xorl %eax, %eax

CVE-2010-3872: Apache mod_fcgid Buffer Overflow


This is an interesting vulnerability affecting mod_fcgid versions before 2.3.6. The issue was reported by Edgar Frank and the susceptible code is located in modules/fcgid/fcgid_bucket.c, specifically in the following routine.

static apr_status_t fcgid_header_bucket_read(apr_bucket * b,
                                             const char **str,
                                             apr_size_t * len,
                                             apr_read_type_e block)
{
    fcgid_bucket_ctx *ctx = (fcgid_bucket_ctx *) b->data;
    apr_status_t rv;
    apr_size_t hasread, bodysize;
    FCGI_Header header;
    apr_bucket *curbucket = b;
  ...
        /* Initialize header */
        /* BUG: &header is an FCGI_Header *, so "+ hasread" advances by
         * hasread * sizeof(FCGI_Header) bytes rather than hasread bytes */
        putsize = fcgid_min(bufferlen, sizeof(header) - hasread);
        memcpy(&header + hasread, buffer, putsize);
        hasread += putsize;
  ...
    return apr_bucket_read(b, str, len, APR_BLOCK_READ);
}

You can see that in order to initialize the header, it calculates the size and then uses the memcpy(3) library routine to copy data from the buffer into the header. The problem is that ‘hasread’ is of type ‘apr_size_t’ (a byte count) while ‘&header’ is a pointer of type ‘FCGI_Header *’, so adding ‘hasread’ to it advances in units of sizeof(FCGI_Header) rather than bytes. This results in incorrect pointer arithmetic whenever ‘hasread’ holds a non-zero value, i.e. whenever a header arrives split across reads, and the memcpy(3) then writes past the ‘header’ local on the stack.
Of course, the fix for this bug was to add the appropriate type cast to avoid the invalid pointer arithmetic, like this:

         putsize = fcgid_min(bufferlen, sizeof(header) - hasread);
-        memcpy(&header + hasread, buffer, putsize);
+        memcpy((char*)(&header) + hasread, buffer, putsize);
         hasread += putsize;
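Review bot: the char* cast makes the addition byte-wise, which is the correct fix, but the unchanged line above it still computes `sizeof(header) - hasread` on an unsigned `apr_size_t`; if `hasread` could ever exceed `sizeof(header)` at this point the subtraction would wrap and `fcgid_min` would simply return `bufferlen`, so the enclosing loop condition that bounds `hasread` to at most `sizeof(header)` should be confirmed (or an explicit check added) as part of this change. A one-line comment on the cast, noting that `&header` is an `FCGI_Header *` and must be advanced in bytes, would also stop the next reader from "simplifying" it back.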

I wrote about this because, even though it’s a common bug class, we don’t see that many pointer arithmetic vulnerabilities being disclosed lately.
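The scaling mistake above, as an added example that is not code from the original post or from mod_fcgid: the struct mirrors the 8-byte FastCGI record header, fcgid_min is assumed to be a plain minimum, and header_feed and demo_split_header are hypothetical helpers that reassemble a header delivered in two fragments (the non-zero ‘hasread’ case) using the fixed byte-wise expression, while buggy_offset computes, without forming the pointer, how far off the original expression lands.

```c
#include <stdint.h>
#include <string.h>

/* Mirror of the 8-byte FastCGI record header (field names per the FastCGI spec). */
typedef struct {
    uint8_t version, type;
    uint8_t requestIdB1, requestIdB0;
    uint8_t contentLengthB1, contentLengthB0;
    uint8_t paddingLength, reserved;
} FCGI_Header;

/* Stand-in for mod_fcgid's fcgid_min (assumed to be a plain minimum). */
#define fcgid_min(a, b) ((a) < (b) ? (a) : (b))

/* Byte offset from &header that the buggy `&header + hasread` targets:
 * arithmetic on an FCGI_Header * advances in multiples of sizeof(FCGI_Header),
 * so any non-zero hasread lands past the header. Computed numerically so that
 * no out-of-bounds pointer is ever formed. */
size_t buggy_offset(size_t hasread) {
    return hasread * sizeof(FCGI_Header);
}

/* Reassemble a header that arrives in fragments, using the fixed expression
 * `(char *)header + hasread`. Returns how many bytes of `chunk` were consumed. */
size_t header_feed(FCGI_Header *header, size_t *hasread,
                   const unsigned char *chunk, size_t chunklen) {
    if (*hasread >= sizeof(*header))
        return 0;                                   /* header already complete */
    size_t putsize = fcgid_min(chunklen, sizeof(*header) - *hasread);
    memcpy((char *)header + *hasread, chunk, putsize);  /* byte-wise, in bounds */
    *hasread += putsize;
    return putsize;
}

/* Constructed sample: a record header (version 1, type 1, request id 1,
 * content length 8) split across reads of 3 and 5 bytes. Returns the decoded
 * content length, which is 8 only if the split reassembly was correct. */
unsigned demo_split_header(void) {
    static const unsigned char part1[] = {1, 1, 0};
    static const unsigned char part2[] = {1, 0, 8, 0, 0};
    FCGI_Header h;
    size_t hasread = 0;
    memset(&h, 0, sizeof h);
    header_feed(&h, &hasread, part1, sizeof part1);
    header_feed(&h, &hasread, part2, sizeof part2);
    return (unsigned)((h.contentLengthB1 << 8) | h.contentLengthB0);
}
```

With the original expression, the second fragment would have been copied to offset buggy_offset(3), i.e. 24 bytes from the start of an 8-byte header, which is exactly the out-of-bounds write the post describes.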

Written by xorl

January 6, 2011 at 23:45

Posted in bugs

11 Responses


  1. Please, give me the exploit code. I want to do a penetration test. I am Japanese. Recently, I am studying computer security.

    shutter

    February 28, 2011 at 13:58

  2. I didn’t write any exploit for this particular vulnerability. I’m sorry. :(

    xorl

    February 28, 2011 at 18:49

  3. Dear, I need your help regarding exploit development for CVE-2010-3872.
    Could you please guide me?

    How might this CVE-2010-3872 be exploited and how might an exploit work?

    Thanks and Regards

    Aizaz

    Muhammad Hussain

    March 9, 2011 at 15:27

  4. As I said to shutter in the comment above, I haven’t developed an exploit for this vulnerability. Sorry, I cannot help you with this.

    xorl

    March 9, 2011 at 21:48

  5. Hi Xorl, thanks for this info. What is the security threat level of this CVE, knowing full well that it has everything to do with a stack buffer overflow?

    Alao

    March 16, 2011 at 12:12

  6. Alao, as I have said in the above comments, I didn’t write an exploit for it. That said, I cannot be 100% sure of its threat level.
    In my humble opinion, any memory corruption vulnerability is critical, but since I don’t have an exploit I cannot give you an absolute answer.

    xorl

    March 16, 2011 at 22:26

  7. Hey Xorl, can you answer these questions for me please:

    – What level of threat does this CVE pose to a Windows network/domain?

    – At a detailed technical level, what is the CVE (2010-3782) and how does it function?

    – How might this vulnerability be exploited and how would an exploit work?

    – What is the remedial action necessary to mitigate this CVE?

    Please, I expect some deep explanations from you.

    Cheers!

    Kano

    March 17, 2011 at 18:44

  8. Dear Kano, I don’t have time to write such a detailed analysis of the vulnerability.

    As I have already said numerous times in the above comments, since I haven’t researched this vulnerability any further, I cannot answer your questions.

    Regards

    xorl

    March 17, 2011 at 23:20

  9. Thanks for your response Xorl. Could you refer me to a website you think would be helpful in further understanding this CVE? I’m a student taking a network system security course and it’s mandatory I understand this to the best possible knowledge. I’d rate the threat level critical as well any day!

    Alao

    March 18, 2011 at 19:00

  10. You might want to look for CVE-2010-3872 references or contact Edgar Frank who discovered this vulnerability directly.
    I don’t know of any particular website that you would find helpful. Sorry.

    xorl

    March 18, 2011 at 23:32

  11. Xorl, I like you and respect you a lot, but I want to kill all your fanboys, just look at them.

    Jesus

    April 6, 2011 at 13:10
