Apache HTTP Server mod_luaÄ£¿£¿£¿£¿£¿é»º³åÇøÒç³öÎó²îÆÊÎö£¨CVE-2021-44790£©
Ðû²¼Ê±¼ä 2022-01-20Îó²î¸ÅÊö
2021Äê12ÔÂ20ÈÕ£¬£¬£¬Apache ÍŶÓÐû²¼ÁËApache HTTP Server 2.4.52°æ±¾£¬£¬£¬ÐÞ¸´ÁËApache HTTP ServerÖеÄÒ»¸ö»º³åÇøÒç³öÎó²î£¨CVE-2021-44790£©£¬£¬£¬¸ÃÎó²î±£´æÓÚmod_luaÆÊÎöÆ÷ÖУ¬£¬£¬µ±Ð§ÀÍÆ÷ÆÊÎö¶ñÒâÇëÇóʱ´¥·¢»º³åÇøÒç³ö£¬£¬£¬¿Éµ¼Ö¾ܾøÐ§ÀÍ»òÖ´ÐÐí§Òâ´úÂë¡£¡£
Ó°Ïì¹æÄ£
Ó°Ïì°æ±¾£ºApache HTTP Server <= 2.4.51
Ïà¹ØÏÈÈÝ
Mod_luaÄ£¿£¿£¿£¿£¿é
Mod_luaÄ£¿£¿£¿£¿£¿éÊÇApacheÉϵÄÒ»¸öÀ©Õ¹Ä£¿£¿£¿£¿£¿é£¬£¬£¬ÊÊÓÃÓÚ2.3ÒÔÉϰ汾¡£¡£¸ÃÄ£¿£¿£¿£¿£¿éÔÊÐíʹÓÃlua¾ç±¾À©Õ¹Ð§ÀÍÆ÷£¬£¬£¬»¹°üÀ¨Ðí¶àÆäËûÄ£¿£¿£¿£¿£¿é¿ÉÓõĹ³×Óº¯Êý¡£¡£ÀýÈ罫ÇëÇó Map µ½Îļþ£¬£¬£¬ÌìÉú¶¯Ì¬ÏìÓ¦£¬£¬£¬»á¼û¿ØÖÆ£¬£¬£¬Éí·ÝÑéÖ¤ºÍÊÚȨµÈ¡£¡£ÈôÊÇ¿ªÆô¸ÃÄ£¿£¿£¿£¿£¿é£¬£¬£¬¿ÉÄÜ»áÔì³ÉһЩÇå¾²Òþ»¼¡£¡£
ÔÚ/etc/httpd/httpd.cnfÉèÖÃÎļþÖÐ×÷·ÏÏÂÃæÕâÐÐ×¢ÊÍ£¬£¬£¬¼´¿É¿ªÆô¸ÃÄ£¿£¿£¿£¿£¿éµÄ¹¦Ð§¡£¡£
µ±ÊÕµ½.luaÎļþÇëÇóʱ£¬£¬£¬mod_luaÄ£¿£¿£¿£¿£¿éŲÓÃlua-scriptµÄhandleº¯Êý¾ÙÐд¦Öóͷ£¡£¡£ÏÂͼΪhandleº¯ÊýʵÀý¡£¡£
aprÄÚ´æ³Ø
ΪÁËïÔÌϵͳÄÚ´æ·ÖÅɵÄʱ¼ä£¬£¬£¬Ìá¸ß³ÌÐòÔËÐÐЧÂÊ£¬£¬£¬ApacheµÄ¿ª·¢Õß½¨ÉèÁËÒ»Ì×»ùÓڳؿ´·¨µÄÄÚ´æÖÎÀí¼Æ»®¡£¡£ÕâÌ×ÒªÁìÒÆµ½aprÖгÉΪͨÓõÄÄÚ´æÖÎÀí¼Æ»®£¬£¬£¬Ò²¾ÍÊÇaprÄÚ´æ³Ø¡£¡£
