r\n}\r\n...\r\n```\r\n\r\nFor optimization purposes, each of the Msgpuck functions are inlined. When calling mpcheck, the following code will be executed. First the library will read a byte that determines the type. This type will then be used to determine how many more bytes are expected for the encoded type. 
When the type is a map16 type, the library will check to see if the sum of the current read position and the size of a uint16t seeks past the end pointer. Due to a typo, however, the library will incorrectly return false which is a result that's different from the function's failure result. One can see that the result of a map32 returns a constant 1 when that particular failure occurs. This means that if the 2 bytes determining the map16's length cause the sum to seek past the end pointer, the function will succeed. Later when the library tries to decode this data, the library will read outside the bounds of the source data buffer.\r\n```\r\nmsgpuck/msgpuck.h:1819\r\n\r\nMP_IMPL int\r\nmp_check(const char **data, const char *end)\r\n{\r\n int k;\r\n for (k = 1; k > 0; k--) {\r\n if (mp_unlikely(*data >= end))\r\n return 1;\r\n\r\n uint8_t c = mp_load_u8(data);\r\n int l = mp_parser_hint[c];\r\n if (mp_likely(l >= 0)) {\r\n *data += l;\r\n continue;\r\n } else if (mp_likely(l > MP_HINT)) {\r\n k -= l;\r\n continue;\r\n }\r\n\r\n uint32_t len;\r\n switch (l) {\r\n...\r\n case MP_HINT_MAP_16:\r\n /* MP_MAP (16) */\r\n if (mp_unlikely(*data + sizeof(uint16_t) > end))\r\n return false; // XXX: Should return 1 on failure.\r\n k += 2 * mp_load_u16(data);\r\n break;\r\n case MP_HINT_MAP_32:\r\n /* MP_MAP (32) */\r\n if (mp_unlikely(*data + sizeof(uint32_t) > end))\r\n return 1;\r\n k += 2 * mp_load_u32(data);\r\n break;\r\n...\r\n default:\r\n mp_unreachable();\r\n }\r\n }\r\n\r\n if (mp_unlikely(*data > end))\r\n return 1;\r\n\r\n return 0;\r\n}\r\n```\r\n\r\n### Crash Information\r\n```\r\n$ gdb --quiet --args ./poc-server.out 0.0.0.0:57005\r\n...\r\n\r\n\r\n\r\n$ python poc 127.0.0.1:57005\r\n\r\n\r\n\r\n...\r\nCatchpoint 4 (signal SIGSEGV), 0x0000000000402bdc in mp_load_u16 ()\r\n(gdb) x/i $pc\r\n=> 0x402bdc <mp_load_u16+15>: movzwl (%rax),%eax\r\n(gdb) i r rax\r\nrax 0x7ffff7ff6fff 0x7ffff7ff6fff\r\n```\r\n\r\n### Exploit Proof-of-Concept\r\nIn order to demonstrate 
the out-of-bounds read, a server that reads a MsgPack decoded map type is provided. This server allocates space for the source buffer followed by a guard-page to show the exact instruction that reads outside the allocated buffer. To compile this, simply copy the `poc-server.cc` file to the root of the Tarantool directory and type in the following. This will create a binary named `poc-server.out` which will run the MsgPack server. The arguments to this binary control which interface and port the server will bind to.\r\n```\r\n$ g++ -Wall -Isrc/lib/msgpuck src/lib/msgpuck/msgpuck.c -std=c++11 -o poc-server.out poc-server.cc\r\n$ ./poc-server.out\r\nUsage: ./poc-server.out host:port\r\n$ ./poc-server.out 0.0.0.0:57005\r\nListening on 0.0.0.0:57005\r\n...\r\n```\r\n\r\nOnce the server is running, the proof-of-concept can be executed against the server using python. This is done using a similar syntax. The proof-of-concept will send 5 packets. The first 3 packets that are sent will exercise the fixmap, map16, and map32 encoded types. The 4th packet will send a malformed map16 type. 
The 5th and last packet will trigger the vulnerability causing the out-of-bounds read.\r\n```\r\n$ python poc host:port\r\nSending a valid fixmap {1:1, 2:2, 3:3, 4:4, 5:5}\r\nSending a valid map16 {1:1, 2:2, 3:3, 4:4, 5:5}\r\nSending a valid map32 {1:1, 2:2, 3:3, 4:4, 5:5}\r\nSending a invalid map16 {1:1, 2:2, 3:3, 4:4, 5:5}\r\nSending a vulnerable map16 {1:1, 2:2, 3:3, 4:4, 5:5}\r\n```\r\n\r\n### Timeline\r\n* 2016-12-14 - Vendor Disclosure\r\n* 2016-12-16 - Public Release\r\n\r\n### CREDIT\r\n* Discovered by the Cisco Talos Team", "published": "2017-09-26T00:00:00", "type": "seebug", "title": "Tarantool Msgpuck mp_check Denial Of Service Vulnerability(CVE-2016-9036)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-9036"], "modified": "2017-09-26T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96590", "id": "SSV:96590", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-11-19T11:57:04", "description": "### Summary\r\nAn exploitable out-of-bounds array access vulnerability exists in the `xrow_header_decode` function of Tarantool 1.7.2.0-g8e92715. A specially crafted packet can cause the function to access an element outside the bounds of a global array that is used to determine the type of the specified key's value. This can lead to an out of bounds read within the context of the server. An attacker who exploits this vulnerability can cause a denial of service vulnerability on the server.\r\n\r\n### Tested Versions\r\nTarantool 1.7.2-0-g8e92715\r\n\r\n### Product URLs\r\nhttps://github.com/tarantool/tarantool\r\n\r\n### CVSSv3 Score\r\n7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\r\n\r\n### CWE\r\nCWE-125: Out-of-bounds Read\r\n\r\n### Details\r\nTarantool is an open-source lua-based application server. 
