Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-8448: analysisd: OS_CleanMSG segfault processing invalid msg location. #1815

Closed
cpu opened this issue Jan 15, 2020 · 1 comment · Fixed by #1823
Closed

CVE-2020-8448: analysisd: OS_CleanMSG segfault processing invalid msg location. #1815

cpu opened this issue Jan 15, 2020 · 1 comment · Fixed by #1823

Comments

@cpu
Copy link

cpu commented Jan 15, 2020

In src/analysisd/cleanevent.c the ossec-analysisd's OS_CleanMSG function handles the location portion of a message differently when the first character after a 2 digit ID is (, indicating it came from a remote agent via ossec-remoted.

When remote agent locations are processed OS_CleanMSG tries to null terminate the received location substring of the overall log message to store in lf->location by advancing past the -> in the string to the first : character:

/* Is this from an agent? */
if ( *msg == '(' )
{ /* look past '->' for the first ':' */
pieces = strchr(strstr(msg, "->"), ':');
if(!pieces)
{
merror(FORMAT_ERROR, ARGV0);
return(-1);
}
}
*pieces = '\0';
pieces++;
os_strdup(msg, lf->location);

Unfortunately the nesting of strstr as the first argument to strchr on L48 doesn't account for the possibility of a location string that starts with ( but doesn't contain a ->.

E.g. processing the msg 00:(: will result in the strstr returning NULL, meaning the strchr call will be strchr(NULL, ":") and a segfault will occur.

This code was introduced in 95cd0c9 on Nov 13, 2013. I believe it affects OSSEC 2.7+.

It seems that in all cases ossec-remoted will always write a well-formed location into the message it writes to the ossec UNIX domain socket queue because it uses SendMSG and populates the locmsg unconditionally:

/* Generate srcmsg */
snprintf(srcmsg, OS_FLSIZE, "(%s) %s",
keys.keyentries[agentid]->name,
keys.keyentries[agentid]->ip->ip);

snprintf(tmpstr, OS_MAXSTR, "%c:%s->%s", loc, locmsg, message);

I believe that means the only way this is triggerable is with direct write access to the socket, and probably makes the exploitability very low.

One possible fix (edit: implemented in #1823) is to separate the strstr and return an error when it returns NULL before performing the subsequent strchr with the result pointer.

@cpu cpu changed the title analysisd: OS_CleanMSG segfault processing invalid msg location. CVE-2020-8448: analysisd: OS_CleanMSG segfault processing invalid msg location. Jan 30, 2020
@cpu
Copy link
Author

cpu commented Jan 30, 2020

This was assigned CVE-2020-8448

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant