SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

Lighttpd FastCGI Remote Vulnerability


Arrow  SecurityAlert : 3127
Arrow  CVE : CVE-2007-4727
Arrow  SecurityRisk : High  Security Risk High  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Available : Yes
Arrow  Credit : Mattias Bengtsson & Philip Olausson
Arrow  Published : 14.09.2007

Arrow  Affected Software : mod_fastcgi extension in lighttpd before 1.4.18



Arrow  Advisory Content :  

FastCGI header overrun in mod_fastcgi
=======================================

Description
-------------

Lighttpd is prone to a header overflow when using the mod_fastcgi
extension,
this can lead to arbitrary code execution in the fastcgi application.

For a detailed description of the bug see the external reference.

This bug was found by Mattias Bengtsson <mattias@secweb.se> and
Philip Olausson <po@secweb.se>.

External reference:
http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/

Affected versions
-------------------

all previous versions.

Solutions or Workaround
-------------------------

upgrade to 1.4.18 or apply
lighttpd-1.4.x_mod_fastcgi_overrun.patch

This bug is tracked as CVE-2007-4727.

---- More details -------------
Issue:

Lighttpd is prone to a header overflow when using the mod_fastcgi
extension, this can lead to arbitrary code execution in the fastcgi
application.

Description:

Lighttpd (pronounced "lighty") is a web server which is designed to be
secure, fast, standards-compliant, and flexible while being optimized for
speed-critical environments.

Details:

fcgi_env_add_request_headers(srv, con, p);
fcgi_header(&(header), FCGI_PARAMS, request_id, p->fcgi_env->used, 0);
buffer_append_memory(b, (const char *)&header, sizeof(header));
buffer_append_memory(b, (const char *)p->fcgi_env->ptr,
p->fcgi_env->used);

The above code will read up all headers requested by the client and
construct the fastcgi header, which will be sent to PHP. The code does not
care if contentLength is more than 0xffff, and is therefore prone to a
overrun.

static int fcgi_header(FCGI_Header * header, unsigned char type, size_t
request_id, int contentLength, unsigned char paddingLength) {
...
header->contentLengthB0 = contentLength & 0xff;
header->contentLengthB1 = (contentLength >> 8) & 0xff;
...

While there are more data to send and PHP does not care how many packages
it gets, it is possible to take control over the next package header and
add/replace headers in PHP. For example SCRIPT_FILENAME which we will be
using in the example exploit.

Proof Of Concepts:

Since 1.4.17 we are not allowed to use any character less then 0x20 as a
value in an header which makes the exploitation of the vulnerability a
little bit more complicated, but still possible. For the high risk of this
vulnerability we have chosen not to release a exploit for 1.4.17, but
instead a fully working exploit for <= 1.4.16 and PHP 5.2.X.

Lighttpd FastCGI Remote Vulnerability Exploit

Example:
# ./exploit localhost 80 /etc/passwd
or
# wget --referer="<?php system('/usr/bin/id'); ?>" localhost
# ./exploit localhost 80 /var/log/lighttpd/access.log

Interested in a exploit for 1.4.17? Please contact us!

Impact:

The impact for this issue should be considered VERY HIGH!

Solution:

Upgrade to lighttpd 1.4.18
---------------- END ---------------





Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server

Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability

PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)

ADT

Protect your family and valuables with Home Security Systems

Copyright © SecurityReason.com. All Rights Reserved.