While primarily functioning as an application server, it is also capable of providing database-like features and providing an in-memory database which can be queried using a protocol based around the MsgPack serialization format. Tarantool is used by various service providers such as Mail.RU, or Badoo.\r\n\r\nTarantool's protocol is based around the MsgPack serialization format. This protocol is used to encode specific request types which are then made against the server. Inside the header of this protocol is data encoded as a map type in which each key is represented by integers. Each of these integers are used to index into an array which is used to determine the type of the key that was specified.\r\n\r\nIn the following code, the server will first read the length out of the MsgPack encoded packet. After reading the length, the server will create a new instance of a message using the `iproto_msg_new` function. Afterwards, this object will be passed onto the `iproto_decode_msg` function.\r\n```\r\nsrc/box/iproto.cc:601\r\n\r\n/** Enqueue all requests which were read up. */\r\nstatic inline void\r\niproto_enqueue_batch(struct iproto_connection *con, struct ibuf *in)\r\n{\r\n bool stop_input = false;\r\n while (con->parse_size && stop_input == false) {\r\n ...\r\n /* Read request length. 
*/\r\n if (mp_typeof(*pos) != MP_UINT) {\r\n tnt_raise(ClientError, ER_INVALID_MSGPACK,\r\n \"packet length\");\r\n }\r\n if (mp_check_uint(pos, in->wpos) >= 0)\r\n break;\r\n uint32_t len = mp_decode_uint(&pos);\r\n const char *reqend = pos + len;\r\n ...\r\n struct iproto_msg *msg = iproto_msg_new(con);\r\n ...\r\n msg->len = reqend - reqstart; /* total request length */\r\n\r\n try {\r\n iproto_decode_msg(msg, &pos, reqend, &stop_input);\r\n cpipe_push_input(&tx_pipe, guard.release());\r\n } catch (Exception *e) {\r\n ...\r\n }\r\n ...\r\n }\r\n ...\r\n}\r\n```\r\n\r\nAt the very beginning of the `iproto_decode_msg` function, the server will call a wrapper named `xrow_header_decode_xc`. This wrapper will simply chain into the `xrow_header_decode` function.\r\n```\r\nsrc/box/iproto.cc:601\r\n\r\nstatic void\r\niproto_decode_msg(struct iproto_msg *msg, const char **pos, const char *reqend,\r\n bool *stop_input)\r\n{\r\n xrow_header_decode_xc(&msg->header, pos, reqend); // XXX: Call xrow_header_decode_xc wrapper\r\n assert(*pos == reqend);\r\n request_create(&msg->request, msg->header.type);\r\n msg->request.header = &msg->header;\r\n\r\n ...\r\n}\r\n\r\n\r\nsrc/box/xrow.h:152\r\n\r\nstatic inline void\r\nxrow_header_decode_xc(struct xrow_header *header, const char **pos,\r\n const char *end)\r\n{\r\n if (xrow_header_decode(header, pos, end) < 0) // XXX: Continue onto xrow_header_decode\r\n diag_raise();\r\n}\r\n```\r\n\r\nWhen inside the `xrow_header_decode` function, the server will first check to see if the MsgPack encoded data is not malformed in anyway. Once this is performed, the next part of the packet will be checked to see if it is of the MP_MAP type. Afterwards, the server will enter a loop which will iterate over the number of values that are stored within the map type. For each entry within the map type, the server will decode a key from the map and then use it as an index to a global array named `iproto_key_type`. This array contains 0x31 elements. 
If one of the keys that are encoded are an integer that is larger than this array, then the server will access an element outside the bounds of said array.\r\n```\r\nsrc/box/xrow.cc:46\r\n\r\nint\r\nxrow_header_decode(struct xrow_header *header, const char **pos,\r\n const char *end)\r\n{\r\n memset(header, 0, sizeof(struct xrow_header));\r\n const char *tmp = *pos;\r\n if (mp_check(&tmp, end) != 0) {\r\nerror:\r\n diag_set(ClientError, ER_INVALID_MSGPACK, \"packet header\");\r\n return -1;\r\n }\r\n\r\n if (mp_typeof(**pos) != MP_MAP)\r\n goto error;\r\n\r\n uint32_t size = mp_decode_map(pos);\r\n for (uint32_t i = 0; i < size; i++) {\r\n if (mp_typeof(**pos) != MP_UINT)\r\n goto error;\r\n unsigned char key = mp_decode_uint(pos); // XXX: Read integer from packet\r\n if (iproto_key_type[key] != mp_typeof(**pos)) // XXX: Use integer as element for array\r\n goto error;\r\n ...\r\n }\r\n ...\r\n}\r\n```\r\n\r\n### Crash Information\r\n```\r\n$ ASAN_OPTIONS=halt_on_error=0 /usr/local/bin/tarantool\r\n/usr/local/bin/tarantool: version 1.7.2-0-g8e92715\r\ntype 'help' for interactive help\r\ntarantool> box.cfg{listen=57005}\r\n2016-11-27 01:23:41.848 [61276] main/101/interactive C> version 1.7.2-0-g8e92715\r\n2016-11-27 01:23:41.848 [61276] main/101/interactive C> log level 5\r\n2016-11-27 01:23:41.848 [61276] main/101/interactive I> mapping 1073741824 bytes for tuple arena...\r\n2016-11-27 01:23:41.990 [62486] iproto/102/iproto I> binary: started\r\n2016-11-27 01:23:41.991 [62486] iproto/102/iproto I> binary: bound to 0.0.0.0:57005\r\n2016-11-27 01:23:42.261 [62486] main/101/interactive I> initializing an empty data directory\r\n2016-11-27 01:23:42.314 [62595] snapshot/101/main I> creating `./00000000000000000000.snap.inprogress'\r\n2016-11-27 01:23:42.315 [62595] snapshot/101/main I> saving snapshot `./00000000000000000000.snap.inprogress'\r\n2016-11-27 01:23:42.507 [62595] snapshot/101/main I> done\r\n2016-11-27 01:23:42.697 [61276] main/101/interactive I> ready to 
