| Upstream-Status: Backport |
| CVE: CVE-2022-22707 |
| Signed-off-by: Ross Burton <ross.burton@arm.com> |
| |
| From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001 |
| From: povcfe <povcfe@qq.com> |
| Date: Wed, 5 Jan 2022 11:11:09 +0000 |
| Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134) |
| |
| (thx povcfe) |
| |
| (edited: gstrauss) |
| |
| There is a potential remote denial of service in lighttpd mod_extforward |
| under specific, non-default and uncommon 32-bit lighttpd mod_extforward |
| configurations. |
| |
| Under specific, non-default and uncommon lighttpd mod_extforward |
| configurations, a remote attacker can trigger a 4-byte out-of-bounds |
| write of value '-1' to the stack. This is not believed to be exploitable |
| in any way beyond triggering a crash of the lighttpd server on systems |
| where the lighttpd server has been built 32-bit and with compiler flags |
| which enable a stack canary -- gcc/clang -fstack-protector-strong or |
| -fstack-protector-all, but bug not visible with only -fstack-protector. |
| |
| With standard lighttpd builds using -O2 optimization on 64-bit x86_64, |
| this bug has not been observed to cause adverse behavior, even with |
| gcc/clang -fstack-protector-strong. |
| |
| For the bug to be reachable, the user must be using a non-default |
| lighttpd configuration which enables mod_extforward and configures |
| mod_extforward to accept and parse the "Forwarded" header from a trusted |
| proxy. At this time, support for RFC7239 Forwarded is not common in CDN |
| providers or popular web server reverse proxies. It bears repeating that |
| for the user to desire to configure lighttpd mod_extforward to accept |
| "Forwarded", the user must also be using a trusted proxy (in front of |
| lighttpd) which understands and actively modifies the "Forwarded" header |
| sent to lighttpd. |
| |
| lighttpd natively supports RFC7239 "Forwarded" |
| hiawatha natively supports RFC7239 "Forwarded" |
| |
| nginx can be manually configured to add a "Forwarded" header |
| https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ |
| |
| A 64-bit build of lighttpd on x86_64 (not known to be affected by bug) |
| in front of another 32-bit lighttpd will detect and reject a malicious |
| "Forwarded" request header, thereby thwarting an attempt to trigger |
| this bug in an upstream 32-bit lighttpd. |
| |
| The following servers currently do not natively support RFC7239 Forwarded: |
| nginx |
| apache2 |
| caddy |
| node.js |
| haproxy |
| squid |
| varnish-cache |
| litespeed |
| |
| Given the general dearth of support for RFC7239 Forwarded in popular |
| CDNs and web server reverse proxies, and given the prerequisites in |
| lighttpd mod_extforward needed to reach this bug, the number of lighttpd |
| servers vulnerable to this bug is estimated to be vanishingly small. |
| Large systems using reverse proxies are likely running 64-bit lighttpd, |
| which is not known to be adversely affected by this bug. |
| |
| In the future, it is desirable for more servers to implement RFC7239 |
| Forwarded. lighttpd developers would like to thank povcfe for reporting |
| this bug so that it can be fixed before more CDNs and web servers |
| implement RFC7239 Forwarded. |
| |
| x-ref: |
| "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1" |
| https://redmine.lighttpd.net/issues/3134 |
| (not yet written or published) |
| CVE-2022-22707 |
| --- |
| src/mod_extforward.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/src/mod_extforward.c b/src/mod_extforward.c |
| index ba957e04..fdaef7f6 100644 |
| --- a/src/mod_extforward.c |
| +++ b/src/mod_extforward.c |
| @@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c |
| while (s[i] == ' ' || s[i] == '\t') ++i; |
| if (s[i] == ';') { ++i; continue; } |
| if (s[i] == ',') { |
| - if (j >= (int)(sizeof(offsets)/sizeof(int))) break; |
| + if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break; |
| offsets[++j] = -1; /*("offset" separating params from next proxy)*/ |
| ++i; |
| continue; |
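Review bot: the fix is right, but its reason stays implicit in the condition. The store on the following line is `offsets[++j] = -1;`, a pre-increment, so the guard has to ensure `j + 1 < sizeof(offsets)/sizeof(int)`; the old `j >= N` let `j == N-1` through and wrote -1 one int past the array. Writing it as `if (j + 1 >= (int)(sizeof(offsets)/sizeof(int))) break;`, or naming the array length once, makes the off-by-one visible and does not rely on the reader knowing that the cast binds tighter than the trailing `- 1`. Any other `offsets[++j]` store in this function lies outside the hunk and should carry the same bound. A regression test feeding one more comma-separated element than `offsets` can hold would pin the boundary, ideally in a 32-bit -fstack-protector-strong build, where the message says the overrun is observable.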
| -- |
| 2.25.1 |
| |
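The off-by-one the message describes, shown on a small model of the same bookkeeping: an added example, not lighttpd's code, with an assumed array size (NOFFSETS) and a canary after the array so an overrun would be visible.

```c
#include <stddef.h>
#include <string.h>

/* Added example modelling the array bookkeeping that the patch guards; it is
 * not lighttpd's code and NOFFSETS is an assumed size. A Forwarded value lists
 * proxy elements separated by ',' with parameters inside an element separated
 * by ';'. The scanner stores each parameter's start offset in a fixed int
 * array and stores -1 where one element ends and the next begins. */
#define NOFFSETS 6
#define CANARY   0x5a5a5a5a

struct scan {
    int offsets[NOFFSETS];
    int canary;   /* placed right after the array so an overrun would show */
};

/* Returns the number of entries stored in sc->offsets, or -1 when the header
 * holds more parameters and separators than the array can delimit. Every
 * write is offsets[++j], so it is in bounds only while j + 1 < NOFFSETS: the
 * patched check bails out when j >= NOFFSETS - 1. The original check
 * (j >= NOFFSETS) let j == NOFFSETS - 1 through and wrote offsets[NOFFSETS],
 * the 4-byte out-of-bounds write of -1 the commit message describes. */
int scan_forwarded(const char *s, struct scan *sc)
{
    const size_t len = strlen(s);
    int j = -1;
    sc->canary = CANARY;
    for (size_t i = 0; i < len; ) {
        while (s[i] == ' ' || s[i] == '\t') ++i;
        if (i >= len) break;
        if (s[i] == ';') { ++i; continue; }
        if (s[i] == ',') {
            if (j >= NOFFSETS - 1) return -1;   /* patched bound */
            sc->offsets[++j] = -1;              /* element separator */
            ++i;
            continue;
        }
        /* start of a parameter: record it, then skip past its text */
        if (j >= NOFFSETS - 1) return -1;
        sc->offsets[++j] = (int)i;
        while (i < len && s[i] != ';' && s[i] != ',') ++i;
    }
    return j + 1;
}

int canary_intact(const struct scan *sc) { return sc->canary == CANARY; }
```

With NOFFSETS = 6, three elements of one parameter each fill five slots and are accepted; a fourth element is rejected before any store, and the canary stays intact.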