exploit the possibilities

Apache2 mod_proxy_uwsgi Incorrect Request Handling

Apache2 mod_proxy_uwsgi Incorrect Request Handling
Posted Aug 31, 2020
Authored by Google Security Research, Felix Wilhelm

Apache2 suffers from an incorrect handling of large requests issue in mod_proxy_uwsgi.

tags | advisory
advisories | CVE-2020-11984
MD5 | 794813ee73c7fb742550accd8b61f2e2

Apache2 mod_proxy_uwsgi Incorrect Request Handling

Change Mirror Download
Apache2: Incorrect handling of large requests in mod_proxy_uwsgi

mod_proxy_uwsgi as included in current versions of Apache httpd incorrectly handles large
HTTP requests. The UWSGI line protocol uses uint16_t length values for both header name/values
and the overall packet size, but mod_proxy_uwsgi does not verify that these size fields do not overflow:

// modules/proxy/mod_proxy_uwsgi.c
static int uwsgi_send_headers(request_rec *r, proxy_conn_rec * conn)
{
char *buf, *ptr;

const apr_array_header_t *env_table;
const apr_table_entry_t *env;

apr_size_t headerlen = 4;
apr_uint16_t pktsize, keylen, vallen;

[...]

env_table = apr_table_elts(r->subprocess_env);
env = (apr_table_entry_t *) env_table->elts;

for (j = 0; j < env_table->nelts; ++j) {
headerlen += 2 + strlen(env[j].key) + 2 + strlen(env[j].val);
}

ptr = buf = apr_palloc(r->pool, headerlen);

ptr += 4;

for (j = 0; j < env_table->nelts; ++j) {
keylen = strlen(env[j].key); ** A **
*ptr++ = (apr_byte_t) (keylen & 0xff);
*ptr++ = (apr_byte_t) ((keylen >> 8) & 0xff);
memcpy(ptr, env[j].key, keylen);
ptr += keylen;

vallen = strlen(env[j].val); ** B **
*ptr++ = (apr_byte_t) (vallen & 0xff);
*ptr++ = (apr_byte_t) ((vallen >> 8) & 0xff);
memcpy(ptr, env[j].val, vallen);
ptr += vallen;
}

pktsize = headerlen - 4; ** C **

buf[0] = 0;
buf[1] = (apr_byte_t) (pktsize & 0xff);
buf[2] = (apr_byte_t) ((pktsize >> 8) & 0xff);
buf[3] = 0;

return uwsgi_send(conn, buf, headerlen, r);
}

A malicious request can easily overflow pktsize (C) by sending
a small amount of headers with a length that is close to the LimitRequestFieldSize
default value of 8190. This can be used to trick UWSGI into parsing parts of
the serialized subprocess environment as part of the POST body.
In most configurations the security impact of this seems to be limited. However,
an attacker might be able to leak sensitive environment variables as part of the POST body and/or
strip security sensitive headers from the request.
If UWSGI is explicitly configured in persistent mode (puwsgi), this can
also be used to smuggle a second UWSGI request leading to remote code execution.
(In its standard configuration UWSGI only supports a single request per connection,
making request smuggling impossible)

RCE against a standard UWSGI config is possible if an attacker can put a controlled
name or value into subprocess_env that is longer than 0xFFFF bytes:
This would overflow the size calculation in (A) or (B) and
makes it possible to inject malicious key/value pairs into the UWSGI request. This can be turned
into code execution by setting a malicious UWSGI_FILE var
(see https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi-rce-zh.md)

Using an oversized HTTP header for this attack requires a LimitRequestFieldSize
bypass and should not be possible in normal configurations.
However, mod_http2 incorrectly enforced LimitRequestFieldSize before
R1863276 (https://svn.apache.org/viewvc?view=revision&revision=1863276) so systems
without this commit can be exploited easily. Other config dependent attack vectors might exist.


Credits:
Felix Wilhelm of Google Project Zero

This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report
will become visible to the public. The scheduled disclosure date is 2020-07-23.
Disclosure at an earlier date is also possible if agreed upon by all parties.

Related CVE Numbers: CVE-2020-11984.



Found by: fwilhelm@google.com

Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close