accept requests\r\n---\r\n...\r\n\r\ntarantool> =================================================================\r\n==61276==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001192b72 at pc 0x4e522a bp 0x7f091c8f1fd0 sp 0x7f091c8f1fc8\r\nREAD of size 1 at 0x000001192b72 thread T1 (iproto)\r\n #0 0x4e5229 in xrow_header_decode(xrow_header*, char const**, char const*) /user/tarantool/src/box/xrow.cc:65\r\n #1 0x4ca63a in iproto_enqueue_batch(iproto_connection*, ibuf*) /user/tarantool/src/box/iproto.cc:515\r\n #2 0x4c3ac3 in iproto_connection_on_input(ev_loop*, ev_io*, int) /user/tarantool/src/box/iproto.cc:635\r\n #3 0x113dd6e in ev_invoke_pending /user/tarantool/third_party/libev/ev.c:3176\r\n #4 0x114071b in ev_run /user/tarantool/third_party/libev/ev.c:3576\r\n #5 0xbc09af in cord_costart_thread_func /user/tarantool/src/fiber.c:1004\r\n #6 0xbbafcf in cord_thread_func /user/tarantool/src/fiber.c:810\r\n #7 0x7f09207dddc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)\r\n #8 0x7f091fceacec in __clone (/lib64/libc.so.6+0xf6cec)\r\n\r\n0x000001192b72 is located 46 bytes to the left of global variable '.str' from '/user/tarantool/src/box/iproto_constants.c' (0x1192ba0) of size 7\r\n '.str' is ascii string 'SELECT'\r\n0x000001192b72 is located 0 bytes to the right of global variable 'iproto_key_type' from '/user/tarantool/src/box/iproto_constants.c' (0x1192b40) of size 50\r\nSUMMARY: AddressSanitizer: global-buffer-overflow /user/tarantool/src/box/xrow.cc:65 xrow_header_decode(xrow_header*, char const**, char const*)\r\nShadow bytes around the buggy address:\r\n 0x00008022a510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x00008022a520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x00008022a530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x00008022a540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x00008022a550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x00008022a560: 00 00 00 00 00 00 00 00 00 00 00 00 00 
00[02]f9\r\n 0x00008022a570: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9\r\n 0x00008022a580: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9\r\n 0x00008022a590: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9\r\n 0x00008022a5a0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9\r\n 0x00008022a5b0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07\r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\nThread T1 (iproto) created by T0 here:\r\n #0 0x47d542 in pthread_create (/usr/local/bin/tarantool+0x47d542)\r\n\r\n==61276==ABORTING\r\n```\r\n\r\n### Exploit Proof-of-Concept\r\nWhen first running the Tarantool application server, start a server by typing the following at the Tarantool prompt. This will start a server bound to TCP port 57005.\r\n```\r\ntarantool> box.cfg {listen=57005}\r\n```\r\n\r\nTo run the provided proof-of-concept, simply run it with python as;\r\n```\r\n$ python poc host:port\r\n```\r\n\r\nWhen connecting to port 57005 on the server, Tarantool will first send a 128 byte greeting that has the following format:\r\n```\r\n<class greeting>\r\n[0] <instance pstr.string<char_t>[64] 'tarantool'> u'Tarantool 1.7.2 (Binary) 84ed9e83-f99c-478a-8357-02edb833e091 \\n'\r\n[40] <instance pstr.string<char_t>[44] 'salt'> u'UT4DBDrpVTD9h0bl7utdZvAA79Go5EOKLV/F8P4yyJ0='\r\n[6c] <instance pstr.string<char_t>[20] 'null'> u' \\n'\r\n```\r\n\r\nAfter receiving this packet, one can then send the MsgPack encoded message that triggers the vulnerability. 
The MsgPack format has the capacity of encoding various atomic types such as integers, booleans, and strings as well as different container types such as arrays or map (key/value) types. When encoding a type, the first byte will dictate the type+size followed by the data representing the value. The first byte is a binary structure that determines the size of the type. For integral types, this structure may be one of the following. If the type is positive-fixint, then the bottom 7-bits represent the integer value. If the type is negative-fixint, then the bottom 5-bits represent the integer value.\r\n```\r\npositive-fixint(7b) negative-fixint(5b) type-enumeration(5b)\r\n0xxxxxxx 111xxxxx 110xxxxx\r\n```\r\n\r\nIf the integer type is larger than 7 bits, then the following enumerations will occupy the bottom 5 bits. Depending on the enumeration type, the next number of bytes will contain the integer encoded in big-endian form.\r\n```\r\nuint8 uint16 uint32 uint64\r\nxxx01100 xxx01101 xxx01110 xxx01111\r\n\r\n\r\n\r\nsint8 sint16 sint32 sint64\r\nxxx10000 xxx10001 xxx10010 xxx10011\r\n```\r\n\r\nIf a container type such as a mapping-type is being specified, then it will have one of the following formats. If it's of a mapfix-type, then the bottom 4 bits represent the number of key/value pairs that follow. If a map16 or map32 is specified, then the first 3 bits will represent the type enumeration (110), and then the next 5 bits will represent one of the following enumerations. Immediately following the map16 or map32 byte will then be either a uint16 ot uint32 (respectively) that is encoded in big-endian form. Each of these container types will then be followed with a number of MsgPack encoded values. 
