Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Summary
Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index. The decoder converts each byte of the (possibly signed) `const char *in` input to an `int` and uses it directly as an index into the decoding table, so any byte of 0x80 or above yields a negative index; the fix shipped in lighttpd 1.4.30 (lighttpd issue #2370).
Vulnerable Configurations
Exploit-Db
description | lighttpd Denial of Service Vulnerability PoC. CVE-2011-4362. DoS exploit for linux platform |
file | exploits/linux/dos/18295.txt |
id | EDB-ID:18295 |
last seen | 2016-02-02 |
modified | 2011-12-31 |
platform | linux |
port | |
published | 2011-12-31 |
reporter | pi3 |
source | https://www.exploit-db.com/download/18295/ |
title | lighttpd Denial of Service Vulnerability PoC |
type | dos |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2012-9078.NASL description This update fixes CVE-2011-4362 by updating to the latest release. It also fixes problems that had been reported with previous releases, such as ssl-related crashes on startup. This update fixes some minor SSL related problems, as well as a connection stall bug. This update fixes some minor SSL related problems, as well as a connection stall bug. This update fixes some minor SSL related problems, as well as a connection stall bug. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-06-26 plugin id 59690 published 2012-06-26 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59690 title Fedora 16 : lighttpd-1.4.31-1.fc16 (2012-9078) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2012-9078. # include("compat.inc"); if (description) { script_id(59690); script_version("1.10"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2011-4362"); script_bugtraq_id(50851); script_xref(name:"FEDORA", value:"2012-9078"); script_name(english:"Fedora 16 : lighttpd-1.4.31-1.fc16 (2012-9078)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update fixes CVE-2011-4362 by updating to the latest release. It also fixes problems that had been reported with previous releases, such as ssl-related crashes on startup. 
This update fixes some minor SSL related problems, as well as a connection stall bug. This update fixes some minor SSL related problems, as well as a connection stall bug. This update fixes some minor SSL related problems, as well as a connection stall bug. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=758624" ); # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/082686.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?7b2b223c" ); script_set_attribute( attribute:"solution", value:"Update the affected lighttpd package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:lighttpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:16"); script_set_attribute(attribute:"patch_publication_date", value:"2012/06/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^16([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 16.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC16", reference:"lighttpd-1.4.31-1.fc16")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "lighttpd"); }
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_C6521B04314B11E19CF45404A67EEF98.NASL description US-CERT/NIST reports : Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index. last seen 2020-06-01 modified 2020-06-02 plugin id 57411 published 2011-12-29 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57411 title FreeBSD : lighttpd -- remote DoS in HTTP authentication (c6521b04-314b-11e1-9cf4-5404a67eef98) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201406-10.NASL description The remote host is affected by the vulnerability described in GLSA-201406-10 (lighttpd: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in lighttpd. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could create a Denial of Service condition. Furthermore, a remote attacker may be able to execute arbitrary SQL statements. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 76062 published 2014-06-16 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/76062 title GLSA-201406-10 : lighttpd: Multiple vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2368.NASL description Several vulnerabilities have been discovered in lighttpd, a small and fast webserver with minimal memory footprint. - CVE-2011-4362 Xi Wang discovered that the base64 decoding routine which is used to decode user input during an HTTP authentication, suffers from a signedness issue when processing user input.
As a result it is possible to force lighttpd to perform an out-of-bounds read which results in Denial of Service conditions. - CVE-2011-3389 When using CBC ciphers on an SSL enabled virtual host to communicate with certain client, a so called last seen 2020-03-17 modified 2012-01-12 plugin id 57508 published 2012-01-12 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57508 title Debian DSA-2368-1 : lighttpd - multiple vulnerabilities (BEAST) NASL family Web Servers NASL id LIGHTTPD_1_4_30.NASL description According to its banner, the version of lighttpd running on the remote host is prior to 1.4.30. It is, therefore, affected by a denial of service vulnerability. The HTTP server allows out-of-bounds values to be decoded during the auth process and later uses these values as offsets. Using negative values as offsets can result in application crashes. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 57410 published 2011-12-28 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57410 title lighttpd < 1.4.30 base64_decode Function Out-of-Bounds Read Error DoS NASL family Solaris Local Security Checks NASL id SOLARIS11_LIGHTTPD_20120417.NASL description The remote Solaris system is missing necessary patches to address security updates : - Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index. 
