AppWeb Forum

Support for the AppWeb HTTP Server
 Post subject: Configuring logging
PostPosted: Sun Apr 29, 2007 8:40 am 

Joined: Wed Aug 23, 2006 11:45 am
Posts: 110
Hi,

I have discovered a vulnerability, allowing a user to cause the appWeb server to crash using a specially crafted GET message, on appWeb 2.0.5.4.

Is it a known issue that was fixed later, or is this a new problem?
(I have done some googling and came up with nothing).

I am currently debugging the issue, and I might require some help in understanding the code flow - but would rather not discuss it here in the open forum...

Thanks,

Nir.


 Post subject: Some more information
PostPosted: Mon Apr 30, 2007 10:48 am 

Joined: Wed Aug 23, 2006 11:45 am
Posts: 110
Hi All,

I have located a possible issue - I would like your comments (I am referring to appWeb 2.0.5-4):

In:

MprLogToFile::logEvent(): in case there is no actual file descriptor defined (logging is enabled at compile time, but disabled via the conf file), some errors are logged to STDERR. For some reason, the following call is made:

======= start code ============

if (logFd < 0 && level <= 1) {
    //
    // Always output fatal and error messages
    //
    mprFprintf(MPR_STDERR, buf);
    return;
}

// OPT -- could get length above
write(logFd, buf, strlen(buf));

========= end code ==========

The call to mprFprintf with only a buffer and no other parameters causes unexpected results when 'buf' itself holds some of the special characters, such as %s, %d, etc.

For example, if a user initiates a GET request with a special character, such as:
"GET %n://localhost:80/index.html HTTP/1.1..Host: 172.19.15.11..User-Agent: Security test..Content-Length: 0..Cache-Control: no-cache....\r\n\r\n"
"GET %s%s://localhost:80/index.html HTTP/1.1..Host: 172.19.15.11..User-Agent: Security test..Content-Length: 0..Cache-Control: no-cache....\r\n\r\n"
"GET %d://localhost:80/index.html HTTP/1.1..Host: 172.19.15.11..User-Agent: Security test..Content-Length: 0..Cache-Control: no-cache....\r\n\r\n"

The server cannot find such a page, and tries to write an error message to the stderr. When passing the above string to the mprFprintf as 'buf', the mprFprintf (or more accurately mprSprintfCore) tries to match the %s (or %d or %s) to an argument from the list. However... there is no argument in the list at all - thus resulting in garbage printed in the good case... and segmentation fault in the bad case.

I would like to suggest changing the call to mprFprintf to behave as when writing to a real log file (and not just STDERR), and call write().
I have tested it; it works fine, doesn't harm any of the log options, and secures the web server from the possible garbage printing or crash.

I would appreciate your comments - as this is a security threat for anyone running the appWeb server.

Thanks,

Nir Rachmel.

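The pattern described in this post is a classic format-string bug: a message containing user-controlled bytes is passed to a printf-style function as the format argument rather than as data. The following is an added example, not AppWeb's code; the function names count_format_directives, safe_log_event and safe_log_event_printf are assumptions made for illustration. It shows a small check that counts how many conversion directives a printf-style function would try to consume from such a message, and the two standard hardened forms: writing the message as opaque bytes with write(2), as the thread's real-log-file branch already does, or passing it through a fixed "%s" format. The sample message is constructed here and is not from the thread.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>

/* Count the conversion directives a printf-style function would try to
 * consume if BUF were (wrongly) passed as the format string.  "%%" is a
 * literal percent sign and is not counted.  A non-zero result means the
 * message must never reach a *printf function as its format argument. */
int count_format_directives(const char *buf)
{
    int n = 0;
    for (const char *p = buf; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: literal, skip both */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened form of the STDERR branch discussed in the thread: the message
 * is treated as opaque bytes and written with write(2), exactly as the
 * real-log-file branch does.  Returns the number of bytes written, or -1
 * on error.  Loops because write() may write fewer bytes than requested. */
ssize_t safe_log_event(int fd, const char *buf)
{
    size_t len = strlen(buf);
    size_t done = 0;
    while (done < len) {
        ssize_t w = write(fd, buf + done, len - done);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        done += (size_t)w;
    }
    return (ssize_t)done;
}

/* Alternative hardened form when a *printf function must be used: a fixed
 * format string with the message supplied as an argument.  The unsafe
 * shape to avoid is fprintf(fp, buf), which is what the thread's
 * mprFprintf(MPR_STDERR, buf) amounts to. */
int safe_log_event_printf(FILE *fp, const char *buf)
{
    return fprintf(fp, "%s", buf);
}

int main(void)
{
    /* Constructed sample: an error message carrying a request line of the
     * kind shown in the thread. */
    const char *msg = "Cannot open document: GET %s%s://localhost:80/index.html\n";
    printf("directives a bare printf would consume: %d\n",
           count_format_directives(msg));
    safe_log_event(STDERR_FILENO, msg);   /* printed verbatim, no crash */
    safe_log_event_printf(stderr, msg);   /* same, via the fixed format */
    return 0;
}
```

Both hardened forms preserve the message byte for byte, so the log output is unchanged for ordinary messages; compilers also flag the unsafe shape when built with -Wformat-security, which is a cheap way to find other instances in a code base.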

 
 Post subject:
PostPosted: Thu May 03, 2007 5:01 am 

Joined: Wed Nov 19, 2003 11:55 pm
Posts: 471
So you mean that the developer must build with logging enabled, but then disable it in the conf file. Then you can get this buffer overflow?

Peter

_________________
Peter Hale
Gridable Systems


 Post subject:
PostPosted: Thu May 03, 2007 5:03 am 

Joined: Sat Dec 31, 2005 1:16 am
Posts: 183
Seems pretty rare - but a good fix anyway.

Thanks

cjr


 Post subject: reply
PostPosted: Thu May 03, 2007 7:16 am 

Joined: Wed Aug 23, 2006 11:45 am
Posts: 110
Hi,

Exactly - you need to build with logging enabled, but disable it in the conf file.

Thanks,

Nir.


 Post subject: Re: Security vulnerability - DOS
PostPosted: Thu Jan 03, 2008 6:56 am 

Joined: Thu Jan 03, 2008 5:17 am
Posts: 2
Good answer, I'm looking for the solution to the same question. Thanks so much.


 Post subject: Re: Some more information
PostPosted: Tue Apr 20, 2010 9:46 am 

Joined: Tue Apr 20, 2010 9:42 am
Posts: 1
rachmel wrote:
Hi All,

I have located a possible issue - I would like your comments (I am referring to appWeb 2.0.5-4):

In:

MprLogToFile::logEvent(): in case there is no actual file descriptor defined (logging is enabled at compile time, but disabled via the conf file), some errors are logged to STDERR. For some reason, the following call is made:

======= start code ============

if (logFd < 0 && level <= 1) {
    //
    // Always output fatal and error messages
    //
    mprFprintf(MPR_STDERR, buf);
    return;
}

// OPT -- could get length above
write(logFd, buf, strlen(buf));

========= end code ==========

The call to mprFprintf with only a buffer and no other parameters causes unexpected results when 'buf' itself holds some of the special characters, such as %s, %d, etc.

For example, if a user initiates a GET request with a special character, such as:
"GET %n://localhost:80/index.html HTTP/1.1..Host: 172.19.15.11..User-Agent: Security test..Content-Length: 0..Cache-Control: no-cache....\r\n\r\n"
"GET %s%s://localhost:80/index.html HTTP/1.1..Host: 172.19.15.11..User-Agent: Security test..Content-Length: 0..Cache-Control: no-cache....\r\n\r\n"
"GET %d://localhost:80/index.html HTTP/1.1..Host: 172.19.15.11..User-Agent: Security test..Content-Length: 0..Cache-Control: no-cache....\r\n\r\n"

The server cannot find such a page, and tries to write an error message to the stderr. When passing the above string to the mprFprintf as 'buf', the mprFprintf (or more accurately mprSprintfCore) tries to match the %s (or %d or %s) to an argument from the list. However... there is no argument in the list at all - thus resulting in garbage printed in the good case... and segmentation fault in the bad case.

I would like to suggest changing the call to mprFprintf to behave as when writing to a real log file (and not just STDERR), and call write().
I have tested it; it works fine, doesn't harm any of the log options, and secures the web server from the possible garbage printing or crash.

I would appreciate your comments - as this is a security threat for anyone running the appWeb server.

Thanks,

Nir Rachmel.


Hi rachmel,
Thanks for the fix. I tried it, and indeed appWeb doesn't crash anymore.

