Bug 1543825 (CVE-2018-6644)

Summary: CVE-2018-6644 sblim-sfcb: NULL pointer dereference (DoS) vulnerability via POST request to /cimom
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dkholia, praveenkpaladugu, srinivas_g_gowda, vcrhonek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in the way sblim-sfcb handled processing of POST requests to the /cimom URI. A remote attacker could use this flaw to cause a sblim-sfcb child process to crash via a specially crafted HTTP POST request.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-23 08:06:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1543826    
Bug Blocks: 1543827    

Description Pedro Sampaio 2018-02-09 11:50:30 UTC 
SBLIM Small Footprint CIM Broker (SFCB) 1.4.9 has a NULL pointer dereference vulnerability (DoS) via a crafted POST request to the /cimom URI.

References:

http://www.openwall.com/lists/oss-security/2018/02/07/1
Comment 1 Pedro Sampaio 2018-02-09 11:51:11 UTC 
Created sblim-sfcb tracking bugs for this issue:

Affects: fedora-all [bug 1543826]
Comment 5 Dhiru Kholia 2018-02-21 08:19:00 UTC 
Information for Fedora 27.

Attach GDB to the "http daemon" and run the public reproducer,

Thread 2.1 "sfcbd" received signal SIGSEGV, Segmentation fault...
(gdb) bt
#0  scanCimXmlRequest (ctx=ctx@entry=0x7fff15d5d020, 
    xmlData=0x564fe41bb220 "<?xml version=\"1.0\" ?>\n<CIM CIMVERSION=\"2.0\" DTDVERSION=\"2.0\">\n   <MESSAGE ID=\"4711\" PROTOCOLVERSION=\"1.0\">\n      <SIMPLEREQ>\n         <IMETHODCALL NAME=\"EnumerateInstances\">\n", ' ' <repeats 12 times>, "<LOCALNAMESPA"..., rc=rc@entry=0x7fff15d5cbfc) at cimXmlParserProcessed.c:1739
#1  0x00007fb3b85f140e in handleCimRequest (ctx=ctx@entry=0x7fff15d5d020, flags=flags@entry=0, more=more@entry=0x564fe41bd6d0 "") at cimRequest.c:1850
#2  0x00007fb3b88046ed in doHttpRequest (conn_fd=...) at httpAdapter.c:1400
#3  0x00007fb3b8805dd5 in handleHttpRequest (sslMode=<optimized out>, connFd=141) at httpAdapter.c:1742
#4  acceptRequest (sock=<optimized out>, ssin=<optimized out>, sin_len=<optimized out>, sslMode=<optimized out>) at httpAdapter.c:2023
#5  0x00007fb3b8807854 in httpDaemon (argc=<optimized out>, argv=<optimized out>, sslMode=<optimized out>, adapterNum=<optimized out>, ipAddr=<optimized out>, ipAddrFam=<optimized out>, sfcbPid=0)
    at httpAdapter.c:2464
#6  0x0000564fe3622335 in startHttpd (argc=1, argv=0x7fff15d5ed78, sslMode=1) at sfcBroker.c:538
#7  0x0000564fe36218b6 in main (argc=1, argv=0x7fff15d5ed78) at sfcBroker.c:1060

cimXmlParserProcessed.c:1739 ->

  if (strncmp(ctx->contentType,"application/xml",15) !=0 ) {
    *rc=1;
    return control.reqHdr;
  }

(gdb) print ctx->contentType
$3 = 0x0

This looks like a standard NULL pointer dereference flaw.

...

Perhaps the following untested patch could fix this crash,

diff --git a/cimXmlParserProcessed.c b/cimXmlParserProcessed.c
index 7098392..065a38b 100644
--- a/cimXmlParserProcessed.c
+++ b/cimXmlParserProcessed.c
@@ -1736,6 +1736,11 @@ scanCimXmlRequest(CimRequestContext *ctx, char *xmlData, int *rc)
   control.MQs = 0;
   control.MPQs = 0;
 
+  if (!ctx->contentType)
+    *rc=1;
+    return control.reqHdr;
+  }
+
   if (strncmp(ctx->contentType,"application/xml",15) !=0 ) {
     *rc=1;
     return control.reqHdr;
Comment 6 Dhiru Kholia 2018-02-23 07:59:51 UTC 
Statement:

This issue did not affect the versions of sblim-sfcb as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.