( , ) (, . '.' ) ('. ', ). , ('. ( ) ( (_,) .'), ) _ _, / _____/ / _ \ ____ ____ _____ \____ \==/ /_\ \ _/ ___\/ _ \ / \ / \/ | \\ \__( <_> ) Y Y \ /______ /\___|__ / \___ >____/|__|_| / \/ \/.-. \/ \/:wq (x.0) '=.|w|.=' _=''"''=. presents.. Open Litespeed Use After Free Vulnerability Affected versions: Open Litespeed <= 1.3.9 PDF: http://www.security-assessment.com/files/documents/advisory/Open%20Litespeed%20Use%20After%20Free%20Vulnerability.pdf +-----------+ |Description| +-----------+ A use after free vulnerability was discovered within the header parser of the Open Litespeed web server. This vulnerability can be successfully exploited to trigger an out of bounds memory read, resulting in a segmentation fault crashing the web server +------------+ |Exploitation| +------------+ By sending a crafted request, an attacker may trigger an out-of-bounds memory read, crashing the web server. This is due to a portion of memory being referenced by the application after being freed by a realloc() call. The second parameter (p) to the memmove() call (line 741, httpreq.cpp) within the HttpReq:newKeyValueBuf method results in an out of bound memory read when the attacker submits a crafted requests contain a large number of header rows. This is is due to the portion of memory the 'p' parameter resides in being freed by a realloc() call. The reallocation is performed by the allocate() method of the AutoBuf class. This is triggered by the call to AutoBuf's grow() method within the newKeyValueBuf method (line 736, httpreq.cpp). The newKeyValueBuf method snippet is detailed below, showing the call to AutoBuf::Grow() and the subsequent memmove() call: 735 if ( m_reqBuf.available() < total ) 736 if ( m_reqBuf.grow( total ) ) 737 return NULL; 738 char * pNewBuf = m_reqBuf.end(); 739 m_reqBuf.used( total ); 740 if ( orgSize > 0 ) 741 memmove( pNewBuf, p, sizeof( int ) * 2 + sizeof( key_value_pair ) * orgSize ); 742 else 743 *( ((int *)pNewBuf) + 1 ) = 0; Further information is available in the advisory PDF. POC exploit code can be found at http://www.security-assessment.com/files/documents/advisory/openlitespeed-1.3.9-UAF-DOS.c +----------+ | Solution | +----------+ Update to the latest version of the Open Litespeed web server +-------------------+ |Disclosure Timeline| +-------------------+ 26/03/2015 - Advisory send to Litespeed 27/03/2015 - Response from Litespeed stating the vulnerability will be fixed in the next release of Open Litespeed 10/04/2015 - Open Litespeed 1.3.10 released 14/04/2015 - Advisory PDF released +-----------------------------+ |About Security-Assessment.com| +-----------------------------+ Security-Assessment.com is Australasia's leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients. Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research. For further information on this issue or any of our service offerings, contact us: Web www.security-assessment.com Email info () security-assessment com Phone +64 4 470 1650