For the letter c we chose Cherokee project. It is a web server written mainly in C language. What’s interesting, this server may be met on IoT devices including GoPro cameras.
Our approach to find bugs was quite similar to the previous ones, but we decided to extend it in some ways.
We started with preparing the environment for fuzzing.
During building we encountered a problem:
which was solved by setting ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes.
So finally, we were able to build with:
Run the main server
and administration panel (with an option to listen on all network interfaces)
Our idea was to test all handlers offered by the server. We enabled and made them available under paths /test1, /test2, …, /test19. Backed up configuration file is also available here.
Radamsa was run from a custom script. A few HTTP requests were taken as an input and after modification were sent to all handlers.
To improve result analysis we set up two additional tools. The first one - gcov, was already configured during the building (with compiler flags -fprofile-arcs -ftest-coverage). This tool helps in measuring code coverage. After some time of fuzzing it was beneficial to verify through how many code paths we went through.
While the application was running, special files *.gcda were created. They can be converted to HTML files with ease to read statistics.
As the result, coverage report in form of HTML document will appear in out directory.
The second tool - OpenGrok, was set up to help reading the code. It’s a source code browser, supporting cross-reference navigation and search options in a browser. Its installation and configuration process is well documented on the project’s page.
By fuzzing we discovered several crashes in various handlers. All were reported on the Cherokee’s GitHub.
One of the interesting findings was in code responsible for handling headers before passing them to the CGI.
Structure cherokee_handler_cgi_t has fixed size array for environmental variables including request headers. When the handler processes a request it adds entries without checking whether boundary value was reached.
So, sending a request with enough headers causes writing outside the array.
Despite the bugs discovered by fuzzing, two reflected XSS vulnerabilities were found manually:
As an authenticated administrator has access to powerful options in the panel, we created a Proof of Concept exploit to show how this vulnerability can be used to achieve Remote Code Execution.
After opening the URL all actions are executed by the exploit, no further user interaction was required. For easier development this exploit simulates filling proper inputs in the panel which is quite slow, thus some parts of the video are sped up.
Utilizing fuzzing adjusted to the project’s features and additionally extending our approach with manual testing, several crashes and XSS vulnerabilities were found. One of them directly lead to RCE.
All reported bugs have been fixed.
Written on November 15, 2019 by
Mateusz Kocielski, Michał Dardas
We invite you to contact us
through the following form:
LogicalTrust sp. z o.o. sp. k.
al. Aleksandra Brücknera 25-43 51-411 Wrocław, Poland, EU
According to art. 13 of the General Regulation on the Protection of Personal Data of 27 April 2016 (Official Journal EU L 119 of 04.05.2016) I inform that:
Data Administrator: The administrator of your personal data is Logicaltrust sp. z o.o. sp. k., with its registered office at ul. Aleksandra Brücknera, 25-43, 51-411 Wrocław, Tax Identification Number (NIP): 8952177980, National Business Registry Number (REGON): 369271084, National Court Register Number (KRS): 0000713515.
Contact with the Data Administrator: You can contact the data administrator via email at: firstname.lastname@example.org or by traditional mail by sending a letter to the administrator's registered office address.
Purpose and Legal Basis for Processing Personal Data: Your personal data will be processed by the data administrator for the purpose of responding to your inquiries, executing requested contact, taking actions prior to entering into a contract, performing the contract, establishing business relationships, presenting offers upon potential client's request (based on Art. 6(1)(a), (b), and (f) of the General Data Protection Regulation).
Data Processing Period: Your personal data will be processed for the time necessary to clarify your matter and provide a comprehensive response. They will also be processed for the duration of cooperation and the contract (in this case, the data is processed as client data). In the event of non-cooperation, the data will be promptly deleted unless there is a need for further retention for the purpose of defense and protection against claims. In cases where the processing of personal data is based on voluntarily given consent according to Art. 6(1)(a) of the General Data Protection Regulation, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal, in accordance with the applicable law.
Scope of Processed Data: The scope of processed data includes: first name, last name, email, and phone number.
Recipients of Personal Data: In specific situations, your personal data may be disclosed, for example, to fulfill a legal obligation or to exercise legally justified interests pursued by the data administrator or by a third party. The categories of recipients to whom the data administrator may disclose your personal data are entities or authorities authorized by law and service providers processing personal data on behalf of the data administrator based on data processing agreements (e.g., hosting company).
Data Transfers: Your personal data will not be transferred outside the European Economic Area.
Rights and Entitlements: You have the right to request access to your personal data, their correction, deletion, or processing limitations, as well as the right to object to data processing. You also have the right to file a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw) if you believe that the processing of personal data violates data protection regulations.
Additional Information: Providing data is voluntary, but failure to provide data necessary for correspondence may hinder the execution and maintenance of contact.
1. About cookies - Cookies are small data files, especially text files, which are stored by a server on your computer. With these files, your device will be recognized and, in consequence, the way a given website is presented will be adjusted to your personal preferences. Cookies usually contain the name of the website from which they originate, information on how long they have been stored on the device and a unique number.
2. Which type of cookies do we use - Session cookies – temporary files which are stored on your device until you log out from a given website or close the Internet browser. Persistent cookies – permanent files that remain on your device for a fixed period (specified in the parameters of the file) or until they are deleted manually. Third-party cookies – files that adjust the way a given website is presented to your personal preferences.