Apache HTTP Server mod_luaÄ£¿£¿£¿£¿£¿é»º³åÇøÒç³öÎó²îÆÊÎö£¨CVE-2021-44790£©

Ðû²¼Ê±¼ä 2022-01-20

Îó²î¸ÅÊö


2021Äê12ÔÂ20ÈÕ£¬ £¬£¬Apache ÍŶÓÐû²¼ÁËApache HTTP Server 2.4.52°æ±¾£¬ £¬£¬ÐÞ¸´ÁËApache HTTP ServerÖеÄÒ»¸ö»º³åÇøÒç³öÎó²î£¨CVE-2021-44790£©£¬ £¬£¬¸ÃÎó²î±£´æÓÚmod_luaÆÊÎöÆ÷ÖУ¬ £¬£¬µ±Ð§ÀÍÆ÷ÆÊÎö¶ñÒâÇëÇóʱ´¥·¢»º³åÇøÒç³ö£¬ £¬£¬¿Éµ¼Ö¾ܾøÐ§ÀÍ»òÖ´ÐÐí§Òâ´úÂë¡£¡£


Ó°Ïì¹æÄ£


Ó°Ïì°æ±¾£ºApache HTTP Server <= 2.4.51


Ïà¹ØÏÈÈÝ


Mod_luaÄ£¿£¿£¿£¿£¿é

Mod_luaÄ£¿£¿£¿£¿£¿éÊÇApacheÉϵÄÒ»¸öÀ©Õ¹Ä£¿£¿£¿£¿£¿é£¬ £¬£¬ÊÊÓÃÓÚ2.3ÒÔÉϰ汾¡£¡£¸ÃÄ£¿£¿£¿£¿£¿éÔÊÐíʹÓÃlua¾ç±¾À©Õ¹Ð§ÀÍÆ÷£¬ £¬£¬»¹°üÀ¨Ðí¶àÆäËûÄ£¿£¿£¿£¿£¿é¿ÉÓõĹ³×Óº¯Êý¡£¡£ÀýÈ罫ÇëÇó Map µ½Îļþ£¬ £¬£¬ÌìÉú¶¯Ì¬ÏìÓ¦£¬ £¬£¬»á¼û¿ØÖÆ£¬ £¬£¬Éí·ÝÑéÖ¤ºÍÊÚȨµÈ¡£¡£ÈôÊÇ¿ªÆô¸ÃÄ£¿£¿£¿£¿£¿é£¬ £¬£¬¿ÉÄÜ»áÔì³ÉһЩÇå¾²Òþ»¼¡£¡£

ÔÚ/etc/httpd/httpd.cnfÉèÖÃÎļþÖÐ×÷·ÏÏÂÃæÕâÐÐ×¢ÊÍ£¬ £¬£¬¼´¿É¿ªÆô¸ÃÄ£¿£¿£¿£¿£¿éµÄ¹¦Ð§¡£¡£


´úÂëÎļþ.png

µ±ÊÕµ½.luaÎļþÇëÇóʱ£¬ £¬£¬mod_luaÄ£¿£¿£¿£¿£¿éŲÓÃlua-scriptµÄhandleº¯Êý¾ÙÐд¦Öóͷ£¡£¡£ÏÂͼΪhandleº¯ÊýʵÀý¡£¡£


´úÂëÎļþ.png

aprÄÚ´æ³Ø


ΪÁËïÔ̭ϵͳÄÚ´æ·ÖÅɵÄʱ¼ä£¬ £¬£¬Ìá¸ß³ÌÐòÔËÐÐЧÂÊ£¬ £¬£¬ApacheµÄ¿ª·¢Õß½¨ÉèÁËÒ»Ì×»ùÓڳؿ´·¨µÄÄÚ´æÖÎÀí¼Æ»®¡£¡£ÕâÌ×ÒªÁìÒÆµ½aprÖгÉΪͨÓõÄÄÚ´æÖÎÀí¼Æ»®£¬ £¬£¬Ò²¾ÍÊÇaprÄÚ´æ³Ø¡£¡£