This number specifies the number of pairs (key/value) that compose the mapping type.\r\n```\r\nmapfix map16 map32\r\n1000xxxx xxx11110 xxx11111\r\n```\r\n\r\nTarantool's protocol first begins with a MsgPack encoded integer which dictates the number of bytes that compose the header and body that follow. This integer can be encoded within any of the previous defined integral types. Within the provided proof-of-concept, the size has the following format:\r\n```\r\n<class mp.packet> 'size'\r\n[0] <instance mp.t_packet 'type'> {bits=8} mp.d_uint32 (0xce, 8)\r\n[1] <instance mp.d_uint32 'data'> {Value=+0x00000004 (4)}\r\n```\r\n\r\nImmediately following the size, are two MsgPack encoded mapping types. Within Tarantool's protocol, the mapping type will contain pairs of key/values where the keys are are MsgPack encoded integer types and can be any one of the previously defined types (mapfix, map16, map32). Within the provided proof-of-concept, the header will look like the following map:\r\n```\r\n<class mp.packet> 'header'\r\n[5] <instance mp.t_packet 'type'> {bits=8} mp.d_fixmap (0x81, 8)\r\n[6] <instance mp.d_fixmap 'data'> \"\\x32\\xcc\\x00\"\r\n```\r\n\r\nThe data of this type contains a list of pairs. If the key of any one of these pairs is larger than the length of the iprotokeytype global variable (0x31), then this vulnerability is being triggered.\r\n```\r\n<class mp.d_fixmap> 'data'\r\n[6] <instance mp.PackedIntegerHolder 'Length'> {ZeroSizedFixType=1} 1 (+0x1)\r\n[6] <instance dynamic.array(mp.packet,2) 'Value'> mp.packet[2] \"\\x32\\xcc\\x00\"\r\n```\r\n\r\nIn the provided proof-of-concept, this key is set to a positive-fixint of 0x32. 
It is prudent to note, that the type can be any one of the aforementioned integer types (positive-fixint, negative-fixint, uint8, uint16, uint32, uint64, sint8, sint16, sint32, sint64).\r\n```\r\nKey:\r\n\r\n<class mp.packet> '0'\r\n[6] <instance mp.t_packet 'type'> {bits=8} mp.d_positive_fixint (0x32, 8)\r\n[7] <instance mp.d_positive_fixint 'data'> {Value=50 (+0x32)} // XXX: Must be out-of-bounds of the iproto_key_type array.\r\n\r\n\r\nValue:\r\n\r\n<class mp.packet> '1'\r\n[7] <instance mp.t_packet 'type'> {bits=8} mp.d_uint8 (0xcc, 8)\r\n[8] <instance mp.d_uint8 'data'> {Value=+0x00 (0)}\r\n```\r\n\r\n### Timeline\r\n* 2016-12-14 - Vendor Disclosure\r\n* 2016-12-16 - Public Release\r\n\r\n### CREDIT\r\n* Discovered by the Cisco Talos Team", "published": "2017-09-26T00:00:00", "type": "seebug", "title": "Tarantool Key-type Denial Of Service Vulnerability(CVE-2016-9037)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-9037"], "modified": "2017-09-26T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96591", "id": "SSV:96591", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9036", "CVE-2016-9037"], "description": "MsgPack is a binary-based efficient object serialization library. It enables to exchange structured objects between many languages like JSON. But unlike JSON, it is very fast and small. msgpuck is very lightweight header-only library designed to be embedded to your application by the C/C++ compiler. The library is fully documented and covered by unit tests. 
", "modified": "2016-12-22T05:25:55", "published": "2016-12-22T05:25:55", "id": "FEDORA:E5D1B6093946", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: msgpuck-1.1.3-1.fc25", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9036", "CVE-2016-9037"], "description": "Tarantool is a high performance in-memory NoSQL database and Lua application server. Tarantool supports replication, online backup and stored procedures in Lua. This package provides the server daemon and admin tools. ", "modified": "2016-12-22T05:25:55", "published": "2016-12-22T05:25:55", "id": "FEDORA:DBAA06051B2D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: tarantool-1.6.9.52-1.fc25", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9036", "CVE-2016-9037"], "description": "Tarantool is a high performance in-memory NoSQL database and Lua application server. Tarantool supports replication, online backup and stored procedures in Lua. This package provides the server daemon and admin tools. ", "modified": "2016-12-22T06:50:02", "published": "2016-12-22T06:50:02", "id": "FEDORA:6A10F60AA76F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: tarantool-1.6.9.52-1.fc24", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9036", "CVE-2016-9037"], "description": "MsgPack is a binary-based efficient object serialization library. It enables to exchange structured objects between many languages like JSON. But unlike JSON, it is very fast and small. msgpuck is very lightweight header-only library designed to be embedded to your application by the C/C++ compiler. The library is fully documented and covered by unit tests. 
", "modified": "2016-12-22T06:50:02", "published": "2016-12-22T06:50:02", "id": "FEDORA:75FFF60AA770", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: msgpuck-1.1.3-1.fc24", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:35:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9037", "CVE-2016-9036"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-23T00:00:00", "id": "OPENVAS:1361412562310872180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872180", "type": "openvas", "title": "Fedora Update for msgpuck FEDORA-2016-2d0c8ba781", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for msgpuck FEDORA-2016-2d0c8ba781\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872180\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-23 06:07:04 +0100 (Fri, 23 Dec 2016)\");\n script_cve_id(\"CVE-2016-9036\", \"CVE-2016-9037\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for msgpuck FEDORA-2016-2d0c8ba781\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'msgpuck'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"msgpuck on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-2d0c8ba781\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3NQT3WJV4ICH6SUZSTIZSB7ZT5FIWFKP\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"msgpuck\", rpm:\"msgpuck~1.1.3~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9037", "CVE-2016-9036"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-23T00:00:00", "id": "OPENVAS:1361412562310872181", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872181", "type": "openvas", "title": "Fedora Update for tarantool FEDORA-2016-badd014afe", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for tarantool FEDORA-2016-badd014afe\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872181\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-23 06:07:06 +0100 (Fri, 23 Dec 2016)\");\n script_cve_id(\"CVE-2016-9036\", \"CVE-2016-9037\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for tarantool FEDORA-2016-badd014afe\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'tarantool'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"tarantool on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-badd014afe\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D673YNFETHV55YZMZ4X3CB4EUFGWUN7V\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"tarantool\", rpm:\"tarantool~1.6.9.52~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9037", "CVE-2016-9036"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-23T00:00:00", "id": "OPENVAS:1361412562310872177", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872177", "type": "openvas", "title": "Fedora Update for msgpuck FEDORA-2016-badd014afe", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for msgpuck FEDORA-2016-badd014afe\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872177\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-23 06:07:00 +0100 (Fri, 23 Dec 2016)\");\n script_cve_id(\"CVE-2016-9036\", \"CVE-2016-9037\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for msgpuck FEDORA-2016-badd014afe\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'msgpuck'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"msgpuck on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-badd014afe\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A67E5PLTWJUXAG65HNSPG2PO32C72U4T\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"msgpuck\", rpm:\"msgpuck~1.1.3~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "nessus": [{"lastseen": "2021-01-12T10:14:44", "description": "Security fix for CVE-2016-9036, CVE-2016-9037\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-12-22T00:00:00", "title": "Fedora 24 : msgpuck / tarantool (2016-badd014afe)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9037", "CVE-2016-9036"], "modified": "2016-12-22T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:msgpuck", "cpe:/o:fedoraproject:fedora:24", "p-cpe:/a:fedoraproject:fedora:tarantool"], "id": "FEDORA_2016-BADD014AFE.NASL", "href": "https://www.tenable.com/plugins/nessus/96056", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-badd014afe.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96056);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9036\", \"CVE-2016-9037\");\n script_xref(name:\"FEDORA\", value:\"2016-badd014afe\");\n\n script_name(english:\"Fedora 24 : msgpuck / tarantool (2016-badd014afe)\");\n 
script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-9036, CVE-2016-9037\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-badd014afe\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected msgpuck and / or tarantool packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:msgpuck\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:tarantool\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"msgpuck-1.1.3-1.fc24\")) flag++;\nif (rpm_check(release:\"FC24\", reference:\"tarantool-1.6.9.52-1.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"msgpuck / tarantool\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-12T10:14:04", "description": "Security fix for CVE-2016-9036, CVE-2016-9037\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional 
issues.", "edition": 20, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-12-22T00:00:00", "title": "Fedora 25 : msgpuck / tarantool (2016-2d0c8ba781)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9037", "CVE-2016-9036"], "modified": "2016-12-22T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:msgpuck", "cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:tarantool"], "id": "FEDORA_2016-2D0C8BA781.NASL", "href": "https://www.tenable.com/plugins/nessus/96055", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-2d0c8ba781.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96055);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9036\", \"CVE-2016-9037\");\n script_xref(name:\"FEDORA\", value:\"2016-2d0c8ba781\");\n\n script_name(english:\"Fedora 25 : msgpuck / tarantool (2016-2d0c8ba781)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-9036, CVE-2016-9037\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-2d0c8ba781\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected msgpuck and / or tarantool 
packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:msgpuck\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:tarantool\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"msgpuck-1.1.3-1.fc25\")) flag++;\nif (rpm_check(release:\"FC25\", reference:\"tarantool-1.6.9.52-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"msgpuck / tarantool\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "talos": [{"lastseen": "2020-07-01T21:25:20", "bulletinFamily": "info", "cvelist": ["CVE-2016-9036"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0254\n\n## Tarantool Msgpuck mp_check Denial Of Service Vulnerability\n\n##### December 16, 2016\n\n##### CVE Number\n\nCVE-2016-9036\n\n### Summary\n\nAn exploitable incorrect return value vulnerability exists in the mp_check function of Tarantool\u2019s Msgpuck library 1.0.3. A specially crafted packet can cause the mp_check function to incorrectly return success when trying to check if decoding a map16 packet will read outside the bounds of a buffer, resulting in a denial of service vulnerability.\n\n### Tested Versions\n\nMsgpuck 1.0.3\n\n### Product URLs\n\n<https://github.com/tarantool/msgpuck/tree/1.0.3>\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-125: Out-of-bounds Read\n\n### Details\n\nThe Msgpuck library is used to encode and decode data that is serialized with the MsgPack (http://msgpack.org) format. 
This library was originally implemented to be the default library used for serialization and deserialization for the Tarantool Application Server, but is also distributed as an independent library to provide support for the MsgPack format to other C or C++ applications.\n\nWhen deserializing data that is encoded with the MsgPack format, the Msgpuck library provides a function named mp_check that\u2019s used to validate the Msgpack data before it is decoded. This function takes two arguments, one to the beginning of the MsgPack data and another to the end of the data which is used to determine if decoding the packet will read outside the bounds of the data. Note that mp_check returns 0 on success and a non-zero value (1) on failure, so the caller must test for a non-zero result; testing `!mp_check(...)` would invert the check and treat valid data as an error. An example of how this is intended to be used is as follows:\n \n \n // Validate\n char buf[1024];\n const char* b = buf;\n if (mp_check(&b, b + sizeof(buf)) != 0) // 0 == OK, non-zero == malformed\n return FAILURE;\n \n // Decode\n const char* r = buf;\n uint32_t count = mp_decode_map(&r);\n for (int i = 0; i < count; i++) {\n k = mp_decode_uint(&r);\n v = mp_decode_uint(&r);\n }\n ...\n \n\nFor optimization purposes, each of the Msgpuck functions are inlined. When calling mp_check, the following code will be executed. First the library will read a byte that determines the type. This type will then be used to determine how many more bytes are expected for the encoded type. When the type is a map16 type, the library will check to see if the sum of the current read position and the size of a uint16_t seeks past the end pointer. Due to a typo, however, the library will incorrectly return `false` (0), which is the function\u2019s success result rather than its failure result. One can see that the equivalent map32 check returns a constant `1` when that particular failure occurs. This means that if the 2 bytes determining the map16\u2019s length cause the sum to seek past the end pointer, the function will succeed. 