aprµÄÄÚ´æ³Ø½á¹¹×ÅʵÊÇÒ»ÖÖÊ÷×´µÄÌõÀí½á¹¹£¬£¬£¬parentÖ¸ÏòÄ¿½ñÄÚ´æ³ØµÄ¸¸ÄÚ´æ³Ø£¬£¬£¬childÖ¸ÏòÄ¿½ñÄÚ´æ³ØµÄ×ÓÄÚ´æ³Ø£¬£¬£¬siblingÔòÖ¸ÏòÄ¿½ñÄÚ´æ³ØµÄÐÖµÜÄÚ´æ³Ø¡£¡£Óû§Ê¹ÓõÄÄÚ´æ¿Õ¼ä£¬£¬£¬ÔòÊÇactiveÖÎÀíµÄÒ»¸ö½ÚµãÁ´±í¡£¡£Óû§ÒªÉêÇëÄÚ´æ¿Õ¼äµÄʱ¼ä¾Í»áÔÚactiveÖÎÀíµÄÄÚ´æ½ÚµãÖÐѰÕÒ¡£¡£
½á¹¹ÌåÈçÏÂËùʾ£º
Óû§ÉêÇëÄÚ´æÀú³Ì£º
£¨1£©Ê×ÏÈÈ¡×î¿¿½ü²»Ð¡ÓÚ8×Ö½Ú±¶Êý¾ÞϸµÄ¿Õ¼ä£¨8×Ö½Ú¶ÔÆë£©£¬£¬£¬È»ºóƾ֤ÉêÇë¾ÞϸÅжÏactive½Úµã¿ÉÓÿռäÊÇ·ñ×ã¹»¡£¡£ÈôÄÚ´æ×ã¹»£¬£¬£¬Òƶ¯first_availÖ¸Õ룬£¬£¬·µ»ØÆäµØµã£»£»Èô¿Õ¼äȱ·¦£¬£¬£¬Ôò¼ÌÐø¾ÙÐÐ2Ö®ºóµÄ°ì·¨¡£¡£
£¨2£©ÅжÏÏÂÒ»¸öÄÚ´æ½ÚµãµÄÊ£Óà¿Õ¼äÊÇ·ñ×ã¹»£¬£¬£¬Èô×ã¹»ÔòʹÓÃÖ®£¬£¬£¬²¢½«Ö®ÍÑÀëÄ¿½ñÁ´±í£»£»Èôȱ·¦£¬£¬£¬Ôò̫ͨ¹ýÅä×Ó·ÖÅÉеÄÄÚ´æ½Úµã¡£¡£
£¨3£©½«µÚ2²½ÖлñµÃµÄ½Úµã²åÈëactive½Úµã֮ǰ£¬£¬£¬²¢³ÉΪеÄactive½Úµã¡£¡£
£¨4£©ÅÌËã¾ÉµÄactive½ÚµãµÄÊ£Óà¿Õ¼ä´óС£¡£¬£¬£¬²¢ÇÒÓëÆäÁ´±íºóµÄËùÓнڵãµÄÊ£Óà¿Õ¼ä¾Þϸ½ÏÁ¿£¬£¬£¬²¢²åÈëÁ´±íÖÐ׼ȷµÄλÖᣡ£
²¹¶¡ÆÊÎö
¸ÃÎó²îÔÚApache HTTP Server 2.4.52ÖоÙÐÐÁËÐÞ¸´£¬£¬£¬ÔÚÄÚ´æÉêÇë֮ǰ£¬£¬£¬ÔöÌíÁ˶Գ¤¶ÈµÄÕýµ±ÐÔУÑé¡£¡£µ±end-crlfСÓÚ¼´ÊÇ8£¬£¬£¬³ÌÐò»áÖ±½ÓÍ˳ö£¬£¬£¬×èÖ¹ÕûÊýÒç³ö¡£¡£
Îó²îÆÊÎö
ƾ֤Îó²îͨ¸æ£¬£¬£¬¿ÉÖªÎó²î±£´æÓÚmod_luaÄ£¿£¿£¿£¿£¿éÖУ¬£¬£¬lua¾ç±¾Å²ÓÃÁËr:parsebody()º¯Êý±¬·¢ÁË»º³åÇøÒç³ö¡£¡£Á¬ÏµpatchÐÅÏ¢£¬£¬£¬Ö±½Ó¶¨Î»µ½req_parsebodyº¯Êý¡£¡£
