Posted to bugs@httpd.apache.org by bu...@apache.org on 2017/09/08 16:26:19 UTC
[Bug 61511] New: htdigest: one byte stack buffer overflow on malformed input file
https://bz.apache.org/bugzilla/show_bug.cgi?id=61511
Bug ID: 61511
Summary: htdigest: one byte stack buffer overflow on malformed input file
Product: Apache httpd-2
Version: 2.4.27
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: support
Assignee: bugs@httpd.apache.org
Reporter: hanno@hboeck.de
Target Milestone: ---
Created attachment 35313
--> https://bz.apache.org/bugzilla/attachment.cgi?id=35313&action=edit
poc file
The htdigest tool has a stack buffer overflow bug if you pass it an input file
with a long line. I'll attach a sample file (it simply consists of 766 times
"a").
Usually I'd report this as a security vulnerability, but as it only affects a
rarely used command line tool I thought I could skip that. This bug was found
with afl.
When compiling with address sanitizer and passing that file (and any
realm/username) it will show the stack overflow:
==4285==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffe5aa62f70 at pc 0x000000509cb6 bp 0x7ffe5aa623f0 sp 0x7ffe5aa623e8
WRITE of size 1 at 0x7ffe5aa62f70 thread T0
#0 0x509cb5 in getword /f/apache/httpd-2.4.27/support/htdigest.c:83:17
#1 0x509cb5 in main /f/apache/httpd-2.4.27/support/htdigest.c:264
#2 0x7ff1e92cc520 in __libc_start_main
/var/tmp/portage/sys-libs/glibc-2.25-r4/work/glibc-2.25/csu/../csu/libc-start.c:295
#3 0x419fa9 in _start (/r/apache/htdigest+0x419fa9)
Address 0x7ffe5aa62f70 is located in stack of thread T0 at offset 2928 in frame
#0 0x5087af in main /f/apache/httpd-2.4.27/support/htdigest.c:187
This frame has 13 object(s):
[32, 33) 'ch.i'
[48, 52) 'argc.addr'
[64, 72) 'argv.addr'
[96, 104) 'f'
[128, 132) 'rv'
[144, 164) 'tn'
[208, 216) 'dirname'
[240, 496) 'user'
[560, 816) 'realm'
[880, 1648) 'line'
[1776, 2544) 'l'
[2672, 2928) 'w' <== Memory access at offset 2928 overflows this variable
[2992, 3248) 'x'
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 61511] htdigest: one byte stack buffer overflow on malformed
input file
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61511
--- Comment #6 from Luca Toscano <to...@gmail.com> ---
I added a new patch that is probably better, since the problem is getword() and
the MAX_STRING_LEN applies to it (so anything split by a ':'), not to the total
line length (that can be up to 3 * MAX_STRING_LEN).
The attached patch should emit an error and avoid the overflow. Still didn't
find a ton of time to test it, will do it in the following days.
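The per-field bound that the report's ASan trace and comment #6 point to, as an added example that is not the htdigest.c code from the thread or the attached patch: a getword() variant that takes its destination size and refuses a field that would not fit, plus a three-field user:realm:hash parser built on it. MAX_STRING_LEN is the value the thread's messages quote; getword_bounded, parse_digest_line, struct digest_entry, the demo_* functions and their sample inputs are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Per-field buffer size: the ASan frame in the report shows 'w' as a 256-byte
 * object, and the thread's error messages quote 256 / 255 as the limit. */
#define MAX_STRING_LEN 256

/* Copy the field of `line` that ends at `stop` (or at the NUL) into `word`,
 * which holds `wordsz` bytes. Returns the index of the stop character in
 * `line`, or -1 when the field plus its NUL would not fit. A copy loop without
 * this test writes the NUL one byte past the buffer when the field is exactly
 * wordsz characters long, which is the overflow the thread describes
 * (255 'a' followed by '\n', read as a single field). Assumed helper. */
static int getword_bounded(char *word, size_t wordsz, const char *line, char stop)
{
    size_t x = 0;
    while (line[x] != '\0' && line[x] != stop) {
        if (x >= wordsz - 1)    /* word[x] is the last slot; the NUL would overflow */
            return -1;
        word[x] = line[x];
        x++;
    }
    word[x] = '\0';
    return (int)x;
}

/* One user:realm:hash entry; each field has its own bounded buffer (assumed layout). */
struct digest_entry {
    char user[MAX_STRING_LEN];
    char realm[MAX_STRING_LEN];
    char hash[MAX_STRING_LEN];
};

/* Parse "user:realm:hash\n". Returns 0, or -1 if any single field is too long.
 * The whole line may legitimately approach 3 * MAX_STRING_LEN, so the limit
 * is enforced per field rather than on strlen(line). Assumed helper. */
static int parse_digest_line(const char *line, struct digest_entry *e)
{
    const char *p = line;
    int n;
    if ((n = getword_bounded(e->user, sizeof e->user, p, ':')) < 0)
        return -1;
    p += n;
    if (*p == ':')
        p++;
    if ((n = getword_bounded(e->realm, sizeof e->realm, p, ':')) < 0)
        return -1;
    p += n;
    if (*p == ':')
        p++;
    return getword_bounded(e->hash, sizeof e->hash, p, '\n') < 0 ? -1 : 0;
}

static char sample[4 * MAX_STRING_LEN];   /* constructed input, not the attached poc files */

/* Shape of the "smaller poc": MAX_STRING_LEN - 1 'a' then '\n', i.e. one field
 * of exactly MAX_STRING_LEN characters. Expected result: -1 (rejected). */
static int demo_overlong_single_field(void)
{
    struct digest_entry e;
    memset(sample, 'a', MAX_STRING_LEN - 1);
    sample[MAX_STRING_LEN - 1] = '\n';
    sample[MAX_STRING_LEN] = '\0';
    return parse_digest_line(sample, &e);
}

/* A field of MAX_STRING_LEN - 1 characters still fits. Expected result: 0. */
static int demo_max_field_fits(void)
{
    struct digest_entry e;
    memset(sample, 'a', MAX_STRING_LEN - 1);
    strcpy(sample + MAX_STRING_LEN - 1, ":r:h\n");
    return parse_digest_line(sample, &e);
}

/* Three 200-character fields: each is under the limit, but the line is 603
 * characters, so a whole-line strlen() check would reject a valid entry.
 * Expected result: 0, with every field copied intact. */
static int demo_long_but_valid_line(void)
{
    struct digest_entry e;
    char *p = sample;
    memset(p, 'u', 200); p += 200; *p++ = ':';
    memset(p, 'r', 200); p += 200; *p++ = ':';
    memset(p, 'h', 200); p += 200; *p++ = '\n';
    *p = '\0';
    if (strlen(sample) <= MAX_STRING_LEN)
        return -2;                          /* sanity: the line really is long */
    if (parse_digest_line(sample, &e) != 0)
        return -1;
    return (strlen(e.user) == 200 && strlen(e.realm) == 200 &&
            strlen(e.hash) == 200) ? 0 : -3;
}

int main(void)
{
    printf("overlong single field: %s\n", demo_overlong_single_field() < 0 ? "rejected" : "accepted");
    printf("255-char field:        %s\n", demo_max_field_fits() == 0 ? "accepted" : "rejected");
    printf("long but valid line:   %s\n", demo_long_but_valid_line() == 0 ? "accepted" : "rejected");
    return 0;
}
```

The `>=` boundary in getword_bounded is the one discussed in comments #3 and #4: a field of exactly MAX_STRING_LEN characters needs MAX_STRING_LEN + 1 bytes once the terminating NUL is counted, so the longest field that fits is MAX_STRING_LEN - 1 characters, which is the number the fixed build prints in comment #7.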
--- Comment #4 from hanno@hboeck.de ---
(In reply to Luca Toscano from comment #3)
> if (strlen(line) >= MAX_STRING_LEN) should probably be if (strlen(line) >
> MAX_STRING_LEN).
No, it needs to be >=, else the smaller poc will still trigger an overflow (I
assume it needs to consider a trailing null pointer). Probably it should be
MAX_STRING_LEN-1 in the error message.
--- Comment #5 from Luca Toscano <to...@gmail.com> ---
Created attachment 35315
--> https://bz.apache.org/bugzilla/attachment.cgi?id=35315&action=edit
htdigest patch
Christophe JAILLET <ch...@wanadoo.fr> changed:
Status: NEW -> RESOLVED
Resolution: --- -> FIXED
--- Comment #2 from Luca Toscano <to...@gmail.com> ---
Hi Hanno,
thanks a lot for the report. The following patch seems to work for me:
./support/htdigest poc try elukey
The following line is longer than the maximum allowed (256):
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
I am not familiar with the htdigest.c code so I'll need to take a deeper look.
Will wait for other people's comments too :)
Luca
Patch:
Index: support/htdigest.c
===================================================================
--- support/htdigest.c (revision 1807869)
+++ support/htdigest.c (working copy)
@@ -256,6 +256,11 @@
found = 0;
while (!(get_line(line, sizeof(line), f))) {
+ if (strlen(line) >= MAX_STRING_LEN) {
+ apr_file_printf(errfile, "The following line is longer than the "
+ "maximum allowed (%i): %s",
MAX_STRING_LEN, line);
+ cleanup_tempfile_and_exit(1);
+ }
if (found || (line[0] == '#') || (!line[0])) {
putline(tfp, line);
continue;
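Review bot: the bound is applied to the wrong quantity. The ASan frame in the report places the one-byte write just past the 256-byte `w` object inside getword(), which copies a single ':'-delimited field, so MAX_STRING_LEN limits each field rather than the whole line; a valid user:realm:hash entry whose three fields are each under the limit can be close to 3 * MAX_STRING_LEN characters long, and `if (strlen(line) >= MAX_STRING_LEN) {` in this hunk would refuse it with an error. Move the check into getword() (or pass it the destination size) and keep `>=` there, since a field of exactly MAX_STRING_LEN characters plus its terminating NUL is the overflow the smaller poc (255 chars and a newline) triggers. Also, the continuation line `MAX_STRING_LEN, line);` is missing its leading `+`, so the hunk as posted will not apply cleanly.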
--- Comment #12 from Luca Toscano <to...@gmail.com> ---
Change backported to 2.4.x with http://svn.apache.org/r1808853, will be part of
the new release (2.4.28).
--- Comment #10 from hanno@hboeck.de ---
(In reply to Luca Toscano from comment #9)
> I am not seeing anything related to htdigest in
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862, where did you
> find the mention of the CVE?
Sorry, that was incorrect.
I got confused by this bug report:
https://bugs.mageia.org/show_bug.cgi?id=10097
It references both the CVE and this bug, but it seems they are unrelated and
this bug report just discusses fixes for multiple unrelated security bugs.
--- Comment #8 from hanno@hboeck.de ---
I just noted there's already been a patch for an issue that sounds very
similar:
https://svn.apache.org/viewvc?view=revision&revision=1475878
Even got a CVE: CVE-2013-1862
(I strongly suggest adding some of the poc files as test cases in order to
avoid the same bug type reappearing in the future)
--- Comment #3 from Luca Toscano <to...@gmail.com> ---
if (strlen(line) >= MAX_STRING_LEN) should probably be if (strlen(line) >
MAX_STRING_LEN).
--- Comment #9 from Luca Toscano <to...@gmail.com> ---
(In reply to hanno from comment #8)
> I just noted there's already been a patch for an issue that sounds very
> similar:
> https://svn.apache.org/viewvc?view=revision&revision=1475878
Yep, different function (getline).
> Even got a CVE: CVE-2013-1862
I am not seeing anything related to htdigest in
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862, where did you
find the mention of the CVE?
> (I strongly suggest to add some of the poc files as test cases in order to
> avoid future reappearing of the same bug type)
Makes sense, will try to see what I can do in the testing framework.
--- Comment #1 from hanno@hboeck.de ---
Created attachment 35314
--> https://bz.apache.org/bugzilla/attachment.cgi?id=35314&action=edit
smaller poc
Alternative poc: 255 chars "a" and a newline
--- Comment #11 from Luca Toscano <to...@gmail.com> ---
Proposed the fix in http://svn.apache.org/r1808008 (trunk), waiting for the
review of other members of the httpd dev community.
--- Comment #7 from Luca Toscano <to...@gmail.com> ---
Re-compiled trunk with -fsanitize=address and no overflow is registered:
$ ./support/htdigest poc try elukey
The following line contains a string longer than the allowed maximum size
(255):
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
$ ./support/htdigest smallerpoc try elukey
The following line contains a string longer than the allowed maximum size
(255):
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa