Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 1 | Upstream-Status: Backport |
| 2 | CVE: CVE-2022-22707 |
| 3 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 4 | |
| 5 | From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001 |
| 6 | From: povcfe <povcfe@qq.com> |
| 7 | Date: Wed, 5 Jan 2022 11:11:09 +0000 |
| 8 | Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134) |
| 9 | |
| 10 | (thx povcfe) |
| 11 | |
| 12 | (edited: gstrauss) |
| 13 | |
| 14 | There is a potential remote denial of service in lighttpd mod_extforward |
| 15 | under specific, non-default and uncommon 32-bit lighttpd mod_extforward |
| 16 | configurations. |
| 17 | |
| 18 | Under specific, non-default and uncommon lighttpd mod_extforward |
| 19 | configurations, a remote attacker can trigger a 4-byte out-of-bounds |
| 20 | write of value '-1' to the stack. This is not believed to be exploitable |
| 21 | in any way beyond triggering a crash of the lighttpd server on systems |
| 22 | where the lighttpd server has been built 32-bit and with compiler flags |
| 23 | which enable a stack canary -- gcc/clang -fstack-protector-strong or |
| 24 | -fstack-protector-all, but bug not visible with only -fstack-protector. |
| 25 | |
| 26 | With standard lighttpd builds using -O2 optimization on 64-bit x86_64, |
| 27 | this bug has not been observed to cause adverse behavior, even with |
| 28 | gcc/clang -fstack-protector-strong. |
| 29 | |
| 30 | For the bug to be reachable, the user must be using a non-default |
| 31 | lighttpd configuration which enables mod_extforward and configures |
| 32 | mod_extforward to accept and parse the "Forwarded" header from a trusted |
| 33 | proxy. At this time, support for RFC7239 Forwarded is not common in CDN |
| 34 | providers or popular web server reverse proxies. It bears repeating that |
| 35 | for the user to desire to configure lighttpd mod_extforward to accept |
| 36 | "Forwarded", the user must also be using a trusted proxy (in front of |
| 37 | lighttpd) which understands and actively modifies the "Forwarded" header |
| 38 | sent to lighttpd. |
| 39 | |
| 40 | lighttpd natively supports RFC7239 "Forwarded" |
| 41 | hiawatha natively supports RFC7239 "Forwarded" |
| 42 | |
| 43 | nginx can be manually configured to add a "Forwarded" header |
| 44 | https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ |
| 45 | |
| 46 | A 64-bit build of lighttpd on x86_64 (not known to be affected by bug) |
| 47 | in front of another 32-bit lighttpd will detect and reject a malicious |
| 48 | "Forwarded" request header, thereby thwarting an attempt to trigger |
| 49 | this bug in an upstream 32-bit lighttpd. |
| 50 | |
| 51 | The following servers currently do not natively support RFC7239 Forwarded: |
| 52 | nginx |
| 53 | apache2 |
| 54 | caddy |
| 55 | node.js |
| 56 | haproxy |
| 57 | squid |
| 58 | varnish-cache |
| 59 | litespeed |
| 60 | |
| 61 | Given the general dearth of support for RFC7239 Forwarded in popular |
| 62 | CDNs and web server reverse proxies, and given the prerequisites in |
| 63 | lighttpd mod_extforward needed to reach this bug, the number of lighttpd |
| 64 | servers vulnerable to this bug is estimated to be vanishingly small. |
| 65 | Large systems using reverse proxies are likely running 64-bit lighttpd, |
| 66 | which is not known to be adversely affected by this bug. |
| 67 | |
| 68 | In the future, it is desirable for more servers to implement RFC7239 |
| 69 | Forwarded. lighttpd developers would like to thank povcfe for reporting |
| 70 | this bug so that it can be fixed before more CDNs and web servers |
| 71 | implement RFC7239 Forwarded. |
| 72 | |
| 73 | x-ref: |
| 74 | "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1" |
| 75 | https://redmine.lighttpd.net/issues/3134 |
| 76 | (not yet written or published) |
| 77 | CVE-2022-22707 |
| 78 | --- |
| 79 | src/mod_extforward.c | 2 +- |
| 80 | 1 file changed, 1 insertion(+), 1 deletion(-) |
| 81 | |
| 82 | diff --git a/src/mod_extforward.c b/src/mod_extforward.c |
| 83 | index ba957e04..fdaef7f6 100644 |
| 84 | --- a/src/mod_extforward.c |
| 85 | +++ b/src/mod_extforward.c |
| 86 | @@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c |
| 87 | while (s[i] == ' ' || s[i] == '\t') ++i; |
| 88 | if (s[i] == ';') { ++i; continue; } |
| 89 | if (s[i] == ',') { |
| 90 | - if (j >= (int)(sizeof(offsets)/sizeof(int))) break; |
| 91 | + if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break; |
| 92 | offsets[++j] = -1; /*("offset" separating params from next proxy)*/ |
| 93 | ++i; |
| 94 | continue; |
| 95 | -- |
| 96 | 2.25.1 |
| 97 | |