aprµÄÄÚ´æ³Ø½á¹¹×ÅʵÊÇÒ»ÖÖÊ÷×´µÄÌõÀí½á¹¹£¬ £¬£¬parentÖ¸ÏòÄ¿½ñÄÚ´æ³ØµÄ¸¸ÄÚ´æ³Ø£¬ £¬£¬childÖ¸ÏòÄ¿½ñÄÚ´æ³ØµÄ×ÓÄÚ´æ³Ø£¬ £¬£¬siblingÔòÖ¸ÏòÄ¿½ñÄÚ´æ³ØµÄÐÖµÜÄÚ´æ³Ø¡£¡£Óû§Ê¹ÓõÄÄÚ´æ¿Õ¼ä£¬ £¬£¬ÔòÊÇactiveÖÎÀíµÄÒ»¸ö½ÚµãÁ´±í¡£¡£Óû§ÒªÉêÇëÄÚ´æ¿Õ¼äµÄʱ¼ä¾Í»áÔÚactiveÖÎÀíµÄÄÚ´æ½ÚµãÖÐѰÕÒ¡£¡£


½á¹¹ÌåÈçÏÂËùʾ£º


´úÂëÎļþ.png


Óû§ÉêÇëÄÚ´æÀú³Ì£º


£¨1£©Ê×ÏÈÈ¡×î¿¿½ü²»Ð¡ÓÚ8×Ö½Ú±¶Êý¾ÞϸµÄ¿Õ¼ä£¨8×Ö½Ú¶ÔÆë£©£¬ £¬£¬È»ºóƾ֤ÉêÇë¾ÞϸÅжÏactive½Úµã¿ÉÓÿռäÊÇ·ñ×ã¹»¡£¡£ÈôÄÚ´æ×ã¹»£¬ £¬£¬Òƶ¯first_availÖ¸Õ룬 £¬£¬·µ»ØÆäµØµã£»£»Èô¿Õ¼äȱ·¦£¬ £¬£¬Ôò¼ÌÐø¾ÙÐÐ2Ö®ºóµÄ°ì·¨¡£¡£


£¨2£©ÅжÏÏÂÒ»¸öÄÚ´æ½ÚµãµÄÊ£Óà¿Õ¼äÊÇ·ñ×ã¹»£¬ £¬£¬Èô×ã¹»ÔòʹÓÃÖ®£¬ £¬£¬²¢½«Ö®ÍÑÀëÄ¿½ñÁ´±í£»£»Èôȱ·¦£¬ £¬£¬Ôò̫ͨ¹ýÅä×Ó·ÖÅÉеÄÄÚ´æ½Úµã¡£¡£


£¨3£©½«µÚ2²½ÖлñµÃµÄ½Úµã²åÈëactive½Úµã֮ǰ£¬ £¬£¬²¢³ÉΪеÄactive½Úµã¡£¡£


£¨4£©ÅÌËã¾ÉµÄactive½ÚµãµÄÊ£Óà¿Õ¼ä´óС£¡£¬ £¬£¬²¢ÇÒÓëÆäÁ´±íºóµÄËùÓнڵãµÄÊ£Óà¿Õ¼ä¾Þϸ½ÏÁ¿£¬ £¬£¬²¢²åÈëÁ´±íÖÐ׼ȷµÄλÖᣡ£


´úÂëÎļþ.png

²¹¶¡ÆÊÎö


¸ÃÎó²îÔÚApache HTTP Server 2.4.52ÖоÙÐÐÁËÐÞ¸´£¬ £¬£¬ÔÚÄÚ´æÉêÇë֮ǰ£¬ £¬£¬ÔöÌíÁ˶Գ¤¶ÈµÄÕýµ±ÐÔУÑé¡£¡£µ±end-crlfСÓÚ¼´ÊÇ8£¬ £¬£¬³ÌÐò»áÖ±½ÓÍ˳ö£¬ £¬£¬×èÖ¹ÕûÊýÒç³ö¡£¡£