Later when the library tries to decode this data, the library will read outside the bounds of the source data buffer.\n \n \n msgpuck/msgpuck.h:1819\n \n MP_IMPL int\n mp_check(const char **data, const char *end)\n {\n int k;\n for (k = 1; k > 0; k--) {\n if (mp_unlikely(*data >= end))\n return 1;\n \n uint8_t c = mp_load_u8(data);\n int l = mp_parser_hint[c];\n if (mp_likely(l >= 0)) {\n *data += l;\n continue;\n } else if (mp_likely(l > MP_HINT)) {\n k -= l;\n continue;\n }\n \n uint32_t len;\n switch (l) {\n ...\n case MP_HINT_MAP_16:\n /* MP_MAP (16) */\n if (mp_unlikely(*data + sizeof(uint16_t) > end))\n return false; // XXX: Should return 1 on failure.\n k += 2 * mp_load_u16(data);\n break;\n case MP_HINT_MAP_32:\n /* MP_MAP (32) */\n if (mp_unlikely(*data + sizeof(uint32_t) > end))\n return 1;\n k += 2 * mp_load_u32(data);\n break;\n ...\n default:\n mp_unreachable();\n }\n }\n \n if (mp_unlikely(*data > end))\n return 1;\n \n return 0;\n }\n \n\n### Crash Information\n \n \n $ gdb --quiet --args ./poc-server.out 0.0.0.0:57005\n ...\n \n \n \n $ python poc 127.0.0.1:57005\n \n \n \n ...\n Catchpoint 4 (signal SIGSEGV), 0x0000000000402bdc in mp_load_u16 ()\n (gdb) x/i $pc\n => 0x402bdc <mp_load_u16+15>: movzwl (%rax),%eax\n (gdb) i r rax\n rax 0x7ffff7ff6fff 0x7ffff7ff6fff\n \n\n### Exploit Proof-of-Concept\n\nIn order to demonstrate the out-of-bounds read, a server that reads a MsgPack decoded map type is provided. This server allocates space for the source buffer followed by a guard-page to show the exact instruction that reads outside the allocated buffer. To compile this, simply copy the `poc-server.cc` file to the root of the Tarantool directory and type in the following. This will create a binary named `poc-server.out` which will run the MsgPack server. 
The arguments to this binary control which interface and port the server will bind to.\n \n \n $ g++ -Wall -Isrc/lib/msgpuck src/lib/msgpuck/msgpuck.c -std=c++11 -o poc-server.out poc-server.cc\n $ ./poc-server.out\n Usage: ./poc-server.out host:port\n $ ./poc-server.out 0.0.0.0:57005\n Listening on 0.0.0.0:57005\n ...\n \n\nOnce the server is running, the proof-of-concept can be executed against the server using python. This is done using a similar syntax. The proof-of-concept will send 5 packets. The first 3 packets that are sent will exercise the fixmap, map16, and map32 encoded types. The 4th packet will send a malformed map16 type. The 5th and last packet will trigger the vulnerability causing the out-of-bounds read.\n \n \n $ python poc host:port\n Sending a valid fixmap {1:1, 2:2, 3:3, 4:4, 5:5}\n Sending a valid map16 {1:1, 2:2, 3:3, 4:4, 5:5}\n Sending a valid map32 {1:1, 2:2, 3:3, 4:4, 5:5}\n Sending a invalid map16 {1:1, 2:2, 3:3, 4:4, 5:5}\n Sending a vulnerable map16 {1:1, 2:2, 3:3, 4:4, 5:5}\n \n\n### Timeline\n\n2016-12-14 - Vendor Disclosure \n2016-12-16 - Public Release\n\n##### Credit\n\nDiscovered by the Cisco Talos Team\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0260\n\nPrevious Report\n\nTALOS-2016-0255\n", "edition": 11, "modified": "2016-12-16T00:00:00", "published": "2016-12-16T00:00:00", "id": "TALOS-2016-0254", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0254", "title": "Tarantool Msgpuck mp_check Denial Of Service Vulnerability", "type": "talos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-01T21:25:18", "bulletinFamily": "info", "cvelist": ["CVE-2016-9037"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0255\n\n## Tarantool Key-type Denial Of Service Vulnerability\n\n##### December 16, 2016\n\n##### CVE Number\n\nCVE-2016-9037\n\n### Summary\n\nAn exploitable out-of-bounds array access vulnerability exists in the 
`xrow_header_decode` function of Tarantool 1.7.2.0-g8e92715. A specially crafted packet can cause the function to access an element outside the bounds of a global array that is used to determine the type of the specified key\u2019s value. This can lead to an out of bounds read within the context of the server. An attacker who exploits this vulnerability can cause a denial of service vulnerability on the server.\n\n### Tested Versions\n\nTarantool 1.7.2-0-g8e92715\n\n### Product URLs\n\n<https://github.com/tarantool/tarantool>\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-125: Out-of-bounds Read\n\n### Details\n\nTarantool is an open-source lua-based application server. While primarily functioning as an application server, it is also capable of providing database-like features and providing an in-memory database which can be queried using a protocol based around the MsgPack serialization format. Tarantool is used by various service providers such as Mail.RU, or Badoo.\n\nTarantool\u2019s protocol is based around the MsgPack serialization format. This protocol is used to encode specific request types which are then made against the server. Inside the header of this protocol is data encoded as a map type in which each key is represented by integers. Each of these integers are used to index into an array which is used to determine the type of the key that was specified.\n\nIn the following code, the server will first read the length out of the MsgPack encoded packet. After reading the length, the server will create a new instance of a message using the `iproto_msg_new` function. Afterwards, this object will be passed onto the `iproto_decode_msg` function.\n \n \n src/box/iproto.cc:601\n \n /** Enqueue all requests which were read up. 
