Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2021-44790: Code Execution on Apache via an Integer Underflow - 773

Chamal, Guy Lederfein & Dusan Stevonic - ZDI Posted 4 Years Ago
  • Apache HTTP Server is the most popular web server on the internet and needs no introduction. Apache has many runtime-loadable modules that extend its functionality. One of these is mod_lua, which lets Lua scripts be hooked into request processing from the configuration file.
  • HTTP bodies can carry many different Content-Types. One of these is multipart/form-data, which sends data in multiple parts, each introduced by a boundary line and carrying its own Content-Disposition header plus some other formatting.
  • In the Lua module there is a function called r:parsebody() which parses the body of a POST request. When computing the length of each element's data, it subtracts the offset of the CRLF pair that ends the element's headers and then 8 bytes more to account for the CRLFs surrounding the data. The scan for an element ends once the boundary string (--) is found. But what happens if the element is improperly formatted? Any time a size is computed by subtraction, we should always think integer underflow!
  • If the form element is not properly formatted and the boundary string (--) appears less than 8 bytes after the CRLF pair, the subtraction underflows. Since the variable is unsigned, a small negative number turns into a very large positive one. On its own this does not look exploitable, but there is a saving feature: later on, an allocation of size+1 is performed, and size+1 wraps around to an allocation of 0 bytes if the original subtraction produced -1.
  • Down the road, this size is used for a memcpy that copies the element's data into that buffer. Since the buffer is nowhere near this size (because of the wraparound), the result is a large heap buffer overflow. Although they claim this leads to code execution, I feel like this would crash the server since it is a wildcopy with no stopping factors.
  • Overall, good find! I wish the write-up had more pictures (instead of all text) as it is quite dense.
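The arithmetic behind the notes above, as an added example that is not code from this page or from Apache httpd: a small model of the multipart element sizing described in the bullets (find the boundary, find the CRLFCRLF that ends the headers, find the next boundary, compute `end - crlf - 8`), first unchecked and then with the ordering and minimum-distance check that prevents the underflow. The function names, the `part_len_t` struct, the 8-byte constant, the bare-boundary search order and the three sample bodies are all assumptions constructed for the demonstration, not the httpd source. It goes slightly beyond the write-up by also covering a part whose headers lack the blank line, so that the CRLFCRLF found belongs to a later part and lies after `end`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of sizing one multipart element. alloc_len is what a
 * "size + 1" allocation would request; it wraps to 0 when vlen is SIZE_MAX. */
typedef struct {
    int ok;           /* 1 = length is sane, 0 = malformed part rejected */
    size_t vlen;      /* computed element length (wraps on underflow) */
    size_t alloc_len; /* vlen + 1 */
} part_len_t;

/* Unchecked arithmetic in the shape the note describes (hypothetical model,
 * not the httpd code): crlf points at the "\r\n\r\n" that ends the element
 * headers, end points at the next bare boundary token. The data sits between
 * crlf + 4 and the "\r\n--" that precedes end, hence the 8. Nothing here
 * guarantees end >= crlf + 8. */
static part_len_t unchecked_len(const char *crlf, const char *end)
{
    part_len_t r;
    r.vlen = end - crlf - 8;   /* negative ptrdiff_t stored in size_t: underflow */
    r.alloc_len = r.vlen + 1;  /* SIZE_MAX + 1 wraps to 0 */
    r.ok = 1;
    return r;
}

/* Hardened version: validate ordering and minimum distance before
 * subtracting, so the computed size can never go "negative". */
static part_len_t checked_len(const char *crlf, const char *end)
{
    part_len_t r = { 0, 0, 0 };
    if (end < crlf || (size_t)(end - crlf) < 8)
        return r;              /* boundary before the header end or too close */
    r.vlen = (size_t)(end - crlf) - 8;
    r.alloc_len = r.vlen + 1;
    r.ok = 1;
    return r;
}

/* Size the first element of a NUL-terminated body the way the note
 * describes the scan: start at the first boundary, find the header-ending
 * CRLFCRLF, find the next boundary, then size the data in between. */
static part_len_t measure_first_part(const char *body, const char *boundary,
                                     int hardened)
{
    part_len_t none = { 0, 0, 0 };
    const char *start = strstr(body, boundary);
    if (!start) return none;
    const char *crlf = strstr(start, "\r\n\r\n");
    const char *end = strstr(start + strlen(boundary), boundary);
    if (!crlf || !end) return none;
    return hardened ? checked_len(crlf, end) : unchecked_len(crlf, end);
}

/* Constructed sample bodies (not captured traffic). */
static const char BOUNDARY[] = "XyZ77";

/* Well-formed: value "hello", end - crlf == 13, vlen == 5. */
static const char GOOD_BODY[] =
    "--XyZ77\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\n"
    "hello\r\n--XyZ77--\r\n";

/* Boundary only 7 bytes after the CRLFCRLF: vlen == (size_t)-1, vlen + 1 == 0. */
static const char SHORT_BODY[] =
    "--XyZ77\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\n"
    "X--XyZ77--\r\n";

/* First part has no blank line, so the CRLFCRLF found belongs to the
 * second part and lies after end: end - crlf is negative. */
static const char NO_BLANK_BODY[] =
    "--XyZ77\r\nContent-Disposition: form-data; name=\"f\"\r\n"
    "--XyZ77\r\nContent-Disposition: form-data; name=\"g\"\r\n\r\n"
    "v\r\n--XyZ77--\r\n";

static void report(const char *label, const char *body)
{
    part_len_t u = measure_first_part(body, BOUNDARY, 0);
    part_len_t h = measure_first_part(body, BOUNDARY, 1);
    printf("%-9s unchecked: vlen=%zu alloc=%zu | hardened: %s\n",
           label, u.vlen, u.alloc_len, h.ok ? "accepted" : "rejected");
}

int main(void)
{
    report("good", GOOD_BODY);
    report("short", SHORT_BODY);
    report("no-blank", NO_BLANK_BODY);
    return 0;
}
```

The unchecked path never copies anything, so it is safe to run; it only shows the wrapped values that would reach the `size + 1` allocation and the `memcpy`. The hardened check compares pointers before subtracting rather than testing the result afterwards, since a `size_t` can never be negative and a post-hoc `vlen < 0` test would be optimised away.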