Hello,
In the protocol implementation, the ReadParams function (fcgiapp.c) does not properly validate input-supplied lengths, which can lead to an integer overflow and, through it, to a heap overflow.
```c
    if((nameLen & 0x80) != 0) {
        if(FCGX_GetStr((char *) &lenBuff[0], 3, stream) != 3) {
            SetError(stream, FCGX_PARAMS_ERROR);
            return -1;
        }
        nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
                + (lenBuff[1] << 8) + lenBuff[2];
    }
    if((valueLen = FCGX_GetChar(stream)) == EOF) {
        SetError(stream, FCGX_PARAMS_ERROR);
        return -1;
    }
    if((valueLen & 0x80) != 0) {
        if(FCGX_GetStr((char *) &lenBuff[0], 3, stream) != 3) {
            SetError(stream, FCGX_PARAMS_ERROR);
            return -1;
        }
        valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
                 + (lenBuff[1] << 8) + lenBuff[2];
    }
    /*
     * nameLen and valueLen are now valid; read the name and value
     * from stream and construct a standard environment entry.
     */
    nameValue = (char *)Malloc(nameLen + valueLen + 2);
```
nameLen and valueLen are both taken from the input data while reading the parameters fed to fcgi's IPC socket.
If nameLen and valueLen both equal 0x7fffffff, the +2 added in the Malloc call pushes the sum past the maximum value of a size_t on 32-bit architectures, so it wraps around.
The following line:
```c
    if(FCGX_GetStr(nameValue, nameLen, stream) != nameLen) {
```
will then read nameLen bytes into a buffer that was allocated with size 0, which does not correspond to nameLen. This causes a heap overflow.
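To show the wrap concretely, here is an added example (not fcgi2 project code): the two length fields are decoded from a constructed PARAMS body exactly as ReadParams does, and the Malloc size is then computed with an explicit overflow check. `decode_len`, `checked_param_size` and the `size_max` parameter (which models the target platform's SIZE_MAX so the 32-bit case can be reproduced on a 64-bit host) are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Decode one FastCGI name/value length field: 1 byte if the high bit
 * is clear, otherwise 4 bytes with the high bit masked off.  Returns
 * the number of bytes consumed, or 0 if fewer than needed are available. */
size_t decode_len(const unsigned char *p, size_t avail, uint32_t *out)
{
    if (avail < 1)
        return 0;
    if ((p[0] & 0x80) == 0) {
        *out = p[0];
        return 1;
    }
    if (avail < 4)
        return 0;
    *out = ((uint32_t)(p[0] & 0x7f) << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 4;
}

/* Checked form of the nameLen + valueLen + 2 sum handed to Malloc.
 * size_max models the target's SIZE_MAX (0xffffffff on 32-bit).
 * Returns false instead of letting the sum wrap; with the reported
 * input 0x7fffffff/0x7fffffff the unchecked sum becomes 0 on 32-bit. */
bool checked_param_size(uint32_t nameLen, uint32_t valueLen,
                        uint64_t size_max, uint64_t *alloc)
{
    /* Compare by subtraction so no intermediate can itself wrap. */
    if (nameLen > size_max - 2 || valueLen > size_max - 2 - nameLen)
        return false;
    *alloc = (uint64_t)nameLen + valueLen + 2;
    return true;
}

/* Parse the length prefix of one pair from buf and return the checked
 * allocation size, or 0 if the fields are truncated or the sum would
 * wrap on a platform whose SIZE_MAX is size_max. */
uint64_t pair_alloc_size(const unsigned char *buf, size_t len, uint64_t size_max)
{
    uint32_t nameLen, valueLen;
    uint64_t alloc;
    size_t used = decode_len(buf, len, &nameLen);
    if (used == 0 || decode_len(buf + used, len - used, &valueLen) == 0)
        return 0;
    return checked_param_size(nameLen, valueLen, size_max, &alloc) ? alloc : 0;
}
```

The eight-byte header `ff ff ff ff ff ff ff ff` (a constructed input) decodes to the 0x7fffffff/0x7fffffff pair from the report and is rejected for a 32-bit size_max, while the same header on a 64-bit platform yields a 4 GiB allocation request.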
Considering that FastCGI is mostly used inside embedded equipment with poor system protections (no ASLR or NX, for example), this could be used to achieve remote code execution, either with the help of a developer misconfiguration exposing the socket or, more realistically, through another vulnerability such as an SSRF within the same web application.