Lighttpd FastCGI Remote Vulnerability

Affected Products:
<= Lighttpd 1.4.17

Authors:
Mattias Bengtsson <mattias@secweb.se>
Philip Olausson <po@secweb.se>

Reported:
2007-09-05

Released:
2007-09-09

CVE:
CVE-2007-4727

Issue:

Lighttpd is prone to a header overflow when using the mod_fastcgi extension. This can lead to arbitrary code execution in the FastCGI application.

Description:

Lighttpd (pronounced "lighty") is a web server which is designed to be secure, fast, standards-compliant, and flexible while being optimized for speed-critical environments.

Details:

fcgi_env_add_request_headers(srv, con, p);   /* copies every request header sent by the client into p->fcgi_env */
fcgi_header(&(header), FCGI_PARAMS, request_id, p->fcgi_env->used, 0);   /* p->fcgi_env->used may exceed 0xffff */
buffer_append_memory(b, (const char *)&header, sizeof(header));
buffer_append_memory(b, (const char *)p->fcgi_env->ptr, p->fcgi_env->used);

The above code reads all headers supplied by the client and constructs the FastCGI header for the FCGI_PARAMS record that is sent to PHP. The code does not check whether contentLength is larger than 0xffff, and is therefore prone to an overrun: the length field in the header is only 16 bits wide, so any larger value is silently truncated.

static int fcgi_header(FCGI_Header * header, unsigned char type, size_t request_id, int contentLength, unsigned char paddingLength) {
...
     header->contentLengthB0 = contentLength & 0xff;          /* low byte only */
     header->contentLengthB1 = (contentLength >> 8) & 0xff;   /* second byte only; bits 16 and above are dropped, no range check */
...

Because the remaining data is still sent, and PHP does not care how many records (packages) it receives, the part of the body that lies beyond the truncated length is interpreted by PHP as the next record. The sender can therefore control the next record header and add or replace headers in PHP, for example SCRIPT_FILENAME, which we will be using in the example exploit.
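The following is an added example (not lighttpd's own code) showing the hardened counterpart of the fcgi_header() routine quoted above: the content length is range-checked instead of being masked to 16 bits, and an environment block larger than 0xffff bytes is split into several FCGI_PARAMS records so that no record body can spill into the next header. The FCGI_Header layout and the FCGI_PARAMS/FCGI_VERSION_1 constants follow the FastCGI specification; the function names fcgi_header_checked() and fcgi_params_records() and the filler environment block are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FCGI_VERSION_1   1
#define FCGI_PARAMS      4
#define FCGI_MAX_CONTENT 0xffff   /* the header stores contentLength in two bytes */

/* 8-byte record header as laid out in the FastCGI specification. */
typedef struct {
    unsigned char version;
    unsigned char type;
    unsigned char requestIdB1;
    unsigned char requestIdB0;
    unsigned char contentLengthB1;
    unsigned char contentLengthB0;
    unsigned char paddingLength;
    unsigned char reserved;
} FCGI_Header;

/* What the unchecked routine effectively does to an oversized length:
 * everything above bit 15 is lost (0x10008 becomes 8). Shown for contrast. */
static unsigned truncated_content_length(size_t contentLength) {
    return (unsigned)(contentLength & 0xffff);
}

/* Hardened header builder (assumed name): refuses lengths that do not fit
 * the 16-bit field instead of silently truncating them.
 * Returns 0 on success, -1 if contentLength or request_id is out of range. */
static int fcgi_header_checked(FCGI_Header *h, unsigned char type, size_t request_id,
                               size_t contentLength, unsigned char paddingLength) {
    if (contentLength > FCGI_MAX_CONTENT || request_id > 0xffff) return -1;
    h->version        = FCGI_VERSION_1;
    h->type           = type;
    h->requestIdB1    = (unsigned char)((request_id >> 8) & 0xff);
    h->requestIdB0    = (unsigned char)(request_id & 0xff);
    h->contentLengthB1 = (unsigned char)((contentLength >> 8) & 0xff);
    h->contentLengthB0 = (unsigned char)(contentLength & 0xff);
    h->paddingLength  = paddingLength;
    h->reserved       = 0;
    return 0;
}

/* Serialises an environment block of any size as a sequence of FCGI_PARAMS
 * records, each carrying at most 0xffff bytes and padded to an 8-byte
 * boundary. The terminating empty FCGI_PARAMS record is not included.
 * Returns the number of bytes written to out, or -1 if out is too small. */
static long fcgi_params_records(const unsigned char *env, size_t envlen, size_t request_id,
                                unsigned char *out, size_t outcap) {
    size_t off = 0, written = 0;
    while (off < envlen) {
        size_t chunk = envlen - off;
        if (chunk > FCGI_MAX_CONTENT) chunk = FCGI_MAX_CONTENT;
        unsigned char pad = (unsigned char)((8 - (chunk % 8)) % 8);
        FCGI_Header h;
        if (fcgi_header_checked(&h, FCGI_PARAMS, request_id, chunk, pad) != 0) return -1;
        if (written + sizeof h + chunk + pad > outcap) return -1;
        memcpy(out + written, &h, sizeof h);      written += sizeof h;
        memcpy(out + written, env + off, chunk);  written += chunk;
        memset(out + written, 0, pad);            written += pad;
        off += chunk;
    }
    return (long)written;
}

/* Reads contentLength back from a serialised header, i.e. what the
 * receiving FastCGI application would parse. */
static unsigned fcgi_content_length(const unsigned char *p) {
    return ((unsigned)p[4] << 8) | p[5];
}

int main(void) {
    /* Constructed sample: an environment block of 0x10008 bytes, just over
     * the 16-bit limit, filled with a placeholder byte. */
    static unsigned char env[0x10008];
    static unsigned char out[sizeof env + 3 * 8 + 8];
    memset(env, 'A', sizeof env);

    printf("unchecked header would advertise %u bytes for a %zu-byte body\n",
           truncated_content_length(sizeof env), sizeof env);

    long n = fcgi_params_records(env, sizeof env, 1, out, sizeof out);
    if (n < 0) { fputs("output buffer too small\n", stderr); return 1; }
    printf("checked builder emitted %ld bytes: record 1 carries %u bytes, record 2 carries %u bytes\n",
           n, fcgi_content_length(out), fcgi_content_length(out + 8 + 0xffff + 1));
    return 0;
}
```

With the 0x10008-byte block the unchecked path would advertise a body of only 8 bytes, leaving the remaining bytes to be parsed as a fresh record header; the checked builder instead emits one record of 65535 bytes (plus one padding byte) followed by a second record of 9 bytes.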

Proof Of Concepts:

Since 1.4.17 it is no longer possible to use any character less than 0x20 as a value in a header, which makes exploitation of the vulnerability a little more complicated, but still possible. Because of the high risk of this vulnerability we have chosen not to release an exploit for 1.4.17, but instead a fully working exploit for <= 1.4.16 and PHP 5.2.X.

Lighttpd FastCGI Remote Vulnerability Exploit

Example:
# ./exploit localhost 80 /etc/passwd
or
# wget --referer="<?php system('/usr/bin/id'); ?>" localhost
# ./exploit localhost 80 /var/log/lighttpd/access.log

Interested in an exploit for 1.4.17? Please contact us!

Impact:

The impact for this issue should be considered VERY HIGH!

Solution:

Upgrade to lighttpd 1.4.18

secweb.se ©SECWEB 2007