Jump to content
H4CK

Apache 2 MOD_Proxy_uwsgi不正确的请求处理漏洞攻击

Recommended Posts

Apache2: Incorrect handling of large requests in mod_proxy_uwsgi
 
mod_proxy_uwsgi as included in current versions of Apache httpd incorrectly handles large
HTTP requests. The UWSGI line protocol uses uint16_t length values for both header name/values 
and the overall packet size, but mod_proxy_uwsgi does not verify that these size fields do not overflow:
 
// modules/proxy/mod_proxy_uwsgi.c
static int uwsgi_send_headers(request_rec *r, proxy_conn_rec * conn)
{
  char *buf, *ptr;
 
  const apr_array_header_t *env_table;
  const apr_table_entry_t *env;
 
  apr_size_t headerlen = 4;
  apr_uint16_t pktsize, keylen, vallen;
 
  [...]
 
  env_table = apr_table_elts(r->subprocess_env);
  env = (apr_table_entry_t *) env_table->elts;
 
  for (j = 0; j < env_table->nelts; ++j) {
    headerlen += 2 + strlen(env[j].key) + 2 + strlen(env[j].val); 
  }
 
  ptr = buf = apr_palloc(r->pool, headerlen);
 
  ptr += 4;
 
  for (j = 0; j < env_table->nelts; ++j) {
    keylen = strlen(env[j].key); ** A ** 
    *ptr++ = (apr_byte_t) (keylen & 0xff);
    *ptr++ = (apr_byte_t) ((keylen >> 8) & 0xff);
    memcpy(ptr, env[j].key, keylen);
    ptr += keylen;
 
    vallen = strlen(env[j].val); ** B **
    *ptr++ = (apr_byte_t) (vallen & 0xff);
    *ptr++ = (apr_byte_t) ((vallen >> 8) & 0xff);
    memcpy(ptr, env[j].val, vallen);
    ptr += vallen;
  }
 
  pktsize = headerlen - 4; ** C **
 
  buf[0] = 0;
  buf[1] = (apr_byte_t) (pktsize & 0xff);
  buf[2] = (apr_byte_t) ((pktsize >> 8) & 0xff);
  buf[3] = 0;
 
  return uwsgi_send(conn, buf, headerlen, r);
}
 
A malicious request can easily overflow pktsize (C) by sending
a small amount of headers with a length that is close to the LimitRequestFieldSize
default value of 8190. This can be used to trick UWSGI into parsing parts of 
the serialized subprocess environment as part of the POST body. 
In most configurations the security impact of this seems to be limited. However,
an attacker might be able to leak sensitive environment variables as part of the POST body and/or 
strip security sensitive headers from the request. 
If UWSGI is explicitly configured in persistent mode (puwsgi), this can
also be used to smuggle a second UWSGI request leading to remote code execution.
(In its standard configuration UWSGI only supports a single request per connection, 
making request smuggling impossible)
 
RCE against a standard UWSGI config is possible if an attacker can put a controlled 
name or value into subprocess_env that is longer than 0xFFFF bytes: 
This would overflow the size calculation in (A) or (B) and
makes it possible to inject malicious key/value pairs into the UWSGI request. This can be turned
into code execution by setting a malicious UWSGI_FILE var 
(see https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi-rce-zh.md)
 
Using an oversized HTTP header for this attack requires a LimitRequestFieldSize 
bypass and should not be possible in normal configurations. 
However, mod_http2 incorrectly enforced LimitRequestFieldSize before 
R1863276 (https://svn.apache.org/viewvc?view=revision&revision=1863276) so systems 
without this commit can be exploited easily. Other config dependent attack vectors might exist. 
 
 
Credits: 
Felix Wilhelm of Google Project Zero
 
This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report 
will become visible to the public. The scheduled disclosure date is 2020-07-23. 
Disclosure at an earlier date is also possible if agreed upon by all parties.
 
Related CVE Numbers: CVE-2020-11984.
 

 

Link to post
Share on other sites

Follow: 世界中文黑客论坛由CNHACKTEAM[CHT]创建,汇集国内外技术人员,这是一群研究网安黑客攻防技术领域的专家.

法务要求丨Legal丨закон丨القانون

请在学习期间遵守所在国家相关法律,否则后果自负!

Пожалуйста, соблюдайте законы страны, в которой вы находитесь, во время обучения, или будут последствия!

勉強期間中に該当する国の法律を守ってください。そうでなければ結果は自己責任です。

Please abide by the relevant laws of your country during your study, or you will be responsible for the consequences!

官方旗下项目丨About our project

声明:为净化国内外网络安全请勿发布违反国家国定的文章,团队不参与任何涉及黑色产业/攻击/渗透各国正规网站活动,只做网络安全研究,研究网络攻防技术。

世界中文黑客论坛由CNHACKTEAM(CHT)创建,汇集国内外技术人员,这是一群研究网络安全、黑客攻防技术领域的专家,你也可以加入我们!

黑客攻防  技术问答  0day  Hack News  CHT Team  使用指南  商城/Mall  商城订单查询  捐赠/donations  在线用户  X  联系邮箱email:[email protected]

友情链接丨Link丨Связь дружбы

CNHACKTEAM   CHT team official website     www.hac-ker.com     hacked.com.cn     www.77169.net     www.ddosi.com

申请或请未补上链接者联系我们的邮箱,谢谢!

×
×
  • Create New...

Important Information

Please use your computer to visit our website; Please agree to our website rules!Guidelines