*/\n static inline void\n iproto_enqueue_batch(struct iproto_connection *con, struct ibuf *in)\n {\n bool stop_input = false;\n while (con->parse_size && stop_input == false) {\n ...\n /* Read request length. */\n if (mp_typeof(*pos) != MP_UINT) {\n tnt_raise(ClientError, ER_INVALID_MSGPACK,\n \"packet length\");\n }\n if (mp_check_uint(pos, in->wpos) >= 0)\n break;\n uint32_t len = mp_decode_uint(&pos);\n const char *reqend = pos + len;\n ...\n struct iproto_msg *msg = iproto_msg_new(con);\n ...\n msg->len = reqend - reqstart; /* total request length */\n \n try {\n iproto_decode_msg(msg, &pos, reqend, &stop_input);\n cpipe_push_input(&tx_pipe, guard.release());\n } catch (Exception *e) {\n ...\n }\n ...\n }\n ...\n }\n \n\nAt the very beginning of the `iproto_decode_msg` function, the server will call a wrapper named `xrow_header_decode_xc`. This wrapper will simply chain into the `xrow_header_decode` function.\n \n \n src/box/iproto.cc:601\n \n static void\n iproto_decode_msg(struct iproto_msg *msg, const char **pos, const char *reqend,\n bool *stop_input)\n {\n xrow_header_decode_xc(&msg->header, pos, reqend); // XXX: Call xrow_header_decode_xc wrapper\n assert(*pos == reqend);\n request_create(&msg->request, msg->header.type);\n msg->request.header = &msg->header;\n \n ...\n }\n \n \n src/box/xrow.h:152\n \n static inline void\n xrow_header_decode_xc(struct xrow_header *header, const char **pos,\n const char *end)\n {\n if (xrow_header_decode(header, pos, end) < 0) // XXX: Continue onto xrow_header_decode\n diag_raise();\n }\n \n\nWhen inside the `xrow_header_decode` function, the server will first check to see if the MsgPack encoded data is not malformed in anyway. Once this is performed, the next part of the packet will be checked to see if it is of the MP_MAP type. Afterwards, the server will enter a loop which will iterate over the number of values that are stored within the map type. 
For each entry within the map type, the server will decode a key from the map and then use it as an index into a global array named `iproto_key_type`. This array contains 0x31 elements. If one of the encoded keys is an integer larger than the largest valid index into this array, then the server will access an element outside the bounds of said array. Note that the decoded key is stored in an `unsigned char`, so the resulting index is at most 255 regardless of how wide the encoded integer is.\n \n \n src/box/xrow.cc:46\n \n int\n xrow_header_decode(struct xrow_header *header, const char **pos,\n const char *end)\n {\n memset(header, 0, sizeof(struct xrow_header));\n const char *tmp = *pos;\n if (mp_check(&tmp, end) != 0) {\n error:\n diag_set(ClientError, ER_INVALID_MSGPACK, \"packet header\");\n return -1;\n }\n \n if (mp_typeof(**pos) != MP_MAP)\n goto error;\n \n uint32_t size = mp_decode_map(pos);\n for (uint32_t i = 0; i < size; i++) {\n if (mp_typeof(**pos) != MP_UINT)\n goto error;\n unsigned char key = mp_decode_uint(pos); // XXX: Read integer from packet\n if (iproto_key_type[key] != mp_typeof(**pos)) // XXX: Use integer as element for array\n goto error;\n ...\n }\n ...\n }\n \n\n### Crash Information\n \n \n $ ASAN_OPTIONS=halt_on_error=0 /usr/local/bin/tarantool\n /usr/local/bin/tarantool: version 1.7.2-0-g8e92715\n type 'help' for interactive help\n tarantool> box.cfg{listen=57005}\n 2016-11-27 01:23:41.848 [61276] main/101/interactive C> version 1.7.2-0-g8e92715\n 2016-11-27 01:23:41.848 [61276] main/101/interactive C> log level 5\n 2016-11-27 01:23:41.848 [61276] main/101/interactive I> mapping 1073741824 bytes for tuple arena...\n 2016-11-27 01:23:41.990 [62486] iproto/102/iproto I> binary: started\n 2016-11-27 01:23:41.991 [62486] iproto/102/iproto I> binary: bound to 0.0.0.0:57005\n 2016-11-27 01:23:42.261 [62486] main/101/interactive I> initializing an empty data directory\n 2016-11-27 01:23:42.314 [62595] snapshot/101/main I> creating `./00000000000000000000.snap.inprogress'\n 2016-11-27 01:23:42.315 [62595] snapshot/101/main I> saving snapshot `./00000000000000000000.snap.inprogress'\n 2016-11-27 
01:23:42.507 [62595] snapshot/101/main I> done\n 2016-11-27 01:23:42.697 [61276] main/101/interactive I> ready to accept requests\n ---\n ...\n \n tarantool> =================================================================\n ==61276==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001192b72 at pc 0x4e522a bp 0x7f091c8f1fd0 sp 0x7f091c8f1fc8\n READ of size 1 at 0x000001192b72 thread T1 (iproto)\n #0 0x4e5229 in xrow_header_decode(xrow_header*, char const**, char const*) /user/tarantool/src/box/xrow.cc:65\n #1 0x4ca63a in iproto_enqueue_batch(iproto_connection*, ibuf*) /user/tarantool/src/box/iproto.cc:515\n #2 0x4c3ac3 in iproto_connection_on_input(ev_loop*, ev_io*, int) /user/tarantool/src/box/iproto.cc:635\n #3 0x113dd6e in ev_invoke_pending /user/tarantool/third_party/libev/ev.c:3176\n #4 0x114071b in ev_run /user/tarantool/third_party/libev/ev.c:3576\n #5 0xbc09af in cord_costart_thread_func /user/tarantool/src/fiber.c:1004\n #6 0xbbafcf in cord_thread_func /user/tarantool/src/fiber.c:810\n #7 0x7f09207dddc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)\n #8 0x7f091fceacec in __clone (/lib64/libc.so.6+0xf6cec)\n \n 0x000001192b72 is located 46 bytes to the left of global variable '.str' from '/user/tarantool/src/box/iproto_constants.c' (0x1192ba0) of size 7\n '.str' is ascii string 'SELECT'\n 0x000001192b72 is located 0 bytes to the right of global variable 'iproto_key_type' from '/user/tarantool/src/box/iproto_constants.c' (0x1192b40) of size 50\n SUMMARY: AddressSanitizer: global-buffer-overflow /user/tarantool/src/box/xrow.cc:65 xrow_header_decode(xrow_header*, char const**, char const*)\n Shadow bytes around the buggy address:\n 0x00008022a510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x00008022a520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x00008022a530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x00008022a540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x00008022a550: 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00\n =>0x00008022a560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[02]f9\n 0x00008022a570: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9\n 0x00008022a580: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9\n 0x00008022a590: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9\n 0x00008022a5a0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9\n 0x00008022a5b0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00\n Shadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07\n Heap left redzone: fa\n Heap right redzone: fb\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack partial redzone: f4\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n ASan internal: fe\n Thread T1 (iproto) created by T0 here:\n #0 0x47d542 in pthread_create (/usr/local/bin/tarantool+0x47d542)\n \n ==61276==ABORTING\n \n\n### Exploit Proof-of-Concept\n\nWhen first running the Tarantool application server, start a server by typing the following at the Tarantool prompt. This will start a server bound to TCP port 57005.\n \n \n tarantool> box.cfg {listen=57005}\n \n\nTo run the provided proof-of-concept, simply run it with python as;\n \n \n $ python poc host:port\n \n\nWhen connecting to port 57005 on the server, Tarantool will first send a 128 byte greeting that has the following format:\n \n \n <class greeting>\n [0] <instance pstr.string<char_t>[64] 'tarantool'> u'Tarantool 1.7.2 (Binary) 84ed9e83-f99c-478a-8357-02edb833e091 \\n'\n [40] <instance pstr.string<char_t>[44] 'salt'> u'UT4DBDrpVTD9h0bl7utdZvAA79Go5EOKLV/F8P4yyJ0='\n [6c] <instance pstr.string<char_t>[20] 'null'> u' \\n'\n \n\nAfter receiving this packet, one can then send the MsgPack encoded message that triggers the vulnerability. 
