2022-09-23: Crow HTTP framework use-after-free

(Collaborative post by hebi and Gynvael Coldwind)

Crow is an asynchronous C++ HTTP/WebSocket framework for creating "flask-like" web services. In early August we discovered a pretty interesting use-after-free vulnerability. Since Crow takes advantage of the Asio library for asynchronous input/output operations, analysis of this vulnerability took a few long evenings since the cause was split between multiple interweaved tasks and callbacks. Eventually we traced the root cause to an interesting mismatch between two layers of code, one of which - the HTTP parser - was supporting HTTP pipelining (or rather was agnostic towards it, which resulted in pipelining being inadvertently supported), while the other - HTTP server logic - was not designed to take HTTP pipelining into account. This resulted in some interesting "race conditions" with one task "thinking" an HTTP connection was over (and deleting objects) while another still using them while processing a separate HTTP request.

One thing to note is that we never proved exploitability (as in: actual RCE, since it's pretty easy to just trigger this vulnerability to cause a DoS) due to ENOTIME, though we believe it should be possible, if highly complex.

The vulnerability in question was reported mid-August and fixed within 6 days.

CVSS, CVE, etc

Human readable details are in the next section.

  • CVE: CVE-2022-38667
  • CVSS 3.1: 8.1 High (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) [as originally reported]
  • CVSS 3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) [as rated by NIST/NVD]

Timeline

  • 2022-08-11: Vulnerability discovered.
  • 2022-08-17: Vulnerability reported.
  • 2022-08-21: Public fix was proposed.
  • 2022-08-22: Public fix was merged in.
  • 2022-08-22: CVE requested and assigned.
  • 2022-09-23: Details were published.

Original report with details

Read more... [ 0 comments ]

2022-05-28: Mega Sekurak Hacking Party - Czerwiec 2022

Coś mi mówi, że muszę trochę częściej coś wrzucać na bloga. Poprzedni post był o grudniowym Mega Sekurak Hacking Party 2021, a ten jest o... czerwcowym Mega Sekurak Hacking Party 2022. Zapewne stali czytelnicy mojego bloga kojarzą ten organizowany przez Sekurak/Securitum event - jest to jednodniowe wydarzenie, z serią wykładów z różnych działek hakingu. Tym razem, jak poprzednio, jest to event on-line.

Kiedy/gdzie: 13 czerwca 2022 r., On-line
Więcej informacji: https://hackingparty.pl/
Sklep z biletami biletu: https://sklep.securitum.pl/mshp-edycja-zdalna-czerwiec-2022
Cena biletu: ~370 PLN (jest też opcja VIP za ~2300 PLN)
Ma być taniej: mshp-gyn-30 (30% zniżki)

Have Fun!

Czytaj dalej... [ 0 komentarzy ]

Five newest or recently updated notes (these are unfinished posts, code snippets, links or commands I find useful but always forget, and other notes that just don't fit on the blog):

Click here for a list of all notes.

EN Security papers and research notes

Some conference slides are linked at the bottom of this page.

EN Selected vulnerabilities

The full list of vulnerabilities discovered by me (including collaborative work) can be found here (please note that the list might be out of date).

The Google Application Security / Research site might also contain some of my findings.

EN Coding (selected posts)
EN Tools and libraries
  • PiXieServ is a simplified PXE (network boot) server for Windows and Linux-based OS, created for testing of very small home-made OS. See also the post about it.
  • ExcpHook, a system-wide exception monitor for Windows XP 32-bit. Useful if you're fuzzing something that doesn't like having a debugger attached.
  • Ent is an entropy measuring tool for reverse engineering reconnaissance (see also a post explaining how to use it).
  • HiperDrop is a simple command line process memory dumper for Windows, with a few different work modes.
  • asmloader - this little app executes headerless machine code (compiled assembly code). It's meant to be an aid in learning/teaching and playing with assembly, as well as the right tool when you just need to execute some machine code.
  • NetSock is a simple socket/networking lib/wrapper for C++ I've wrote back in 2003 and update from time to time - I use it for most of my network-enabled projects.
PL Videotutoriale i podcasty [ 0 views | 0 videos | 0 subscribers ]

Subscribe to me on YouTube W wolnym czasie prowadzę videocasty na żywo o programowaniu, reverse engineeringu oraz hackingu/security:

Livestream | Kanał na YT | Archiwum starszych odcinków

Najnowszy odcinek: Gynvael's Livestream #75: Implementujemy serwer FTP
[ 0 thumbs up | 0 comments | 0 views ]

Dodatkowo: ReverseCraft - starsza seria podcastów o reverse engineeringu i assembly.

PL Edukacyjnie (wybrane posty)

Dla programistów:

Security / hacking:

  • Hacking - jak uczyć się security/hackingu i spać spokojnie.

Dodatkowo, kilka przemyśleń na temat odnajdywania się na rynku pracy w IT:

PL Programowanie (wybrane posty)

← trochę więcej postów jest po angielskojęzycznej stronie.

PL Gamedev i GFX (wybrane posty)

Grafika generowana proceduralnie:

【 design & art by Xa / Gynvael Coldwind 】 【 logo font (birdman regular) by utopiafonts / Dale Harris 】