For the letter C we chose the Cherokee project. It is a web server written mainly in C. Interestingly, this server can be found on IoT devices, including GoPro cameras.
Our approach to finding bugs was similar to the previous ones, but we extended it in a few ways.
We started with preparing the environment for fuzzing.
During building we encountered a problem:
which was solved by setting ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes. These autoconf cache variables tell configure that malloc(0) and realloc(NULL, 0) return non-NULL, so it stops substituting the rpl_malloc/rpl_realloc replacements that the build could not link.
So finally, we were able to build with:
Run the main server
and administration panel (with an option to listen on all network interfaces)
Our idea was to test all the handlers the server offers. We enabled them and made them available under the paths /test1, /test2, …, /test19. The backed-up configuration file is also available here.
Radamsa was run from a custom script. A few HTTP requests were taken as input, mutated, and then sent to all the handlers.
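The following is an added example, not the authors' script, of a fuzzing loop in the shape just described: each seed request is mutated, the mutant is re-targeted at every handler path /test1 .. /test19, and a connection that closes without a reply is flagged. The byte-level mutator is a small stand-in for Radamsa (an external program); the host, port, handler count, seed corpus and all function names are assumptions for the example.

```c
/* Added example, not the authors' Radamsa script: a minimal request fuzzer. Each seed
 * is mutated, re-targeted at every handler path /test1 .. /test19 and sent. The mutator
 * is a small stand-in for Radamsa; host, port, handler count and names are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>

#define N_HANDLERS 19
#define MAX_REQ    4096

static const char *seeds[] = {                 /* constructed seed corpus */
    "GET / HTTP/1.1\r\nHost: localhost\r\nUser-Agent: fuzz\r\n\r\n",
    "POST / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 5\r\n\r\nhello",
};

static unsigned int rng_state = 1;             /* deterministic xorshift, so runs replay */
static unsigned int rnd(void) { unsigned int x = rng_state; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return rng_state = x; }

/* Apply 1..4 random byte-level mutations (bit flip, random byte, delete byte,
 * duplicate chunk) to in; returns the new length. */
static size_t mutate(const unsigned char *in, size_t in_len, unsigned char *out, size_t out_sz)
{
    size_t len = in_len < out_sz ? in_len : out_sz;
    memcpy(out, in, len);
    unsigned int rounds = 1 + rnd() % 4;
    for (unsigned int i = 0; i < rounds && len > 0; i++) {
        size_t pos = rnd() % len, chunk = 1 + rnd() % 64;
        switch (rnd() % 4) {
        case 0: out[pos] ^= (unsigned char)(1u << (rnd() % 8)); break;
        case 1: out[pos] = (unsigned char)rnd(); break;
        case 2: if (len > 1) { memmove(out + pos, out + pos + 1, len - pos - 1); len--; } break;
        default:
            if (pos + chunk > len) chunk = len - pos;
            if (len + chunk <= out_sz) {                 /* out[pos..pos+chunk) appears twice */
                memmove(out + pos + chunk, out + pos, len - pos);
                memcpy(out + pos, out + pos + chunk, chunk);
                len += chunk;
            }
        }
    }
    return len;
}

/* Replace the request-target on the first line with /testN so one mutant can be
 * replayed against every handler. Works on raw bytes, since a mutant may contain
 * NULs. Returns the new length, or -1 when no request line survives. */
static int set_handler(const char *in, size_t in_len, int n, char *out, size_t out_sz)
{
    const char *sp1 = memchr(in, ' ', in_len);
    if (sp1 == NULL) return -1;
    const char *sp2 = memchr(sp1 + 1, ' ', in_len - (size_t)(sp1 + 1 - in));
    if (sp2 == NULL) return -1;
    char path[32]; int plen = snprintf(path, sizeof path, " /test%d", n);
    size_t mlen = (size_t)(sp1 - in), rest = in_len - (size_t)(sp2 - in);
    if (plen < 0 || mlen + (size_t)plen + rest > out_sz) return -1;
    memcpy(out, in, mlen);
    memcpy(out + mlen, path, (size_t)plen);
    memcpy(out + mlen + plen, sp2, rest);
    return (int)(mlen + (size_t)plen + rest);
}

/* Send one request: 0 = got a reply, 1 = connection closed or reset with no data
 * (a crash candidate; check the server log), -1 = could not connect at all. */
static int send_request(const char *host, int port, const char *req, size_t len)
{
    struct sockaddr_in sa; char buf[256];
    int fd = socket(AF_INET, SOCK_STREAM, 0), rc = 1;
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET; sa.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, host, &sa.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    if (write(fd, req, len) == (ssize_t)len && read(fd, buf, sizeof buf) > 0) rc = 0;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    unsigned int seed0 = rng_state = argc > 1 ? (unsigned int)strtoul(argv[1], NULL, 10) | 1u : 1u;
    unsigned char mut[MAX_REQ]; char req[MAX_REQ + 32];
    for (int iter = 0; iter < 1000; iter++) {
        const char *seed = seeds[rnd() % (sizeof seeds / sizeof seeds[0])];
        size_t mlen = mutate((const unsigned char *)seed, strlen(seed), mut, sizeof mut);
        for (int h = 1; h <= N_HANDLERS; h++) {
            int rlen = set_handler((const char *)mut, mlen, h, req, sizeof req);
            if (rlen < 0) continue;                         /* request line mangled */
            int rc = send_request("127.0.0.1", 8080, req, (size_t)rlen);
            if (rc < 0) { fprintf(stderr, "cannot connect to the server\n"); return 1; }
            if (rc == 1) printf("seed=%u iter=%d /test%d: no reply\n", seed0, iter, h);
        }
    }
    return 0;
}
```

The PRNG seed is taken from the command line and printed with every suspicious result, so a "no reply" can be reproduced by rerunning with the same seed and counting iterations; with Radamsa proper the same is achieved with its --seed option. A closed connection is only a candidate: confirm it against the server's log or a debugger before filing it.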
To improve result analysis we set up two additional tools. The first, gcov, was already configured during the build (with the compiler flags -fprofile-arcs -ftest-coverage). It measures code coverage: after some time of fuzzing it was useful to check how many code paths had actually been exercised.
As the application ran, *.gcda profile files were produced. They can easily be converted into HTML files with readable statistics. Note that gcc writes the .gcda counters when the process exits normally, so a worker that crashes or is killed loses its coverage data unless the counters are flushed explicitly.
As a result, a coverage report in the form of an HTML document appears in the out directory.
The second tool, OpenGrok, was set up to help with reading the code. It is a source code browser with cross-reference navigation and search, used from a web browser. Its installation and configuration are well documented on the project's page.
By fuzzing we discovered several crashes in various handlers. All of them were reported on Cherokee's GitHub.
One of the interesting findings was in the code that prepares request headers before passing them to the CGI.
The structure cherokee_handler_cgi_t has a fixed-size array for environment variables, including the request headers. When the handler processes a request it adds entries without checking whether the array boundary has been reached.
So sending a request with enough headers writes past the end of the array.
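The following is an added example, not Cherokee's code, that puts the pattern described above (a fixed-size environment array appended to without a bounds check) next to a checked version of the same routine. The struct layout, the small CGI_ENV_MAX and all names are assumptions for illustration; the real array is larger, so the real request needs correspondingly more headers.

```c
/* Added example, not Cherokee's code: a fixed-size environment array appended to
 * without a bounds check, next to the checked version. Struct layout, CGI_ENV_MAX
 * and all names are assumed; CGI_ENV_MAX is kept small so the limit is easy to reach. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CGI_ENV_MAX 8

typedef struct {
    char *envp[CGI_ENV_MAX];  /* "NAME=value" strings later handed to execve() */
    int   envp_last;          /* next free slot */
    int   after_array;        /* stands in for whatever follows the array in memory */
} cgi_env_t;

static char *make_entry(const char *name, const char *value)
{
    size_t len = strlen(name) + strlen(value) + 2;
    char *e = malloc(len);
    if (e != NULL) snprintf(e, len, "%s=%s", name, value);
    return e;
}

/* Vulnerable pattern: nothing stops envp_last reaching CGI_ENV_MAX, so the
 * (CGI_ENV_MAX+1)th header overwrites the fields that follow the array. Build with
 * -fsanitize=address and call it CGI_ENV_MAX+1 times to see the report. */
static void env_add_unchecked(cgi_env_t *cgi, const char *name, const char *value)
{
    cgi->envp[cgi->envp_last++] = make_entry(name, value);
}

/* Checked form: reject the entry once the array is full, keeping the last slot
 * for the NULL terminator execve() expects. Returns 0 on success, -1 if full. */
static int env_add_checked(cgi_env_t *cgi, const char *name, const char *value)
{
    if (cgi->envp_last >= CGI_ENV_MAX - 1) return -1;
    char *e = make_entry(name, value);
    if (e == NULL) return -1;
    cgi->envp[cgi->envp_last++] = e;
    cgi->envp[cgi->envp_last] = NULL;
    return 0;
}

/* Simulate a request carrying n headers (HTTP_X_H0, HTTP_X_H1, ...); returns how
 * many the checked append accepted. Through the unchecked one, n > CGI_ENV_MAX
 * would corrupt memory instead of being refused. */
static int add_headers_checked(cgi_env_t *cgi, int n)
{
    char name[32], value[32];
    int accepted = 0;
    for (int i = 0; i < n; i++) {
        snprintf(name, sizeof name, "HTTP_X_H%d", i);
        snprintf(value, sizeof value, "v%d", i);
        if (env_add_checked(cgi, name, value) == 0) accepted++;
    }
    return accepted;
}

static void env_init(cgi_env_t *cgi) { memset(cgi, 0, sizeof *cgi); cgi->after_array = 0x5a5a5a5a; }
static void env_free(cgi_env_t *cgi) { for (int i = 0; i < cgi->envp_last; i++) free(cgi->envp[i]); }

int main(void)
{
    cgi_env_t cgi;
    env_init(&cgi);
    int ok = add_headers_checked(&cgi, 100);   /* header flood: 100 headers offered */
    printf("accepted %d of 100 headers, after_array still 0x%x\n", ok, cgi.after_array);
    env_free(&cgi);
    return 0;
}
```

The checked append reports failure rather than silently dropping the header, so the caller can answer the request with an error instead of running the CGI with a truncated environment. Whether a fixed limit or a growable array is the right fix is a design choice for the project; the essential point is that the count is compared against the capacity before every write.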
Besides the bugs discovered by fuzzing, two reflected XSS vulnerabilities were found manually:
Since an authenticated administrator has access to powerful options in the panel, we created a proof-of-concept exploit to show how this vulnerability can be used to achieve remote code execution.
After opening the URL, all actions are performed by the exploit; no further user interaction is required. For easier development the exploit simulates filling in the proper inputs in the panel, which is quite slow, so some parts of the video are sped up.
Using fuzzing tailored to the project's features, and extending our approach with manual testing, we found several crashes and XSS vulnerabilities. One of them led directly to RCE.
All reported bugs have been fixed.
Written on November 15, 2019 by
Mateusz Kocielski, Michał Dardas