´úÂëÎļþ.png


Îó²îÆÊÎö


ƾ֤Îó²îͨ¸æ£¬ £¬£¬¿ÉÖªÎó²î±£´æÓÚmod_luaÄ£¿£¿£¿£¿£¿éÖУ¬ £¬£¬lua¾ç±¾Å²ÓÃÁËr:parsebody()º¯Êý±¬·¢ÁË»º³åÇøÒç³ö¡£¡£Á¬ÏµpatchÐÅÏ¢£¬ £¬£¬Ö±½Ó¶¨Î»µ½req_parsebodyº¯Êý¡£¡£

±¾ÎÄʹÓÃApache HTTP Server 2.4.49°æ±¾¾ÙÐÐÆÊÎö£¬ £¬£¬´úÂëÖкìÉ«·½¿ò±êʶ³öÀ´µÄ²¿·Ö¼´Îó²î´úÂëλÖ㬠£¬£¬Í¼Æ¬ÖжÔÒªº¦²¿·Ö¾ÙÐÐÁËÏìÓ¦µÄ×¢ÊÍ¡£¡£


´úÂëÎļþ.png


ÏÂÃæÁ¬ÏµpostÊý¾Ý°üÀ´ÆÊÎö³ÌÐò´¦Öóͷ£Âß¼­¡£¡£½á¹¹ÈçÏÂpostÊý¾Ý°ü£º


´úÂëÎļþ.png


Ê×ÏÈ£¬ £¬£¬start±äÁ¿Ö¸ÏòpostÊý¾Ý°ü×îÏȵÄλÖ㬠£¬£¬Ò²¾ÍÊǶÔÓ¦ÉÏÃæµÚÒ»¸ö±êʶ·û--VILC2R2IHFHLZZµÄλÖ㬠£¬£¬crlfÖ¸ÏòÁ½¸ö¿ÕÐУ¨\r\n\r\n£©×îÏȵÄλÖ㬠£¬£¬endÖ¸ÏòÏÂÒ»¸ö±êʶ·ûVILC2R2IHFHLZZ×îÏȵÄλÖ㬠£¬£¬ÄÇôÔÚcrlfºÍendÖ®¼äµÄÊý¾Ý¾ÍÓÐÏÂÃæÕâЩÄÚÈÝ£¬ £¬£¬×ܳ¤¶ÈΪ8£¨ÌØÊâ×Ö·û³¤¶È£©+len£¨Êý¾Ý²ÎÊý³¤¶È£©¸ö×Ö½Ú¡£¡£


¡®\r\n\r\ntest\r\n--¡¯

ƾ֤ÉÏÃæ²ÎÊýÄÚÈÝ£¬ £¬£¬ÎÒÃǾͿÉÒÔÃ÷È·ÏÂÃæÕâÐдúÂëµÄÒâÒåÁË¡£¡£vlen¼´ÊÇ×ܳ¤¶È¼õÈ¥¶àÓàµÄ8¸öÌØÊâ×Ö·û£¬ £¬£¬¾Í¿ÉÒÔÅÌËã³ö²ÎÊýµÄ³¤¶È¡£¡£


vlen=end-crlf-8;


È»ºó£¬ £¬£¬³ÌÐòŲÓÃapr_pcalloc·ÖÅÉÄÚ´æ¡£¡£


´úÂëÎļþ.png


³ÌÐòûÓжÔvlenÖµµÄÕýµ±ÐÔ¾ÙÐмì²é£¬ £¬£¬ÈôÊÇÉÏÃæ²ÎÊýÖеÄÌØÊâ×Ö·ûȱʧ£¬ £¬£¬ÅÌËãµÄvlenÖµ¾Í¿ÉÄܱäΪ¸ºÊý£¬ £¬£¬Ôì³ÉÕûÊýÒç³ö¡£¡£µ±ÉêÇë¿Õ¼äµÄʱ¼ä£¬ £¬£¬»á·ºÆðÇå¾²ÎÊÌâ¡£¡£



