Lighttpd FastCGI Remote Vulnerability

2007.09.14
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

FastCGI header overrun in mod_fastcgi
=======================================

Description
-------------

Lighttpd is prone to a header overflow when using the mod_fastcgi extension; this can lead to arbitrary code execution in the FastCGI application.

For a detailed description of the bug see the external reference.

This bug was found by Mattias Bengtsson <mattias@secweb.se> and Philip Olausson <po@secweb.se>.

External reference: http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/

Affected versions
-------------------

All previous versions.

Solutions or Workaround
-------------------------

Upgrade to 1.4.18 or apply lighttpd-1.4.x_mod_fastcgi_overrun.patch

This bug is tracked as CVE-2007-4727.

----

More details
-------------

Issue:

Lighttpd is prone to a header overflow when using the mod_fastcgi extension; this can lead to arbitrary code execution in the FastCGI application.

Description:

Lighttpd (pronounced "lighty") is a web server which is designed to be secure, fast, standards-compliant, and flexible while being optimized for speed-critical environments.

Details:

    fcgi_env_add_request_headers(srv, con, p);
    fcgi_header(&(header), FCGI_PARAMS, request_id, p->fcgi_env->used, 0);
    buffer_append_memory(b, (const char *)&header, sizeof(header));
    buffer_append_memory(b, (const char *)p->fcgi_env->ptr, p->fcgi_env->used);

The above code reads all headers sent by the client and constructs the FastCGI header, which is then sent to PHP. The code does not check whether contentLength is more than 0xffff, and is therefore prone to an overrun.

    static int fcgi_header(FCGI_Header * header, unsigned char type, size_t request_id, int contentLength, unsigned char paddingLength) {
        ...
        header->contentLengthB0 = contentLength & 0xff;
        header->contentLengthB1 = (contentLength >> 8) & 0xff;
        ...

Because more data remains to be sent after the truncated length, and PHP does not care how many packets it gets, it is possible to take control of the next packet header and add or replace headers in PHP, for example SCRIPT_FILENAME, which we will be using in the example exploit.

Proof Of Concepts:

Since 1.4.17 it is no longer possible to use any character less than 0x20 as a value in a header, which makes exploitation of the vulnerability a little more complicated, but still possible. Because of the high risk of this vulnerability we have chosen not to release an exploit for 1.4.17, but instead a fully working exploit for <= 1.4.16 and PHP 5.2.X.

Lighttpd FastCGI Remote Vulnerability Exploit

Example:

    # ./exploit localhost 80 /etc/passwd

or

    # wget --referer="<?php system('/usr/bin/id'); ?>" localhost
    # ./exploit localhost 80 /var/log/lighttpd/access.log

Interested in an exploit for 1.4.17? Please contact us!

Impact:

The impact for this issue should be considered VERY HIGH!

Solution:

Upgrade to lighttpd 1.4.18

---------------- END ---------------
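Added example (not part of the original advisory and not lighttpd's own code): the 16-bit truncation described under Details, next to a checked header writer and a sender that splits oversized FCGI_PARAMS data into several records so that each declared length matches the bytes that follow it. The function names, FCGI_MAX_LEN and the header layout as written here are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

#define FCGI_PARAMS  4
#define FCGI_MAX_LEN 0xffff  /* largest value the 16-bit contentLength holds */

typedef struct {             /* 8-byte FastCGI record header */
    uint8_t version, type, requestIdB1, requestIdB0;
    uint8_t contentLengthB1, contentLengthB0, paddingLength, reserved;
} FCGI_Header;

/* Length the receiving FastCGI application reads back from the header. */
size_t declared_len(const FCGI_Header *h) {
    return ((size_t)h->contentLengthB1 << 8) | h->contentLengthB0;
}

/* Same masking as the advisory's excerpt: bits above 16 are silently lost. */
void header_unchecked(FCGI_Header *h, size_t id, size_t len) {
    memset(h, 0, sizeof(*h));
    h->version = 1; h->type = FCGI_PARAMS;
    h->requestIdB1 = (id >> 8) & 0xff;      h->requestIdB0 = id & 0xff;
    h->contentLengthB1 = (len >> 8) & 0xff; h->contentLengthB0 = len & 0xff;
}

/* Checked variant: refuses a length the header cannot represent. */
int header_checked(FCGI_Header *h, size_t id, size_t len) {
    if (len > FCGI_MAX_LEN) return -1;
    header_unchecked(h, id, len);
    return 0;
}

/* Emit params as records of at most FCGI_MAX_LEN bytes each.
 * Returns bytes written to `out`, or 0 if `out` is too small. */
size_t emit_params(uint8_t *out, size_t cap, size_t id,
                   const uint8_t *data, size_t len) {
    size_t off = 0;
    while (len > 0) {
        size_t chunk = len > FCGI_MAX_LEN ? FCGI_MAX_LEN : len;
        FCGI_Header h;
        if (cap - off < sizeof(h) + chunk) return 0;
        if (header_checked(&h, id, chunk) != 0) return 0;
        memcpy(out + off, &h, sizeof(h));
        memcpy(out + off + sizeof(h), data, chunk);
        off += sizeof(h) + chunk;
        data += chunk; len -= chunk;
    }
    return off;
}
```

With a constructed length of 0x10010 the unchecked writer declares 0x10 bytes, which is the desynchronisation the advisory describes; the checked writer rejects that length, and the splitting sender emits two records of 0xffff and 0x11 bytes.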



Copyright 2024, cxsecurity.com

 
