H2O Webserver Stack-based buffer overflow

Stack-based vulnerability on H2O Webserver

The past few weeks I have been considering making some changes to my application stack. Currently, my stack consists of the OpenBSD OS with Nginx as a load balancer and a web application written in Go. I wanted to give the H2O server a try. H2O is a high-performance web server and web library written in the C language.

The performance of the server is really good, no questions there. Next, I wanted to do my own security audit. After several hours of fuzzing the network protocol and doing other local checks I was finally able to crash the server. I did a little more digging and discovered a pattern that seemed to trigger the issue. With the help of gdb I was able to confirm it was a stack-based buffer overflow.

Image 1 - Crash inside the yoml__resolve_merge() function.

After close inspection I noticed that different input patterns triggered the crash in different locations inside the program.

Image 2 - Crash inside the yoml_find_anchor() function.

Vulnerability Details

Issue

Under certain conditions, the program fails to properly parse anchors and references ('&' and '*').

Versions affected

H2O v2.2.5 and v2.3.0-beta1 are confirmed to be vulnerable.

Vulnerability details

Stack-based buffer overflow.

Impact

The server crashes. Specially crafted input may allow an attacker to escalate privileges.

Testing for the vulnerability

Here is a non-weaponized configuration file that triggers the crash. Pass it to H2O with the -c command-line flag to test whether your server is affected.
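Since the issue lives in how the configuration parser handles anchors and references, a pre-flight check on the config file before it reaches an unpatched server is a cheap mitigation. The script below is an added example, not code from the original post or from the H2O project: it scans a YAML file for aliases that point at an undefined anchor, at an anchor redefined later, or at the very node that defines them, and reports them by line. The sample configuration is constructed for the example and contains deliberate bad references.

```python
import re

# Quoted scalars and comments may legitimately contain '&' or '*'; blank them out first.
_STRIP = re.compile(r"'[^']*'|\"(?:\\.|[^\"\\])*\"|#.*$")
_ANCHOR = re.compile(r"(?<![\w*])&([\w.-]+)")   # &name
_ALIAS = re.compile(r"(?<![\w&])\*([\w.-]+)")   # *name (also used by merge keys: <<: *name)


def check_h2o_yaml(text):
    """Return [(line_no, message)] for alias/anchor usage a resolver may mishandle."""
    findings = []
    defined = {}       # anchor name -> line where it was defined
    open_nodes = []    # (name, indent) of anchored nodes whose block is still open

    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # A block-style anchored node ends once indentation drops back to its level.
        open_nodes = [(n, i) for n, i in open_nodes if indent > i]
        line = _STRIP.sub("", raw)

        for m in _ALIAS.finditer(line):
            name = m.group(1)
            if name not in defined:
                findings.append((no, f"alias *{name} has no preceding anchor"))
            elif any(n == name for n, _ in open_nodes):
                findings.append((no, f"alias *{name} is inside the node it refers to (cycle)"))

        for m in _ANCHOR.finditer(line):
            name = m.group(1)
            if name in defined:
                findings.append((no, f"anchor &{name} redefined (first seen at line {defined[name]})"))
            defined[name] = no
            open_nodes.append((name, indent))
    return findings


# Constructed sample in H2O config layout; the two bad references are deliberate.
SAMPLE = """\
# constructed sample
hosts:
  "default":
    listen: &listen
      port: 8080
    paths:
      /:
        file.dir: /var/www
    proxy: *listen
    self: &loop
      inner: *loop
    bad: *missing
"""

if __name__ == "__main__":
    for no, msg in check_h2o_yaml(SAMPLE):
        print(f"line {no}: {msg}")
```

A clean result only means the file uses anchors and aliases in a well-formed way; it is a gate for config changes, not a substitute for upgrading past the affected versions.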

Status

As of March 18, 2019, I have contacted the development team. I'm waiting for confirmation from their side. Update March 23rd, 2019: The developer is aware of the issue, we had an internal discussion and I have provided several test cases. As exploitation is difficult with no privilege escalation in the default install, the overall risk is low.