¶¯Ì¬µ÷ÊÔ


ƾ֤²î±ð»ûÐΰüµÄ½á¹¹£¬ £¬£¬Ë¼Á¿ÒÔÏÂÁ½ÖÖÇéÐΣ¬ £¬£¬Á¬Ïµ¶¯Ì¬µ÷ÊÔ¾ÙÐÐÆÊÎö¡£¡£

ÉêÇ볬´óµÄ¿Õ¼ä

¼ÙÉèȱʧ'/r/n--'Õâ4¸öÌØÊâ×Ö·û£¬ £¬£¬ÇÒÊý¾Ý²¿·ÖΪ2×Ö½Ú£¬ £¬£¬vlen=(2+4-8)=-2¡£¡£Å²ÓÃapr_pcalloc(r->pool, vlen+1)ÉêÇëÄÚ´æÊ±£¬ £¬£¬vlen+1=0xffffffffffffffff¡£¡£

ʹÓÃgdb¸½¼ÓÀú³Ì£¬ £¬£¬¾ÙÐж¯Ì¬µ÷ÊÔ¡£¡£ÔÚÎó²îº¯Êý´¦ÉèÖöϵ㣬 £¬£¬È»ºó·¢ËÍÌØÊâµÄpostÇëÇ󡣡£


´úÂëÎļþ.png


aprÄÚ´æ³ØÎÞ·¨ÌṩÕâô´óµÄÄڴ棬 £¬£¬ÕâʱaprµÄ·ÖÅÉ×ӾͻáÏòϵͳÉêÇëÄÚ´æ¿Õ¼ä£¬ £¬£¬¿ÉÊÇÉêÇëµÄÖØ´óÄÚ´æ¿Õ¼äÊÇϵͳÎÞ·¨ÌṩµÄ£¬ £¬£¬ÒÔÊÇϵͳ»áÖ±½Ó½«Àú³Ìkillµô£¨0x75ÊÇÀú³ÌºÅ£©£¬ £¬£¬Ôì³É¾Ü¾øÐ§ÀÍ¡£¡£

´úÂëÎļþ.png


Òç³ö³¬³¤µÄ×Ö½Ú

¼ÙÉèȱʧ'/r/n--'Õâ4¸öÌØÊâ×Ö·û£¬ £¬£¬ÇÒÊý¾Ý²¿·ÖΪ3×Ö½Ú£¬ £¬£¬vlen=(3+4-8)=-1£¬ £¬£¬Å²ÓÃapr_pcalloc(r->pool, vlen+1)ÉêÇëÄÚ´æÊ±£¬ £¬£¬³¤¶Èvlen+1=0£¬ £¬£¬Æ¾Ö¤aprÄÚ´æ³ØÄÚ´æ·ÖÅÉ»úÖÆ£¬ £¬£¬aprÄÚ´æ³Ø»á·ÖÅÉ×îСµÄÄÚ´æ¿é8×Ö½Ú£¬ £¬£¬×îºóʹÓú¯ÊýmemcpyµÄʱ¼ä£º


memcpy(buffer, crlf + 4, vlen)

vlenÓÖΪFFFFFFFF.......(-1)£¬ £¬£¬¾Í»á±¬·¢»º³åÇøÒç³ö¡£¡£

¶¯Ì¬µ÷ÊÔʱ¿ÉÒÔ¿´µ½Å²ÓÃapr_pallocʱ£¬ £¬£¬³¤¶È²ÎÊýÊÇ0£¬ £¬£¬ÏÖʵÉÏ»á·ÖÅÉ8×ֽڵĿռä¡£¡£



´úÂëÎļþ.png


´úÂëÎļþ.png


²Î¿¼Á´½Ó£º


[1]https://mp.weixin.qq.com/s/XLzXHZYvpPIqNrDz3OHaMA


[2]https://nakedsecurity.sophos.com/2021/12/21/apaches-other-product-critical-bugs-in-httpd-web-server-patch-now/


[3]https://httpd.apache.org/security/vulnerabilities_24.html 


[4]https://ubuntu.com/security/CVE-2021-44790


[5]https://github.com/apache/httpd/commit/07b9768cef6a224d256358c404c6ed5622d8acce