±¾ÎÄʹÓÃApache HTTP Server 2.4.49°æ±¾¾ÙÐÐÆÊÎö£¬£¬£¬´úÂëÖкìÉ«·½¿ò±êʶ³öÀ´µÄ²¿·Ö¼´Îó²î´úÂëλÖ㬣¬£¬Í¼Æ¬ÖжÔÒªº¦²¿·Ö¾ÙÐÐÁËÏìÓ¦µÄ×¢ÊÍ¡£¡£
ÏÂÃæÁ¬ÏµpostÊý¾Ý°üÀ´ÆÊÎö³ÌÐò´¦Öóͷ£Âß¼¡£¡£½á¹¹ÈçÏÂpostÊý¾Ý°ü£º
Ê×ÏÈ£¬£¬£¬start±äÁ¿Ö¸ÏòpostÊý¾Ý°ü×îÏȵÄλÖ㬣¬£¬Ò²¾ÍÊǶÔÓ¦ÉÏÃæµÚÒ»¸ö±êʶ·û--VILC2R2IHFHLZZµÄλÖ㬣¬£¬crlfÖ¸ÏòÁ½¸ö¿ÕÐУ¨\r\n\r\n£©×îÏȵÄλÖ㬣¬£¬endÖ¸ÏòÏÂÒ»¸ö±êʶ·ûVILC2R2IHFHLZZ×îÏȵÄλÖ㬣¬£¬ÄÇôÔÚcrlfºÍendÖ®¼äµÄÊý¾Ý¾ÍÓÐÏÂÃæÕâЩÄÚÈÝ£¬£¬£¬×ܳ¤¶ÈΪ8£¨ÌØÊâ×Ö·û³¤¶È£©+len£¨Êý¾Ý²ÎÊý³¤¶È£©¸ö×Ö½Ú¡£¡£
¡®\r\n\r\ntest\r\n--¡¯
ƾ֤ÉÏÃæ²ÎÊýÄÚÈÝ£¬£¬£¬ÎÒÃǾͿÉÒÔÃ÷È·ÏÂÃæÕâÐдúÂëµÄÒâÒåÁË¡£¡£vlen¼´ÊÇ×ܳ¤¶È¼õÈ¥¶àÓàµÄ8¸öÌØÊâ×Ö·û£¬£¬£¬¾Í¿ÉÒÔÅÌËã³ö²ÎÊýµÄ³¤¶È¡£¡£
vlen=end-crlf-8;
È»ºó£¬£¬£¬³ÌÐòŲÓÃapr_pcalloc·ÖÅÉÄÚ´æ¡£¡£
³ÌÐòûÓжÔvlenÖµµÄÕýµ±ÐÔ¾ÙÐмì²é£¬£¬£¬ÈôÊÇÉÏÃæ²ÎÊýÖеÄÌØÊâ×Ö·ûȱʧ£¬£¬£¬ÅÌËãµÄvlenÖµ¾Í¿ÉÄܱäΪ¸ºÊý£¬£¬£¬Ôì³ÉÕûÊýÒç³ö¡£¡£µ±ÉêÇë¿Õ¼äµÄʱ¼ä£¬£¬£¬»á·ºÆðÇå¾²ÎÊÌâ¡£¡£
¶¯Ì¬µ÷ÊÔ
ƾ֤²î±ð»ûÐΰüµÄ½á¹¹£¬£¬£¬Ë¼Á¿ÒÔÏÂÁ½ÖÖÇéÐΣ¬£¬£¬Á¬Ïµ¶¯Ì¬µ÷ÊÔ¾ÙÐÐÆÊÎö¡£¡£
ÉêÇ볬´óµÄ¿Õ¼ä
¼ÙÉèȱʧ'/r/n--'Õâ4¸öÌØÊâ×Ö·û£¬£¬£¬ÇÒÊý¾Ý²¿·ÖΪ2×Ö½Ú£¬£¬£¬vlen=(2+4-8)=-2¡£¡£Å²ÓÃapr_pcalloc(r->pool, vlen+1)ÉêÇëÄÚ´æÊ±£¬£¬£¬vlen+1=0xffffffffffffffff¡£¡£
