xorl %eax, %eax

CVE-2008-3746: LibNEON Null Pointer Dereference


On 17 April 2008, Yves-Alexis reported this vulnerability. LibNEON (also known as neon) is a popular C library for HTTP and WebDAV operations. The issue discussed here affects neon from 0.28.0 up to 0.28.2. The following code is taken from 0.28.2; the vulnerable function is parse_domain() in src/ne_auth.c.

631 /* Parse the "domain" challenge parameter and set the domains array up
632  * in the session appropriately. */
633 static int parse_domain(auth_session *sess, const char *domain)
634 {
635     char *cp = ne_strdup(domain), *p = cp;
636     ne_uri base;
637     int invalid = 0;
      ...
642     do {
643         char *token = ne_token(&p, ' ');
644         ne_uri rel, absolute;
645
646         if (ne_uri_parse(token, &rel) == 0) {
647             /* Resolve relative to the Request-URI. */
648             ne_uri_resolve(&base, &rel, &absolute);
649
650             base.path = absolute.path;
651
652             /* Ignore URIs not on this server. */
653             if (absolute.path && ne_uri_cmp(&absolute, &base) == 0) {
654                 sess->domains = ne_realloc(sess->domains,
655                                            ++sess->ndomains *
656                                            sizeof(*sess->domains));
657                 sess->domains[sess->ndomains - 1] = absolute.path;
      ...
802     return 0;
803 }

This function parses the "domain" parameter of a Digest challenge and builds the session's domains array. The problem is the ne_uri named base, declared at line 636: nothing before line 648 sets its path member, so base.path is still NULL when the structure is first used (the patch further down confirms this, since it only has to set that one member). The ne_uri structure is defined in src/ne_uri.h like this:

58 typedef struct {
59     char *scheme;
60     char *host, *userinfo;
61     unsigned int port;
62     char *path, *query, *fragment;
63 } ne_uri;

That NULL path is used at line 648, where base is passed to ne_uri_resolve() in src/ne_uri.c. That function reads the members of the base ne_uri structure directly:

384 /* This function directly implements the "Transform References"
385  * algorithm described in RFC 3986 section 5.2.2. */
386 ne_uri *ne_uri_resolve(const ne_uri *base, const ne_uri *relative,
387                        ne_uri *target)
388 {
      ...
397         if (relative->host) {
      ...
401         } else {
402             if (relative->path[0] == '\0') {
403                 target->path = ne_strdup(base->path);
      ...
406                 } else if (base->query) {
407                     target->query = ne_strdup(base->query);
408                 }
      ...
413                     char *merged = merge_paths(base, relative->path);
      ...
419             copy_authority(target, base);
420         }
421         if (base->scheme) target->scheme = ne_strdup(base->scheme);
422     }


With base->path NULL, the dereference is reached as soon as the "domain" parameter contains a relative reference: an empty token takes the branch at line 402 and hands NULL to ne_strdup() at line 403, and a relative path reaches merge_paths() at line 413, which reads base->path to merge the two paths. (The base->query and base->scheme accesses at lines 406 and 421 are guarded by NULL checks and do not crash.) A malicious or buggy server can therefore crash any client that authenticates with Digest against it. Here is the patch, which simply sets base.path before the call so that the dereference at line 403 of ne_uri_resolve() sees a valid string:

         if (ne_uri_parse(token, &rel) == 0) {
             /* Resolve relative to the Request-URI. */
+            base.path = "/";
             ne_uri_resolve(&base, &rel, &absolute);

+            /* Compare against the resolved path to check this URI has
+             * the same (scheme, host, port) components; ignore it
+             * otherwise: */
             base.path = absolute.path;
-            
-            /* Ignore URIs not on this server. */
             if (absolute.path && ne_uri_cmp(&absolute, &base) == 0) {
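Review bot: the hard-coded `base.path = "/";` resolves every relative domain token against the server root, but the comment kept directly above it still reads `/* Resolve relative to the Request-URI. */`, which is no longer what the code does; either resolve against the actual request path or reword the comment to say the token is resolved against "/". The NULL dereference itself is closed, since ne_uri_resolve() now always sees a non-NULL base->path, and re-pointing base.path at absolute.path afterwards keeps the ne_uri_cmp() comparison on scheme, host and port only.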


Is it exploitable? Well, you can map legitimate data at the above offsets from NULL and avoid the crash, but will this lead to control of execution? I don't know, I haven't tested it.
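To make the failing path concrete, here is an added example (written for this post; it is not neon's code, and every function name in it is the example's own) of the RFC 3986 section 5.2 resolution that ne_uri_resolve() performs, restricted to path references. It takes the request path and one "domain" token the way parse_domain() does, and treats a NULL base path as "/", which is exactly the state the patch hard-codes, instead of dereferencing it. Tokens that carry a scheme are rejected rather than compared against the server (the real code does that with ne_uri_cmp()), and the challenge strings used in the checks are constructed, not captured from a server.

```c
/* Added example for CVE-2008-3746 (not neon's code; names are the
 * example's own): a path-only RFC 3986 section 5.2 resolver in which a
 * NULL base path, the state neon 0.28.2 passed to ne_uri_resolve(), is
 * handled as "/" instead of being dereferenced. */
#include <stdlib.h>
#include <string.h>

#define MAXPATH 256

/* RFC 3986 5.2.4 remove_dot_segments on an absolute path, in place:
 * "." segments are dropped, ".." pops the previous segment. */
static void remove_dot_segments(char *path)
{
    char out[MAXPATH];
    size_t olen = 0;
    const char *p = path;

    while (*p) {
        const char *next = strchr(p + 1, '/');
        size_t len = next ? (size_t)(next - p) : strlen(p); /* "/seg" */

        if (len == 2 && p[1] == '.') {
            if (!next && olen + 1 < sizeof out) out[olen++] = '/';
        } else if (len == 3 && p[1] == '.' && p[2] == '.') {
            while (olen > 0 && out[olen - 1] != '/') olen--;
            if (olen > 0) olen--;              /* drop that '/' too */
            if (!next) out[olen++] = '/';
        } else if (olen + len < sizeof out) {
            memcpy(out + olen, p, len);
            olen += len;
        }
        p = next ? next : p + len;
    }
    if (olen == 0) out[olen++] = '/';
    out[olen] = '\0';
    strcpy(path, out);
}

/* Resolve one "domain" token against the request path (RFC 3986 5.2.2
 * and 5.2.3 for path references). Tokens with a scheme are rejected
 * rather than compared against the server. Returns 0 on success. */
int resolve_domain_token(const char *base_path, const char *token,
                         char *out, size_t outlen)
{
    size_t keep = 0;

    if (strstr(token, "://") != NULL)
        return -1;
    /* The neon bug: base->path was NULL here. Treat it as "/", which
     * is what the fix hard-codes before calling ne_uri_resolve(). */
    if (base_path == NULL || base_path[0] != '/')
        base_path = "/";
    if (token[0] == '\0')                      /* empty ref: base path itself */
        keep = strlen(base_path);
    else if (token[0] != '/')                  /* relative: merge (5.2.3) */
        keep = (size_t)(strrchr(base_path, '/') - base_path) + 1;
    if (keep + strlen(token) + 1 > outlen)
        return -1;
    memcpy(out, base_path, keep);
    strcpy(out + keep, token);
    remove_dot_segments(out);
    return 0;
}

/* Split a Digest "domain" parameter on spaces, as parse_domain() does,
 * and resolve every token; returns the number accepted. */
int resolve_domain_param(const char *domain, const char *base_path,
                         char out[][MAXPATH], int max_out)
{
    char *copy = malloc(strlen(domain) + 1), *p;
    int n = 0;

    if (copy == NULL) return -1;
    strcpy(copy, domain);
    for (p = copy; p != NULL && n < max_out; ) {
        char *sp = strchr(p, ' ');
        if (sp != NULL) *sp++ = '\0';
        if (resolve_domain_token(base_path, p, out[n], MAXPATH) == 0)
            n++;
        p = sp;
    }
    free(copy);
    return n;
}

/* Check helpers: does base+token resolve to expected, and does the
 * idx-th accepted token of a constructed domain parameter equal it? */
int resolves_to(const char *base, const char *token, const char *expected)
{
    char buf[MAXPATH];
    return resolve_domain_token(base, token, buf, sizeof buf) == 0
        && strcmp(buf, expected) == 0;
}

int domain_token_is(const char *domain, const char *base, int idx,
                    const char *expected)
{
    char out[8][MAXPATH];
    int n = resolve_domain_param(domain, base, out, 8);
    return idx < n && strcmp(out[idx], expected) == 0;
}
```

Feeding it a constructed challenge parameter such as `"/protected foo ../admin http://other.example/x"` with a NULL base path yields "/protected", "/foo" and "/admin" and drops the foreign URI; the same input with base->path NULL is what took neon 0.28.2 through line 403 (for an empty token) or merge_paths() at line 413 (for "foo" and "../admin") and crashed it.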

Written by xorl

March 26, 2009 at 14:58

Posted in bugs
