For the letter c we chose the Cherokee project. It is a web server written mainly in C. Interestingly, this server can be found on IoT devices, including GoPro cameras.
Our approach to finding bugs was quite similar to the previous ones, but we decided to extend it in some ways.
Preparing
We started with preparing the environment for fuzzing.
During the build we encountered a problem:
which was solved by setting ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes.
So finally we were able to build with:
After building:
Run the main server
and the administration panel (with an option to listen on all network interfaces)
Fuzzing
Our idea was to test all handlers offered by the server. We enabled all of them and made them available under the paths /test1, /test2, …, /test19. The backed-up configuration file is also available here.
Radamsa was run from a custom script. A few HTTP requests were taken as input and, after modification, were sent to all handlers.
Additional tools
To improve result analysis we set up two additional tools. The first one, gcov, was already configured during the build (with the compiler flags -fprofile-arcs -ftest-coverage). This tool measures code coverage. After some time of fuzzing it was useful to verify how many code paths had been exercised.
While the application was running, special *.gcda files were created. They can easily be converted to HTML files with readable statistics.
As a result, a coverage report in the form of an HTML document will appear in the out directory.
The second tool, OpenGrok, was set up to help with reading the code. It is a source code browser supporting cross-reference navigation and search in the browser. Its installation and configuration process is well documented on the project's page.
Results
By fuzzing we discovered several crashes in various handlers. All were reported on Cherokee's GitHub.
One of the interesting findings was in the code responsible for handling headers before passing them to the CGI.
The cherokee_handler_cgi_t structure has a fixed-size array for environment variables, including request headers. When the handler processes a request it adds entries without checking whether the boundary of the array has been reached.
So, sending a request with enough headers causes a write outside the array.
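The pattern described above, modelled in a small constructed C program added here (this is not Cherokee's code; the struct, its size ENV_MAX and the helper names are assumptions for illustration). It keeps a fixed-size, NULL-terminated environment table, shows the unchecked append next to a bounds-checked one, and converts request headers into CGI-style HTTP_* entries so the overflow condition (more headers than slots) is easy to reproduce:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a CGI handler's environment table, not Cherokee's
 * code: a fixed-size, NULL-terminated array like the one execve() expects.
 * ENV_MAX is deliberately small so the boundary is easy to reach. */
#define ENV_MAX 8

typedef struct {
    char *envp[ENV_MAX + 1]; /* last slot reserved for the NULL terminator */
    int   envp_len;
} cgi_env_t;

/* The pattern described in the post: append without comparing envp_len to
 * the array size. Once envp_len reaches ENV_MAX the terminator write lands
 * past the end of envp, i.e. on whatever follows it in memory. Kept here
 * for comparison only; never called past ENV_MAX. */
void env_add_unchecked(cgi_env_t *e, char *entry)
{
    e->envp[e->envp_len++] = entry;
    e->envp[e->envp_len] = NULL;
}

/* Hardened form: refuse the entry when the table is full. Returns 0 on
 * success and -1 when the caller should stop and answer with an error
 * instead of continuing to fill the table. */
int env_add_checked(cgi_env_t *e, char *entry)
{
    if (e->envp_len >= ENV_MAX) {
        return -1;
    }
    e->envp[e->envp_len++] = entry;
    e->envp[e->envp_len] = NULL;
    return 0;
}

/* Build "HTTP_<NAME>=<value>" from a request header using the usual CGI
 * mapping (uppercase, '-' becomes '_'). Special cases such as Content-Type
 * are omitted in this model. Caller frees the result. */
char *header_to_env(const char *name, const char *value)
{
    size_t n = strlen(name), v = strlen(value);
    char *out = malloc(5 + n + 1 + v + 1); /* "HTTP_" NAME "=" VALUE NUL */
    if (!out) return NULL;
    char *p = out;
    memcpy(p, "HTTP_", 5);
    p += 5;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        *p++ = (c == '-') ? '_' : (char)toupper(c);
    }
    *p++ = '=';
    memcpy(p, value, v);
    p += v;
    *p = '\0';
    return out;
}

/* Populate the table from `count` headers. Returns how many were accepted;
 * anything beyond ENV_MAX is dropped instead of overflowing the array. */
int env_from_headers(cgi_env_t *e, const char *const *names,
                     const char *const *values, int count)
{
    e->envp_len = 0;
    e->envp[0] = NULL;
    for (int i = 0; i < count; i++) {
        char *entry = header_to_env(names[i], values[i]);
        if (!entry || env_add_checked(e, entry) != 0) {
            free(entry);
            break;
        }
    }
    return e->envp_len;
}

void env_free(cgi_env_t *e)
{
    for (int i = 0; i < e->envp_len; i++) free(e->envp[i]);
    e->envp_len = 0;
    e->envp[0] = NULL;
}

int main(void)
{
    /* Constructed request carrying more headers than the table can hold. */
    const char *names[12], *values[12];
    char buf[12][16];
    for (int i = 0; i < 12; i++) {
        snprintf(buf[i], sizeof buf[i], "X-Hdr-%d", i);
        names[i] = buf[i];
        values[i] = "v";
    }
    cgi_env_t env;
    int accepted = env_from_headers(&env, names, values, 12);
    printf("accepted %d of 12 headers, first entry: %s\n", accepted, env.envp[0]);
    env_free(&env);
    return 0;
}
```

The hardened path makes the limit an explicit, testable decision (the handler either refuses the request or truncates the table) rather than relying on whoever sits after the array in memory; a fuzzer sending hundreds of headers then produces an error response instead of a crash.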
XSS
Besides the bugs discovered by fuzzing, two reflected XSS vulnerabilities were found manually:
The first one affects only 400 Bad Request responses, so it seems hard to use against a user. The second one was found in the administration handler. This handler is used by default in the administration panel but can also be set up as a handler in the main server. The problem lies in copying the invoked URL into the response. The URL is not encoded before being put into HTML, CSS and JavaScript code, so special characters can be injected by an attacker.
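The fix for the second issue is context-aware output encoding: the same URL needs a different encoder depending on whether it lands in HTML text, an HTML attribute or a JavaScript string. The following C program is an added illustration, not Cherokee's handler code; the function names and the page layout in render_reflected are assumptions. It escapes for HTML and for a JavaScript string literal (every non-alphanumeric byte becomes \xHH, which also neutralises a closing script tag), then composes a response that reflects the URL into all three places:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Cherokee's code: encoders for reflecting untrusted
 * input into a response, one per output context. */

/* Escape for HTML text and double-quoted attribute values. Caller frees. */
char *html_escape(const char *s)
{
    size_t len = strlen(s);
    char *out = malloc(len * 6 + 1); /* worst case: every byte -> "&quot;" */
    if (!out) return NULL;
    char *p = out;
    for (const char *c = s; *c; c++) {
        const char *rep = NULL;
        switch (*c) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) {
            size_t r = strlen(rep);
            memcpy(p, rep, r);
            p += r;
        } else {
            *p++ = *c;
        }
    }
    *p = '\0';
    return out;
}

/* Escape for a JavaScript string literal inside <script>: every byte that is
 * not alphanumeric becomes \xHH, so '<', '/', quotes and newlines can never
 * terminate the literal or the script element. Caller frees. */
char *js_string_escape(const char *s)
{
    size_t len = strlen(s);
    char *out = malloc(len * 4 + 1); /* worst case: every byte -> "\xHH" */
    if (!out) return NULL;
    char *p = out;
    for (const unsigned char *c = (const unsigned char *)s; *c; c++) {
        if (isalnum(*c)) {
            *p++ = (char)*c;
        } else {
            sprintf(p, "\\x%02X", *c);
            p += 4;
        }
    }
    *p = '\0';
    return out;
}

/* Compose a small page (assumed layout) that reflects the URL into an
 * attribute, into element text and into a script string, each through the
 * encoder for that context. Caller frees. */
char *render_reflected(const char *url)
{
    char *h = html_escape(url);
    char *j = js_string_escape(url);
    if (!h || !j) {
        free(h);
        free(j);
        return NULL;
    }
    size_t n = strlen(h) * 2 + strlen(j) + 128;
    char *page = malloc(n);
    if (page) {
        snprintf(page, n,
                 "<input type=\"text\" value=\"%s\">\n"
                 "<p>Requested: %s</p>\n"
                 "<script>var url = \"%s\";</script>\n",
                 h, h, j);
    }
    free(h);
    free(j);
    return page;
}

int main(void)
{
    /* Constructed request URL containing markup characters. */
    char *page = render_reflected("/admin?q=\"><b>x</b>");
    if (page) {
        fputs(page, stdout);
        free(page);
    }
    return 0;
}
```

A single HTML encoder applied everywhere is the common mistake: it is correct inside an element or attribute, but inside a script string it is the JavaScript encoder that prevents the literal from being closed, which is why the page's CSS and JavaScript contexts needed their own treatment.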
As an authenticated administrator has access to powerful options in the panel, we created a proof-of-concept exploit to show how this vulnerability can be used to achieve Remote Code Execution.
After opening the URL, all actions are executed by the exploit; no further user interaction is required. For easier development, this exploit simulates filling in the proper inputs in the panel, which is quite slow, so some parts of the video are sped up.
Summary
Using fuzzing adjusted to the project's features, and extending our approach with manual testing, we found several crashes and XSS vulnerabilities. One of them led directly to RCE.
All reported bugs have been fixed.
Written on November 15, 2019 by
Mateusz Kocielski, Michał Dardas