lighttpd multiple issues (setuid unchecked; FAM read after free)

2013-11-13 / 2013-11-22
Credit: Stefan Bühler
Risk: Medium
Local: No
Remote: Yes

I'd like to request CVE ids for the following issues in lighttpd:

1. setuid/setgid/setgroups return values are not checked
   If setuid() fails for any reason (RLIMIT_NPROC) lighttpd runs as root.
   http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt

2. If FAMMonitorDirectory fails, lighttpd reads a value from already free()d memory.
   http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt

Both issues were found with clang static analyzer, so I assume the bad guys already know these.

regards,
Stefan

commit d22f4164a9e26c252e1874a29ba658eec85a3ddc
Author: Stefan Bühler <stbuehler@web.de>
Date:   Sun Nov 10 19:00:08 2013 +0100

    [core] check success of setuid,setgid,setgroups

diff --git a/src/server.c b/src/server.c index 2d825bb..e2b42eb 100644 --- a/src/server.c +++ b/src/server.c @@ -820,8 +820,14 @@ int main (int argc, char **argv) { * to /etc/group * */ if (NULL != grp) { - setgid(grp->gr_gid); - setgroups(0, NULL); + if (-1 == setgid(grp->gr_gid)) { + log_error_write(srv, __FILE__, __LINE__, "ss", "setgid failed: ", strerror(errno)); + return -1; + } + if (-1 == setgroups(0, NULL)) { + log_error_write(srv, __FILE__, __LINE__, "ss", "setgroups failed: ", strerror(errno)); + return -1; + } if (srv->srvconf.username->used) { initgroups(srv->srvconf.username->ptr, grp->gr_gid); } @@ -844,7 +850,10 @@ int main (int argc, char **argv) { #ifdef HAVE_PWD_H /* drop root privs */ if (NULL != pwd) { - setuid(pwd->pw_uid); + if (-1 == setuid(pwd->pw_uid)) { + log_error_write(srv, __FILE__, __LINE__, "ss", "setuid failed: ", strerror(errno)); + return -1; + } } #endif #if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)
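Review bot: in the first hunk (@@ -820,8 +820,14 @@) the initgroups() call that follows the new setgid/setgroups checks is still unchecked; it runs inside the same `if (NULL != grp)` block, so a failure there is the one identity-changing call in this region that is still silently ignored. Since setgroups(0, NULL) has already cleared the supplementary list by that point, a failed initgroups() leaves the process with no supplementary groups rather than extra ones, which is fail-safe, but for consistency with the surrounding checks it should get the same treatment: `if (-1 == initgroups(srv->srvconf.username->ptr, grp->gr_gid)) { log_error_write(srv, __FILE__, __LINE__, "ss", "initgroups failed: ", strerror(errno)); return -1; }`.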
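Review bot: in the second hunk (@@ -844,7 +850,10 @@) the new `if (-1 == setuid(pwd->pw_uid))` check covers the advisory's case (setuid() returning -1, e.g. under RLIMIT_NPROC) and correctly refuses to continue as root, but it still trusts a zero return. A cheap follow-up assertion after the successful call, such as checking that getuid() and geteuid() both equal pwd->pw_uid and that the drop is not reversible, would catch the remaining way this block can "succeed" without actually leaving root and would make the log line here the only place a bad drop can be reported.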
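The advisory's first issue is the general pattern of calling setuid()/setgid()/setgroups() and ignoring the result. The following is an added example, written for this page and not taken from lighttpd, of a privilege-drop routine that performs the same steps as the patched server.c, checks every return value, and then verifies the outcome so that a call which fails (the RLIMIT_NPROC case named above) or which returns without fully changing identity cannot leave the process running as root. The function name `drop_privileges` and the `why` out-parameter are assumptions of this example; it assumes the caller starts as root for the setgroups() step and skips that step otherwise so the example also runs unprivileged.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Checked privilege drop (example code, not lighttpd's own).
 * Returns 0 on success, -1 on failure with errno set and, if `why` is
 * non-NULL, the name of the step that failed stored in *why.
 */
int drop_privileges(uid_t uid, gid_t gid, const char **why)
{
    const char *reason = NULL;
    int saved_errno;

    /* Clearing supplementary groups needs root (CAP_SETGID); skip it otherwise
       so the example can also be exercised from an unprivileged process. */
    if (geteuid() == 0 && setgroups(0, NULL) == -1) {
        reason = "setgroups";
        goto fail;
    }
    /* gid before uid: once the uid is non-root, changing gid is denied. */
    if (setgid(gid) == -1) {
        reason = "setgid";
        goto fail;
    }
    /* This is the call the advisory is about: under RLIMIT_NPROC it can
       fail, and an unchecked failure leaves the process as root. */
    if (setuid(uid) == -1) {
        reason = "setuid";
        goto fail;
    }
    /* Do not trust the zero return alone: verify all ids really changed... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        reason = "id mismatch after drop";
        goto fail;
    }
    /* ...and that root cannot be regained (saved uid was dropped as well). */
    if (uid != 0) {
        saved_errno = errno;
        if (setuid(0) != -1) {
            errno = EPERM;
            reason = "root regained after drop";
            goto fail;
        }
        errno = saved_errno;
    }
    if (why) *why = NULL;
    return 0;

fail:
    if (why) *why = reason;
    return -1;
}

int main(int argc, char **argv)
{
    /* Stand-alone demo: target ids from argv, defaulting to our own ids so it
       runs without privileges. Refuse to continue if the drop is not verified. */
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();
    const char *why = NULL;

    if (drop_privileges(uid, gid, &why) == -1) {
        fprintf(stderr, "privilege drop failed at %s: %s; refusing to continue\n",
                why, strerror(errno));
        return 1;
    }
    printf("now running as uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The ordering matters: setgroups() and setgid() are done while still root, setuid() last, and the post-drop checks make a "successful" call that did not change every id (or left the saved uid at 0) into a hard error rather than a silent continuation as root.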

References:

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
http://download.lighttpd.net/lighttpd/security/
http://seclists.org/oss-sec/2013/q4/263


Copyright 2021, cxsecurity.com