The MsgPack format is capable of encoding various atomic types such as integers, booleans, and strings as well as different container types such as arrays or map (key/value) types. When encoding a type, the first byte will dictate the type+size followed by the data representing the value. The first byte is a binary structure that determines the size of the type. For integral types, this structure may be one of the following. If the type is positive-fixint, then the bottom 7 bits represent the integer value. If the type is negative-fixint, then the bottom 5 bits represent the integer value.\n \n \n positive-fixint(7b) negative-fixint(5b) type-enumeration(5b)\n 0xxxxxxx 111xxxxx 110xxxxx\n \n\nIf the integer type is larger than 7 bits, then the following enumerations will occupy the bottom 5 bits. Depending on the enumeration type, the next number of bytes will contain the integer encoded in big-endian form.\n \n \n uint8 uint16 uint32 uint64\n xxx01100 xxx01101 xxx01110 xxx01111\n \n \n \n sint8 sint16 sint32 sint64\n xxx10000 xxx10001 xxx10010 xxx10011\n \n\nIf a container type such as a mapping-type is being specified, then it will have one of the following formats. If it\u2019s of a mapfix-type, then the bottom 4 bits represent the number of key/value pairs that follow. If a map16 or map32 is specified, then the first 3 bits will represent the type enumeration (110), and then the next 5 bits will represent one of the following enumerations. Immediately following the map16 or map32 byte will then be either a uint16 or uint32 (respectively) that is encoded in big-endian form. Each of these container types will then be followed with a number of MsgPack encoded values. This number specifies the number of pairs (key/value) that compose the mapping type.\n \n \n mapfix map16 map32\n 1000xxxx xxx11110 xxx11111\n \n\nTarantool\u2019s protocol first begins with a MsgPack encoded integer which dictates the number of bytes that compose the header and body that follow. 
This integer can be encoded within any of the previously defined integral types. Within the provided proof-of-concept, the size has the following format:\n \n \n <class mp.packet> 'size'\n [0] <instance mp.t_packet 'type'> {bits=8} mp.d_uint32 (0xce, 8)\n [1] <instance mp.d_uint32 'data'> {Value=+0x00000004 (4)}\n \n\nImmediately following the size are two MsgPack encoded mapping types. Within Tarantool\u2019s protocol, the mapping type will contain pairs of key/values where the keys are MsgPack encoded integer types, and the map itself can be any one of the previously defined types (mapfix, map16, map32). Within the provided proof-of-concept, the header will look like the following map:\n \n \n <class mp.packet> 'header'\n [5] <instance mp.t_packet 'type'> {bits=8} mp.d_fixmap (0x81, 8)\n [6] <instance mp.d_fixmap 'data'> \"\\x32\\xcc\\x00\"\n \n\nThe data of this type contains a list of pairs. If the key of any one of these pairs is larger than the length of the iproto_key_type global variable (0x31), then this vulnerability is triggered.\n \n \n <class mp.d_fixmap> 'data'\n [6] <instance mp.PackedIntegerHolder 'Length'> {ZeroSizedFixType=1} 1 (+0x1)\n [6] <instance dynamic.array(mp.packet,2) 'Value'> mp.packet[2] \"\\x32\\xcc\\x00\"\n \n\nIn the provided proof-of-concept, this key is set to a positive-fixint of 0x32. 
It is prudent to note that the type can be any one of the aforementioned integer types (positive-fixint, negative-fixint, uint8, uint16, uint32, uint64, sint8, sint16, sint32, sint64).\n \n \n Key:\n \n <class mp.packet> '0'\n [6] <instance mp.t_packet 'type'> {bits=8} mp.d_positive_fixint (0x32, 8)\n [7] <instance mp.d_positive_fixint 'data'> {Value=50 (+0x32)} // XXX: Must be out-of-bounds of the iproto_key_type array.\n \n \n Value:\n \n <class mp.packet> '1'\n [7] <instance mp.t_packet 'type'> {bits=8} mp.d_uint8 (0xcc, 8)\n [8] <instance mp.d_uint8 'data'> {Value=+0x00 (0)}\n \n\n### Timeline\n\n2016-12-14 - Vendor Disclosure \n2016-12-16 - Public Release\n\n##### Credit\n\nDiscovered by the Cisco Talos Team\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0254\n\nPrevious Report\n\nTALOS-2016-0257\n", "edition": 10, "modified": "2016-12-16T00:00:00", "published": "2016-12-16T00:00:00", "id": "TALOS-2016-0255", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0255", "title": "Tarantool Key-type Denial Of Service Vulnerability", "type": "talos", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}