ʹÓÃgdb¸½¼ÓÀú³Ì£¬£¬£¬¾ÙÐж¯Ì¬µ÷ÊÔ¡£¡£ÔÚÎó²îº¯Êý´¦ÉèÖöϵ㣬£¬£¬È»ºó·¢ËÍÌØÊâµÄpostÇëÇ󡣡£
aprÄÚ´æ³ØÎÞ·¨ÌṩÕâô´óµÄÄڴ棬£¬£¬ÕâʱaprµÄ·ÖÅÉ×ӾͻáÏòϵͳÉêÇëÄÚ´æ¿Õ¼ä£¬£¬£¬¿ÉÊÇÉêÇëµÄÖØ´óÄÚ´æ¿Õ¼äÊÇϵͳÎÞ·¨ÌṩµÄ£¬£¬£¬ÒÔÊÇϵͳ»áÖ±½Ó½«Àú³Ìkillµô£¨0x75ÊÇÀú³ÌºÅ£©£¬£¬£¬Ôì³É¾Ü¾øÐ§ÀÍ¡£¡£
Òç³ö³¬³¤µÄ×Ö½Ú
¼ÙÉèȱʧ'/r/n--'Õâ4¸öÌØÊâ×Ö·û£¬£¬£¬ÇÒÊý¾Ý²¿·ÖΪ3×Ö½Ú£¬£¬£¬vlen=(3+4-8)=-1£¬£¬£¬Å²ÓÃapr_pcalloc(r->pool, vlen+1)ÉêÇëÄÚ´æÊ±£¬£¬£¬³¤¶Èvlen+1=0£¬£¬£¬Æ¾Ö¤aprÄÚ´æ³ØÄÚ´æ·ÖÅÉ»úÖÆ£¬£¬£¬aprÄÚ´æ³Ø»á·ÖÅÉ×îСµÄÄÚ´æ¿é8×Ö½Ú£¬£¬£¬×îºóʹÓú¯ÊýmemcpyµÄʱ¼ä£º
memcpy(buffer, crlf + 4, vlen)
vlenÓÖΪFFFFFFFF.......(-1)£¬£¬£¬¾Í»á±¬·¢»º³åÇøÒç³ö¡£¡£
¶¯Ì¬µ÷ÊÔʱ¿ÉÒÔ¿´µ½Å²ÓÃapr_pallocʱ£¬£¬£¬³¤¶È²ÎÊýÊÇ0£¬£¬£¬ÏÖʵÉÏ»á·ÖÅÉ8×ֽڵĿռ䡣¡£
²Î¿¼Á´½Ó£º
[1]https://mp.weixin.qq.com/s/XLzXHZYvpPIqNrDz3OHaMA
[2]https://nakedsecurity.sophos.com/2021/12/21/apaches-other-product-critical-bugs-in-httpd-web-server-patch-now/
[3]https://httpd.apache.org/security/vulnerabilities_24.html
[4]https://ubuntu.com/security/CVE-2021-44790
[5]https://github.com/apache/httpd/commit/07b9768cef6a224d256358c404c6ed5622d8acce