SBLIM Small Footprint CIM Broker (SFCB) 1.4.9 has a NULL pointer dereference vulnerability (DoS) via a crafted POST request to the /cimom URI. References: http://www.openwall.com/lists/oss-security/2018/02/07/1
Created sblim-sfcb tracking bugs for this issue: Affects: fedora-all [bug 1543826]
Information for Fedora 27. Attach GDB to the "http daemon" and run the public reproducer,

Thread 2.1 "sfcbd" received signal SIGSEGV, Segmentation fault...
(gdb) bt
#0  scanCimXmlRequest (ctx=ctx@entry=0x7fff15d5d020, xmlData=0x564fe41bb220 "<?xml version=\"1.0\" ?>\n<CIM CIMVERSION=\"2.0\" DTDVERSION=\"2.0\">\n <MESSAGE ID=\"4711\" PROTOCOLVERSION=\"1.0\">\n <SIMPLEREQ>\n <IMETHODCALL NAME=\"EnumerateInstances\">\n", ' ' <repeats 12 times>, "<LOCALNAMESPA"..., rc=rc@entry=0x7fff15d5cbfc) at cimXmlParserProcessed.c:1739
#1  0x00007fb3b85f140e in handleCimRequest (ctx=ctx@entry=0x7fff15d5d020, flags=flags@entry=0, more=more@entry=0x564fe41bd6d0 "") at cimRequest.c:1850
#2  0x00007fb3b88046ed in doHttpRequest (conn_fd=...) at httpAdapter.c:1400
#3  0x00007fb3b8805dd5 in handleHttpRequest (sslMode=<optimized out>, connFd=141) at httpAdapter.c:1742
#4  acceptRequest (sock=<optimized out>, ssin=<optimized out>, sin_len=<optimized out>, sslMode=<optimized out>) at httpAdapter.c:2023
#5  0x00007fb3b8807854 in httpDaemon (argc=<optimized out>, argv=<optimized out>, sslMode=<optimized out>, adapterNum=<optimized out>, ipAddr=<optimized out>, ipAddrFam=<optimized out>, sfcbPid=0) at httpAdapter.c:2464
#6  0x0000564fe3622335 in startHttpd (argc=1, argv=0x7fff15d5ed78, sslMode=1) at sfcBroker.c:538
#7  0x0000564fe36218b6 in main (argc=1, argv=0x7fff15d5ed78) at sfcBroker.c:1060

cimXmlParserProcessed.c:1739 ->

  if (strncmp(ctx->contentType,"application/xml",15) !=0 ) {
    *rc=1;
    return control.reqHdr;
  }

(gdb) print ctx->contentType
$3 = 0x0

This looks like a standard NULL pointer dereference flaw.

...

Perhaps the following untested patch could fix this crash,

diff --git a/cimXmlParserProcessed.c b/cimXmlParserProcessed.c
index 7098392..065a38b 100644
--- a/cimXmlParserProcessed.c
+++ b/cimXmlParserProcessed.c
@@ -1736,6 +1736,11 @@ scanCimXmlRequest(CimRequestContext *ctx, char *xmlData, int *rc) control.MQs = 0; control.MPQs = 0; + if (!ctx->contentType) + *rc=1; + return control.reqHdr; + } + if (strncmp(ctx->contentType,"application/xml",15) !=0 ) { *rc=1; return control.reqHdr;
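Review bot: the added `if (!ctx->contentType)` line is missing its opening brace, so as written only `*rc=1;` is guarded by the condition, `return control.reqHdr;` executes unconditionally for every request, and the added `}` two lines later has no matching `{` in the inserted block, which leaves the function with unbalanced braces and will not compile. It should read `if (!ctx->contentType) {`, matching the brace layout of the existing `if (strncmp(ctx->contentType,"application/xml",15) !=0 ) {` block directly below it.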
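As an added illustration, not the patch author's code and not SFCB source: a small C model of how the check at cimXmlParserProcessed.c:1739 is reached with ctx->contentType == NULL, beside the null check a hardened version needs. It assumes the NULL comes from a POST that carries no Content-Type header (the page shows the NULL pointer but not the reproducer itself); the request texts, the find_header helper and the one-field CimRequestContext layout are constructed for this example, and only the field name and the strncmp() test are taken from the backtrace above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Modelled on the ctx argument in the backtrace, reduced to the one field
 * this example needs. NULL means no Content-Type header was present. */
typedef struct {
    char *contentType;
} CimRequestContext;

/* Constructed requests, not captures. REQ_NO_TYPE is the assumed shape of
 * the crashing input: a POST to /cimom without a Content-Type header. */
static const char REQ_WITH_TYPE[] =
    "POST /cimom HTTP/1.1\r\n"
    "Content-Type: application/xml; charset=utf-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

static const char REQ_WRONG_TYPE[] =
    "POST /cimom HTTP/1.1\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

static const char REQ_NO_TYPE[] =
    "POST /cimom HTTP/1.1\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

/* Case-insensitive "name:" match at the start of one header line. */
static int name_matches(const char *line, const char *name, size_t nlen)
{
    for (size_t i = 0; i < nlen; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return line[nlen] == ':';
}

/* Hypothetical header lookup: returns a malloc'd copy of the header value,
 * or NULL when the header is absent. That NULL is what flows into ctx. */
static char *find_header(const char *req, const char *name)
{
    size_t nlen = strlen(name);
    const char *line = strchr(req, '\n');      /* skip the request line */
    while (line != NULL) {
        line++;                                /* first byte of a header line */
        if (*line == '\0' || *line == '\r' || *line == '\n')
            break;                             /* blank line: end of headers */
        if (name_matches(line, name, nlen)) {
            const char *v = line + nlen + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            size_t vlen = strcspn(v, "\r\n");
            char *out = malloc(vlen + 1);
            if (out == NULL)
                return NULL;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return out;
        }
        line = strchr(line, '\n');
    }
    return NULL;
}

/* Same shape as the pre-patch test at line 1739: strncmp() dereferences
 * contentType without checking it. Returns 1 to reject, 0 to continue. */
static int check_content_type_unsafe(const CimRequestContext *ctx)
{
    if (strncmp(ctx->contentType, "application/xml", 15) != 0)
        return 1;
    return 0;
}

/* Hardened form: a missing header is rejected before any dereference. */
static int check_content_type_safe(const CimRequestContext *ctx)
{
    if (ctx->contentType == NULL)
        return 1;
    if (strncmp(ctx->contentType, "application/xml", 15) != 0)
        return 1;
    return 0;
}

/* Builds the context for one request, runs the chosen check, frees it. */
static int handle_request(const char *req, int (*check)(const CimRequestContext *))
{
    CimRequestContext ctx;
    ctx.contentType = find_header(req, "Content-Type");
    int rc = check(&ctx);
    free(ctx.contentType);
    return rc;
}

int main(void)
{
    /* handle_request(REQ_NO_TYPE, check_content_type_unsafe) would SIGSEGV
     * in strncmp(), just like frame #0 above, so it is not called here. */
    printf("unsafe, XML type:  rc=%d\n", handle_request(REQ_WITH_TYPE, check_content_type_unsafe));
    printf("safe,   XML type:  rc=%d\n", handle_request(REQ_WITH_TYPE, check_content_type_safe));
    printf("safe,   text type: rc=%d\n", handle_request(REQ_WRONG_TYPE, check_content_type_safe));
    printf("safe,   no header: rc=%d\n", handle_request(REQ_NO_TYPE, check_content_type_safe));
    return 0;
}
```

The point the model makes is that the header lookup legitimately returns NULL for an absent header, so every consumer of ctx->contentType has to treat NULL as a valid state; the pre-patch strncmp() call does not, and the hardened check rejects the request (rc=1) before the pointer is touched.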
Statement: This issue did not affect the versions of sblim-sfcb as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.