
ubuntu-translations-coordinators team mailing list archive

[Bug 1573594] [NEW] Missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS response handling


*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

[Impact]

When connecting to a server using SASL,
memcached_sasl_authenticate_connection() reads the list of supported
mechanisms [1] from the server via the command
PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string
containing supported authentication mechanisms, which gets stored into
the (uninitialized) destination buffer without null termination [2].

The buffer then gets passed to sasl_client_start [3] which treats it as
a null-terminated string [4], reading uninitialised bytes in the buffer.

As the buffer lives on the stack, an attacker that can put strings on
the stack before the connection gets made, might be able to tamper with
the authentication.

[1] libmemcached/sasl.cc:174
[2] libmemcached/response.cc:619
[3] libmemcached/sasl.cc:231
[4] http://linux.die.net/man/3/sasl_client_start
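An added illustration of the defensive handling the [Impact] section calls for (example code written for this page, not libmemcached's own code): the mechanism list from a SASL_LIST_MECHS body is copied into a fixed buffer that is always initialised and always NUL-terminated, so a later sasl_client_start()-style consumer never reads past the copied bytes. The buffer size, function names and the sample response body are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size for this example; libmemcached's own buffer may differ. */
#define MECH_BUF_SIZE 1024

/*
 * Copy the body of a SASL_LIST_MECHS response into `out` as a valid C string.
 * Returns 0 on success, -1 if the body would not fit together with its
 * terminator, and -2 if the body carries an embedded NUL (a server should
 * never send one; accepting it would silently truncate the mechanism list).
 */
int copy_mech_list(const uint8_t *body, size_t body_len, char *out, size_t out_size)
{
    if (out == NULL || out_size == 0) return -1;
    out[0] = '\0';                        /* never hand back an uninitialised buffer */
    if (body_len >= out_size) return -1;  /* keep room for the trailing NUL */
    if (body_len > 0 && memchr(body, '\0', body_len) != NULL) return -2;
    if (body_len > 0) memcpy(out, body, body_len);
    out[body_len] = '\0';                 /* the termination the bug omitted */
    return 0;
}

/* Return 1 if `mech` appears as a whole space-separated token in `list`. */
int mech_list_contains(const char *list, const char *mech)
{
    size_t mlen = strlen(mech);
    const char *p = list;
    if (mlen == 0) return 0;
    while (*p) {
        while (*p == ' ') p++;            /* skip separators */
        const char *start = p;
        while (*p && *p != ' ') p++;      /* scan one token */
        if ((size_t)(p - start) == mlen && memcmp(start, mech, mlen) == 0) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed response body: a mechanism list with no trailing NUL. */
    static const uint8_t body[] = { 'P','L','A','I','N',' ','C','R','A','M','-','M','D','5' };
    char mechs[MECH_BUF_SIZE];
    if (copy_mech_list(body, sizeof body, mechs, sizeof mechs) != 0) {
        fputs("bad mechanism list\n", stderr);
        return 1;
    }
    printf("mechs: \"%s\"  PLAIN supported: %d\n", mechs, mech_list_contains(mechs, "PLAIN"));
    return 0;
}
```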


[Test Case]

This bug is difficult to reproduce since it depends on the contents of the stack.
However, here is a test case using the fix on Bionic that shows that this fix does not cause any problems.

For testing you need

1) A memcached server.
   You can set one up by following the instructions in [1],
   or (what I did) create one in the cloud [2].

2) A client test program to connect to the memcached server.
   One can be found in [3].
   This simple test connects to a memcache server and tests basic get/set operations.
   Copy and paste the C code into a file (sasl_test.c) and compile with:
   gcc -o sasl_test -O2 sasl_test.c -lmemcached -pthread

3) On a machine with the updated version of libmemcached in which the fix is applied:
   jo@bionic-vm:~$ dpkg -l | grep libmemcached
ii  libhashkit-dev:amd64                  1.0.18-4.2ubuntu0.18.04.1              amd64        libmemcached hashing functions and algorithms (development files)
ii  libhashkit2:amd64                     1.0.18-4.2ubuntu0.18.04.1              amd64        libmemcached hashing functions and algorithms
ii  libmemcached-dbg:amd64                1.0.18-4.2ubuntu0.18.04.1              amd64        Debug Symbols for libmemcached
ii  libmemcached-dev:amd64                1.0.18-4.2ubuntu0.18.04.1              amd64        C and C++ client library to the memcached server (development files)
ii  libmemcached-tools                    1.0.18-4.2ubuntu0.18.04.1              amd64        Commandline tools for talking to memcached via libmemcached
ii  libmemcached11:amd64                  1.0.18-4.2ubuntu0.18.04.1              amd64        C and C++ client library to the memcached server
ii  libmemcachedutil2:amd64               1.0.18-4.2ubuntu0.18.04.1              amd64        library implementing connection pooling for libmemcached

   Run the sasl_test binary:
   #./sasl_test [username] [password] [server]

   In my case using the credentials and the server created in step 1:
   jo@bionic-vm:~$ ./sasl_test 88BAB0 1A99094B77C8935ED9F1461C767DB1F9 mc2.dev.eu.ec2.memcachier.com
   Get/Set success!

[1] https://blog.couchbase.com/sasl-memcached-now-available/
[2] https://www.memcachier.com/
[3] https://blog.memcachier.com/2014/11/05/ubuntu-libmemcached-and-sasl-support/

[Regression Potential]

This fix initialises the buffer to 0.
Any potential regression may include failure of the authentication when using SASL.

[Other Info]

This bug affects trusty and later.

* rmadison:
 libmemcached | 1.0.8-1ubuntu2 | trusty  | source
 libmemcached | 1.0.18-4.1     | xenial  | source
 libmemcached | 1.0.18-4.2     | bionic  | source
 libmemcached | 1.0.18-4.2     | cosmic  | source
 libmemcached | 1.0.18-4.2     | disco   | source

* Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919696

* Upstream seems pretty quiet since 2014

Unfortunately, because the project seems more or less dead ... it seems
like we won't be able to submit anything upstream and go straight to fixing
Debian and Ubuntu.

- Repo:
bzr branch lp:libmemcached

- Last commit:
revno: 1113 [merge]
committer: Continuous Integration <ci@xxxxxxxxxxx>
branch nick: workspace
timestamp: Sun 2014-02-16 03:31:37 -0800
message:
  Merge bzr://soup.haus/ Build: jenkins-Libmemcached-473

** Affects: ubuntu-translations
     Importance: Undecided
         Status: New

** Affects: libmemcached (Ubuntu)
     Importance: Medium
     Assignee: Ioanna Alifieraki (joalif)
         Status: Fix Released

** Affects: libmemcached (Ubuntu Trusty)
     Importance: Medium
     Assignee: Ioanna Alifieraki (joalif)
         Status: Fix Committed

** Affects: libmemcached (Ubuntu Xenial)
     Importance: Medium
     Assignee: Ioanna Alifieraki (joalif)
         Status: Fix Committed

** Affects: libmemcached (Ubuntu Bionic)
     Importance: Medium
     Assignee: Ioanna Alifieraki (joalif)
         Status: Fix Committed

** Affects: libmemcached (Ubuntu Cosmic)
     Importance: Medium
     Assignee: Ioanna Alifieraki (joalif)
         Status: Fix Committed

** Affects: libmemcached (Ubuntu Disco)
     Importance: Medium
     Assignee: Ioanna Alifieraki (joalif)
         Status: Fix Released

** Affects: libmemcached (Debian)
     Importance: Unknown
         Status: New


** Tags: patch sts sts-sponsor-slashd verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-trusty verification-needed-xenial
-- 
Missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS response handling
https://bugs.launchpad.net/bugs/1573594