CVE-2020-8442: analysisd rootcheck decoder: heap overflow in DB_File. #1820
Comments
This was referenced Jan 15, 2020
cpu
changed the title
|
This was assigned CVE-2020-8442 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The
ossec-analysisdrootcheck decoder (src/analysisd/decoders/rootcheck.c) allocates two fixed size heap buffers via global static vars. One,rk_agent_ipsis an array of*charsizeMAX_AGENTS. The otherrk_agent_fpsis an array of*FILE, also sizeMAX_AGENTS. In a default build MAX_AGENTS is 2048.ossec-hids/src/analysisd/decoders/rootcheck.c
Lines 21 to 22 in abb36d4
When processing rootcheck messages the
RK_Filefunction is called to find a file pointer for the given agent name.In
RK_Fileawhileloop with a index counteriis used to try and find an index ofrk_agent_ipsthat matches the providedagentname.No check of
iis made to ensure that it stays within the bound ofMAX_AGENT, resulting in a straight-forward heap buffer overflow when more thanMAX_AGENTsyscheck update messages for distinct agent names are processed.This code was introduced in the original
rootcheckfunctionality with 5546ed6 on Oct 9, 2005. I believe it affects OSSEC v2.7+.This is triggerable via an authenticated client through the
ossec-remoted. The client needs only write MAX_AGENT rootcheck update messages with distinct message agent names.While
ossec-remotedalways sets the agent name portion of messages passed on toossec-analysisdwith a prefix out of the attackers control based on the agent key and src IP (($NAME) $SRCPIP->) the portion after this prefix is attacker controlled and thus can be mutated to make more than MAX_AGENT unique names that will be decoded by theossec-analysisd.Notably this bug has fairly high potential for exploitation. The attacker is able to overwrite a *FILE pointer with a pointer to the agent name, which is mostly attacker controlled (minus a short prefix), and can be up to 255 - strlen(prefix) bytes long. I'm definitely able to reliably segfault the
ossec-analysisdprocess with this bug though I was personally unable to achieve control of execution.Overwriting a *FILE pointer with a pointer to attacker controlled data is a common way to achieve reliable code execution. There are many pointers in the FILE struct to be abused and while libc has added some hardening it isn't applicable for versions 2.24 or lower (e.g. Ubuntu 16.04) and bypass techniques are well known.
https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/
https://dhavalkapil.com/blogs/FILE-Structure-Exploitation/
https://www.slideshare.net/AngelBoy1/play-with-file-structure-yet-another-binary-exploit-technique
In this case there are two additional challenges to exploiting the bug that stumped me but may not stump someone who is actually good at writing exploits :-)
rk_agent_fpsentry used withfseekrequires being able to specify therk_agent_ipsname at the matchingivalue. Usually this is the first bytes of a validFILEand so I think the attacker needs full control of the agent name to be able to specify a match (usually\200,\255\373or similar. The value is predictable based on rootcheck'sopenflags). If I'm correct this might mean the segfault is remotely triggerable but exploiting the FILE overwrite may not be.To fix this the
whileconditions inDB_FileandDB_SetCompletedshould be rewritten to short circuit ifi >= MAX_AGENTS:E.g. instead of:
Use:
I think it's worth noting that this bug is nearly identical to the one reported by Paul Southerington in the syscheck decoder, patched in Feb 2012: 91aa29a
It looks like this was fixed in Wazuh's OSSEC fork at some point, though potentially without realizing it fixed a vulnerability: https://github.com/wazuh/wazuh/blob/413b72b17070350b62b2176c2bdc310cc66d30f6/src/analysisd/decoders/rootcheck.c#L77
This seems like a place where process improvement could help. Receiving vulnerability reports should trigger a search through the codebase for equivalent problems.
The text was updated successfully, but these errors were encountered: