Bug 1543825 - (CVE-2018-6644) CVE-2018-6644 sblim-sfcb: NULL pointer dereference (DoS) vulnerability via POST request to /cimom
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20180206,repor...
Keywords: Security
Depends On: 1543826
Blocks: 1543827
Reported: 2018-02-09 06:50 EST by Pedro Sampaio
Modified: 2018-02-23 09:43 EST (History)

Doc Text:
A NULL pointer dereference flaw was found in the way sblim-sfcb handled processing of POST requests to the /cimom URI. A remote attacker could use this flaw to cause a sblim-sfcb child process to crash via a specially crafted HTTP POST request.
Last Closed: 2018-02-23 03:06:17 EST


Description Pedro Sampaio 2018-02-09 06:50:30 EST
SBLIM Small Footprint CIM Broker (SFCB) 1.4.9 has a NULL pointer dereference vulnerability (DoS) via a crafted POST request to the /cimom URI.

References:

http://www.openwall.com/lists/oss-security/2018/02/07/1
Comment 1 Pedro Sampaio 2018-02-09 06:51:11 EST
Created sblim-sfcb tracking bugs for this issue:

Affects: fedora-all [bug 1543826]
Comment 5 Dhiru Kholia 2018-02-21 03:19:00 EST
Information for Fedora 27.

Attach GDB to the "http daemon" and run the public reproducer,

Thread 2.1 "sfcbd" received signal SIGSEGV, Segmentation fault...
(gdb) bt
#0  scanCimXmlRequest (ctx=ctx@entry=0x7fff15d5d020, 
    xmlData=0x564fe41bb220 "<?xml version=\"1.0\" ?>\n<CIM CIMVERSION=\"2.0\" DTDVERSION=\"2.0\">\n   <MESSAGE ID=\"4711\" PROTOCOLVERSION=\"1.0\">\n      <SIMPLEREQ>\n         <IMETHODCALL NAME=\"EnumerateInstances\">\n", ' ' <repeats 12 times>, "<LOCALNAMESPA"..., rc=rc@entry=0x7fff15d5cbfc) at cimXmlParserProcessed.c:1739
#1  0x00007fb3b85f140e in handleCimRequest (ctx=ctx@entry=0x7fff15d5d020, flags=flags@entry=0, more=more@entry=0x564fe41bd6d0 "") at cimRequest.c:1850
#2  0x00007fb3b88046ed in doHttpRequest (conn_fd=...) at httpAdapter.c:1400
#3  0x00007fb3b8805dd5 in handleHttpRequest (sslMode=<optimized out>, connFd=141) at httpAdapter.c:1742
#4  acceptRequest (sock=<optimized out>, ssin=<optimized out>, sin_len=<optimized out>, sslMode=<optimized out>) at httpAdapter.c:2023
#5  0x00007fb3b8807854 in httpDaemon (argc=<optimized out>, argv=<optimized out>, sslMode=<optimized out>, adapterNum=<optimized out>, ipAddr=<optimized out>, ipAddrFam=<optimized out>, sfcbPid=0)
    at httpAdapter.c:2464
#6  0x0000564fe3622335 in startHttpd (argc=1, argv=0x7fff15d5ed78, sslMode=1) at sfcBroker.c:538
#7  0x0000564fe36218b6 in main (argc=1, argv=0x7fff15d5ed78) at sfcBroker.c:1060

cimXmlParserProcessed.c:1739 ->

  if (strncmp(ctx->contentType,"application/xml",15) !=0 ) {
    *rc=1;
    return control.reqHdr;
  }

(gdb) print ctx->contentType
$3 = 0x0

This looks like a standard NULL pointer dereference flaw.

...

Perhaps the following untested patch could fix this crash,

diff --git a/cimXmlParserProcessed.c b/cimXmlParserProcessed.c
index 7098392..065a38b 100644
--- a/cimXmlParserProcessed.c
+++ b/cimXmlParserProcessed.c
@@ -1736,6 +1736,11 @@ scanCimXmlRequest(CimRequestContext *ctx, char *xmlData, int *rc)
   control.MQs = 0;
   control.MPQs = 0;
 
+  if (!ctx->contentType)
+    *rc=1;
+    return control.reqHdr;
+  }
+
   if (strncmp(ctx->contentType,"application/xml",15) !=0 ) {
     *rc=1;
     return control.reqHdr;
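Review bot: the first added line `+  if (!ctx->contentType)` is missing its opening brace, so as written only `*rc=1;` is conditional, `return control.reqHdr;` runs unconditionally for every request, and the following `+  }` closes scanCimXmlRequest() early, which will not compile. Changing that line to `if (!ctx->contentType) {` gives the block the same shape as the existing strncmp branch directly below it; with that fix the guard rejects a request carrying no Content-Type header with rc=1 before strncmp() can dereference the NULL pointer, which is the crash shown at cimXmlParserProcessed.c:1739.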
Comment 6 Dhiru Kholia 2018-02-23 02:59:51 EST
Statement:

This issue did not affect the versions of sblim-sfcb as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.
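The crash analysed in Comment 5 comes from strncmp() being handed a NULL ctx->contentType when the POST carries no Content-Type header. The C program below is an added illustration, not code from sblim-sfcb or from anyone on this bug: it extracts the Content-Type value from constructed raw HTTP requests (sample requests, not the public reproducer), shows an unguarded check shaped like line 1739 beside a guarded one that rejects a missing header with rc=1 the same way the existing application/xml mismatch branch does, and runs the guarded path over requests with, without and with the wrong header. The names struct req_ctx, find_content_type, check_content_type_unsafe, check_content_type_safe and handle_post are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the broker's request context, holding only the
 * field involved in the crash. Not sblim-sfcb's CimRequestContext. */
struct req_ctx {
    const char *content_type;   /* NULL when the request had no Content-Type header */
};

/* Case-insensitive test that a header line starts with name (e.g. "content-type:"). */
static int header_name_is(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (len < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Copy the Content-Type header value of a raw HTTP request into out and return
 * out, or return NULL when the header is absent: that NULL is exactly the value
 * that reaches the content-type check in the backtrace above. */
static const char *find_content_type(const char *request, char *out, size_t outlen)
{
    const char *p = strchr(request, '\n');      /* skip the request line */
    if (!p)
        return NULL;
    p++;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len && p[len - 1] == '\r')
            len--;
        if (len == 0)                           /* blank line ends the headers */
            break;
        if (header_name_is(p, len, "content-type:")) {
            const char *v = p + 13;
            size_t vlen = len - 13;
            while (vlen && (*v == ' ' || *v == '\t')) { v++; vlen--; }      /* trim leading blanks */
            while (vlen && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t')) vlen--; /* trim trailing */
            if (vlen >= outlen)
                vlen = outlen - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return out;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return NULL;
}

/* Unguarded check, shaped like cimXmlParserProcessed.c:1739 in the report:
 * strncmp() reads through content_type, so a NULL pointer segfaults here. */
static int check_content_type_unsafe(const struct req_ctx *ctx)
{
    return strncmp(ctx->content_type, "application/xml", 15) != 0 ? 1 : 0;
}

/* Guarded check: a missing header is rejected (rc = 1) instead of dereferenced,
 * matching what the existing mismatch branch already does. 0 = accept. */
static int check_content_type_safe(const struct req_ctx *ctx)
{
    if (ctx->content_type == NULL)
        return 1;
    if (strncmp(ctx->content_type, "application/xml", 15) != 0)
        return 1;
    return 0;
}

/* Whole path for one raw request: parse the header, then run the guarded check. */
static int handle_post(const char *raw)
{
    char buf[64];
    struct req_ctx ctx;
    ctx.content_type = find_content_type(raw, buf, sizeof buf);
    return check_content_type_safe(&ctx);
}

/* Constructed sample requests (not the advisory's reproducer). */
static const char *const REQ_XML =
    "POST /cimom HTTP/1.1\r\nHost: localhost\r\n"
    "Content-Type: application/xml\r\nContent-Length: 5\r\n\r\n<CIM>";
static const char *const REQ_NO_TYPE =
    "POST /cimom HTTP/1.1\r\nHost: localhost\r\nContent-Length: 5\r\n\r\n<CIM>";
static const char *const REQ_TEXT =
    "POST /cimom HTTP/1.1\r\nHost: localhost\r\n"
    "content-type: text/plain\r\nContent-Length: 5\r\n\r\n<CIM>";

int main(void)
{
    struct req_ctx ok = { "application/xml" };
    /* The unsafe check is only exercised with a non-NULL pointer here; calling it
     * with content_type == NULL reproduces the SIGSEGV from the backtrace. */
    printf("unsafe, header present: rc=%d\n", check_content_type_unsafe(&ok));
    printf("with Content-Type xml:  rc=%d\n", handle_post(REQ_XML));
    printf("without Content-Type:   rc=%d\n", handle_post(REQ_NO_TYPE));
    printf("with text/plain:        rc=%d\n", handle_post(REQ_TEXT));
    return 0;
}
```

The guarded check keeps the original's strncmp with length 15, so a value such as "application/xml; charset=utf-8" is still accepted; the only behavioural change is that a NULL pointer now takes the rc=1 path instead of crashing the child process.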