(CVE-2011-4362) last seen 2020-06-01 modified 2020-06-02 plugin id 80697 published 2015-01-19 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80697 title Oracle Solaris Third-Party Patch Update : lighttpd (cve_2011_4362_denial_of) NASL family SuSE Local Security Checks NASL id SUSE_11_4_LIGHTTPD-120130.NASL description This update of lighttpd fixes an out-of-bounds read due to a signedness error which could cause a Denial of Service (CVE-2011-4362). Additionally an option was added to honor the server cipher order (resolves lighttpd#2364). last seen 2020-06-05 modified 2014-06-13 plugin id 75941 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75941 title openSUSE Security Update : lighttpd (openSUSE-SU-2012:0240-1) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2012-107.NASL description Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index. last seen 2020-06-01 modified 2020-06-02 plugin id 69597 published 2013-09-04 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/69597 title Amazon Linux AMI : lighttpd (ALAS-2012-107) NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-110.NASL description - added lighttpd-1.4.30_head_fixes.patch: cherry picked 4 fixes from HEAD : - [ssl] include more headers explicitly - list all network handlers in lighttpd -V (fixes lighttpd#2376) - Move fdevent subsystem includes to implementation files to reduce conflicts (fixes lighttpd#2373) - [ssl] fix segfault in counting renegotiations for openssl versions without TLSEXT/SNI - update to 1.4.30: (bnc#733607) - Always use our ‘own’ md5 implementation, fixes linking issues on MacOS (fixes #2331) - Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems. - [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled - Add static-file.disable-pathinfo option to prevent handling of urls like …/secret.php/image.jpg as static file - Don’t overwrite 401 (auth required) with 501 (unknown method) (fixes #2341) - Fix mod_status bug: always showed “0/0” in the “Read” column for uploads (fixes #2351) - [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362) - [ssl] count renegotiations to prevent client renegotiations - [ssl] add option to honor server cipher order (fixes #2364, BEAST attack) - [core] accept dots in ipv6 addresses in host header (fixes #2359) - [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb) - [libev/cgi] fix waitpid ECHILD errors in cgi with libev (fixes #2324) - add automake as buildrequire to avoid implicit dependency last seen 2020-06-05 modified 2014-06-13 plugin id 74546 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/74546 title openSUSE Security Update : lighttpd (openSUSE-2012-110) NASL family Fedora Local Security Checks NASL id FEDORA_2012-9040.NASL description This update fixes CVE-2011-4362 by updating to the latest release. It also fixes problems that had been reported with previous releases, such as ssl-related crashes on startup. This update fixes some minor SSL related problems, as well as a connection stall bug. This update fixes some minor SSL related problems, as well as a connection stall bug. This update fixes some minor SSL related problems, as well as a connection stall bug. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-06-26 plugin id 59689 published 2012-06-26 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59689 title Fedora 17 : lighttpd-1.4.31-1.fc17 (2012-9040)
Seebug
bulletinFamily exploit description No description provided by source. id SSV:72453 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-72453 title lighttpd Denial of Service Vulnerability PoC bulletinFamily exploit description No description provided by source. id SSV:30003 last seen 2017-11-19 modified 2012-01-02 published 2012-01-02 reporter Root source https://www.seebug.org/vuldb/ssvid-30003 title Lighttpd Proof of Concept code for CVE-2011-4362 bulletinFamily exploit description No description provided by source. id SSV:26120 last seen 2017-11-19 modified 2011-12-27 published 2011-12-27 reporter Root source https://www.seebug.org/vuldb/ssvid-26120 title Lighttpd 1.4.30 / 1.5 Denial Of Service bulletinFamily exploit description CVE-2011-4362 Lighttpd是一款轻型的开放源码Web Server软件包。 lighttpd在认证数据的解码实现上存在漏洞,攻击者可能利用此漏洞使应用程序崩溃造成拒绝服务。 http_auth.c中的代码在base64解码用户输入的认证数据时使用"const char *in"类型,并将每个字符转换为"int ch"作为映射表的索引,大于0x80的字符就会导致负索引,可能造成非法内存访问。 lighttpd <=1.4.29 厂商补丁: LightTPD -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.lighttpd.net/ id SSV:24275 last seen 2017-11-19 modified 2011-12-01 published 2011-12-01 reporter Root source https://www.seebug.org/vuldb/ssvid-24275 title lighttpd mod_auth模块base64 拒绝服务漏洞
References
- http://archives.neohapsis.com/archives/bugtraq/2011-12/0167.html
- http://blog.pi3.com.pl/?p=277
- http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt
- http://jvn.jp/en/jp/JVN37417423/index.html
- http://redmine.lighttpd.net/issues/2370
- http://secunia.com/advisories/47260
- http://www.debian.org/security/2011/dsa-2368
- http://www.exploit-db.com/exploits/18295
- http://www.openwall.com/lists/oss-security/2011/11/29/13
- http://www.openwall.com/lists/oss-security/2011/11/29/8
- http://www.securitytracker.com/id?1026359
- https://bugzilla.redhat.com/show_bug.cgi?id=758624
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71536