The past few weeks I have been considering making some changes to my application stack. Currently, my stack consists of OpenBSD as the OS, Nginx as a load balancer, and a web application written in Go. I wanted to give the H2O server a try. H2O is a high-performance web server and web library written in C.
The performance of the server is really good, no questions there. Next, I wanted to do my own security audit. After several hours of fuzzing the network protocol and doing other local checks, I was finally able to crash the server. I did a little more digging and discovered an input pattern that seemed to trigger the issue. With the help of gdb I was able to confirm it was a stack-based buffer overflow.
Image 1 - Crash inside the yoml__resolve_merge() function.
After close inspection I noticed that different input patterns triggered the crash in different locations inside the program.
Image 2 - Crash inside the yoml_find_anchor() function.
Under certain conditions, the program fails to properly parse anchors and references ('&' and '*').
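The crash sites above (merge resolution and anchor lookup) are exactly the code paths where reference expansion has to be bounded. The following is an added illustration, not H2O's yoml code and not a reproduction of the triggering file: a small resolver for YAML-style anchors (`&`), aliases (`*`) and merge keys (`<<`) over an already-parsed document, with the two guards such a parser needs, a hard depth limit and cycle detection, so that malformed references are rejected with an error instead of running off the end of the stack. The `Anchor`/`Alias` node types and `MAX_DEPTH` are assumptions of this example.

```python
# Added illustration, not H2O's yoml code: resolves YAML-style anchors (&),
# aliases (*) and merge keys (<<) with bounded depth and cycle detection.
from dataclasses import dataclass
from typing import Any, Optional

MAX_DEPTH = 64  # assumed limit; real configs nest far less deeply


@dataclass
class Anchor:  # models "&name value"
    name: str
    value: Any


@dataclass
class Alias:  # models "*name"
    name: str


class RefError(ValueError):
    """Raised for unknown, cyclic or too deeply nested references."""


def resolve(node: Any, anchors: Optional[dict] = None, depth: int = 0,
            active: frozenset = frozenset()) -> Any:
    """Return node with anchors registered, aliases expanded and merges applied."""
    anchors = {} if anchors is None else anchors
    if depth > MAX_DEPTH:  # hard bound: no input can recurse without limit
        raise RefError("reference nesting deeper than %d" % MAX_DEPTH)
    if isinstance(node, Anchor):
        anchors[node.name] = node.value  # register, then resolve the body
        return resolve(node.value, anchors, depth + 1, active | {node.name})
    if isinstance(node, Alias):
        if node.name not in anchors:
            raise RefError("unknown alias *%s" % node.name)
        if node.name in active:  # that anchor is still being expanded: a cycle
            raise RefError("alias *%s refers back into itself" % node.name)
        return resolve(anchors[node.name], anchors, depth + 1, active | {node.name})
    if isinstance(node, list):
        return [resolve(v, anchors, depth + 1, active) for v in node]
    if isinstance(node, dict):
        out: dict = {}
        for key, val in node.items():
            if key == "<<":  # merge key: copy the referenced mapping in
                merged = resolve(val, anchors, depth + 1, active)
                if not isinstance(merged, dict):
                    raise RefError("merge source is not a mapping")
                out.update({k: v for k, v in merged.items() if k not in out})
            else:  # explicit keys always win over merged ones
                out[key] = resolve(val, anchors, depth + 1, active)
        return out
    return node  # scalar
```

A well-formed document merges as expected, while a self-referencing merge, an unknown alias, or nesting beyond `MAX_DEPTH` raises `RefError` before any unbounded recursion happens.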
H2O v2.2.5 and v2.3.0-beta1 are confirmed to be vulnerable.
Stack-based buffer overflow.
Server crashes. Specially crafted input may allow an attacker to escalate privileges.
Here is a non-weaponized configuration file that triggers the crash. Pass this file to H2O with the -c command-line flag to test whether your server is affected.
As of March 18, 2019, I have contacted the development team. I'm waiting for confirmation from their side.
Update March 23rd, 2019: The developers are aware of the issue; we had an internal discussion and I have provided several test cases.
As exploitation is difficult and there is no privilege escalation in the default install, the overall risk is low.