from SecurityFocus Vulnerabilities http://ift.tt/25y8rHa
Advisory: Websockify: Remote Code Execution via Buffer Overflow
RedTeam Pentesting discovered a buffer overflow vulnerability in the C
implementation of Websockify, which allows attackers to execute
arbitrary code.
Details
=======
Product: Websockify C implementation
Affected Versions: all versions <= 0.8.0
Fixed Versions: versions since commit 192ec6f (2016-04-22) [0]
Vulnerability Type: Buffer Overflow
Security Risk: high
Vendor URL: http://ift.tt/19GQpRR
Vendor Status: fixed
Advisory URL: http://ift.tt/1sIvIEp
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://ift.tt/1jQGmEN
Introduction
============
"websockify was formerly named wsproxy and was part of the noVNC
project.
At the most basic level, websockify just translates WebSockets traffic
to normal TCP socket traffic. Websockify accepts the WebSockets
handshake, parses it, and then begins forwarding traffic between the
client and the target in both directions."
(from the project's readme)
More Details
============
For each new connection, websockify forks and calls the function
do_handshake() to receive a client's WebSocket handshake. The
following excerpt shows some of the source code responsible for
receiving the client's data from the socket file descriptor:
------------------------------------------------------------------------
ws_ctx_t *do_handshake(int sock) {
    char handshake[4096], response[4096], sha1[29], trailer[17];
    [...]
    offset = 0;
    for (i = 0; i < 10; i++) {
        len = ws_recv(ws_ctx, handshake+offset, 4096);
        if (len == 0) {
            handler_emsg("Client closed during handshake\n");
            return NULL;
        }
        offset += len;
        handshake[offset] = 0;
        if (strstr(handshake, "\r\n\r\n")) {
            break;
        }
        usleep(10);
    }
    [...]
------------------------------------------------------------------------
As can be seen in the listing, the function ws_recv() is called in a
loop to read data from the client's socket into the stack-allocated
buffer 'handshake'. Each time ws_recv() is called, a maximum of 4096
bytes are read from the socket and stored in the handshake buffer.
The variable 'offset' determines the position in the buffer at which
the received data is written. In each iteration, the value of 'offset'
is increased by the number of bytes received, but the length passed to
ws_recv() stays 4096 regardless of how much of the buffer is already
used. If the received data contains the string "\r\n\r\n", which marks
the end of the WebSocket handshake data, the loop is terminated.
Otherwise, the loop is terminated after a maximum of 10 iterations. The
do_handshake() function returns early if no more data can be received
from the socket.
By sending a handshake that does not contain "\r\n\r\n" within the
first 4096 bytes, attackers can force websockify to iterate multiple
times and write data past the space allocated for the handshake buffer,
thereby corrupting adjacent stack memory.
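The bounded form of this read loop, as an added example that is neither websockify's code nor the upstream fix: ws_recv() is replaced by a stand-in that serves a constructed in-memory request, and each read is capped at the space remaining in the 4096-byte buffer, so an oversized handshake is rejected instead of being written past the buffer. The names fake_recv, read_handshake and request_result are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not websockify's code. fake_recv() stands in for ws_recv():
 * it serves bytes from a constructed in-memory client stream, at most 'max'
 * per call, like a socket read would. */
typedef struct { const char *data; size_t len, pos; } fake_client_t;

static size_t fake_recv(fake_client_t *c, char *buf, size_t max) {
    size_t n = c->len - c->pos;
    if (n > max) n = max;
    memcpy(buf, c->data + c->pos, n);
    c->pos += n;
    return n;
}

/* Bounded read loop (assumed shape, not the upstream fix): each read is
 * limited to the space left in the buffer, one byte is reserved for the
 * terminating NUL, and a handshake that fills the buffer without a blank
 * line is rejected instead of spilling into adjacent stack memory.
 * Returns the handshake length, or -1 on error. */
static int read_handshake(fake_client_t *c, char *handshake, size_t size) {
    size_t offset = 0;
    for (int i = 0; i < 10; i++) {
        size_t room = size - 1 - offset;
        if (room == 0)
            return -1;                 /* buffer full, still no "\r\n\r\n" */
        size_t len = fake_recv(c, handshake + offset, room);
        if (len == 0)
            return -1;                 /* client closed during handshake */
        offset += len;
        handshake[offset] = '\0';
        if (strstr(handshake, "\r\n\r\n"))
            return (int)offset;
    }
    return -1;                         /* ten reads without a blank line */
}

/* Construct "GET /AAA... HTTP/1.1\r\n\r\n" with a path of path_len bytes
 * and run it through the bounded loop against a 4096-byte stack buffer. */
int request_result(size_t path_len) {
    static char stream[16384];
    if (path_len > sizeof stream - 32)
        return -2;
    size_t n = (size_t)snprintf(stream, sizeof stream, "GET /");
    memset(stream + n, 'A', path_len);
    n += path_len;
    n += (size_t)snprintf(stream + n, sizeof stream - n, " HTTP/1.1\r\n\r\n");
    fake_client_t c = { stream, n, 0 };
    char handshake[4096];
    return read_handshake(&c, handshake, sizeof handshake);
}
```

A 5000-byte path, as in the advisory's curl command, now yields a clean rejection after the first read fills the buffer, while any request that fits within 4095 bytes is accepted unchanged.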
Proof of Concept
================
The following curl command can be used to trigger the buffer overflow:
$ curl http://example.com/$(python -c 'print "A"*5000')
Providing a generic exploit for this vulnerability is not feasible, as
it depends on the server-side environment websockify is used in as well
as the compiler used and its flags. However, during a penetration test
it was possible to successfully exploit this buffer overflow
vulnerability and to execute arbitrary commands on the server.
Workaround
==========
Use the Python implementation of websockify.
Fix
===
The vulnerability has been fixed in commit 192ec6f [0].
Security Risk
=============
Successful exploitation of the vulnerability allows attackers to execute
arbitrary code on the affected system. It is therefore rated as a high
risk.
Timeline
========
2016-04-14 Vulnerability identified
2016-05-03 Advisory provided to customer
2016-05-06 Customer provided updated firmware, notified users
2016-05-23 Customer notified users again
2016-05-31 Advisory published
References
==========
[0] http://ift.tt/1XLMMVC
ad4bd9e7bcd9
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. In this way, security weaknesses
in company networks or products are uncovered and can be fixed
immediately.
As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
http://ift.tt/1ixScMF
--
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                              http://ift.tt/1ixScMF
Germany                                   Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen