Open cpu opened 4 years ago
One possible fix would be for the syscheck decoder to os_strdup the lf->hostname and lf->program_name before freeing full_log.
See my comment on the related bug. I believe this fix would cause a memory leak and shouldn't be implemented as described: https://github.com/ossec/ossec-hids/issues/1817#issuecomment-575355241
This was assigned CVE-2020-8447
The
ossec-analysisd
'sOS_ReadMSG
function callsOS_CleanMSG
at the start of processing a message read from the ossec queue UNIX domain socket.In
src/analysisd/cleanevent.c
theOS_CleanMSG
function populates thelf
struct, setting fields likelog
,hostname
andprogram_name
to substrings of thelf->full_log
buffer.After cleaning any syscheck messages are given to the syscheck decoder for further processing.
After processing a syscheck msg from a client the syscheck decoder will free the
lf->full_log
pointer in two places. One place is if the message indicated a change in an existing tracked file:https://github.com/ossec/ossec-hids/blob/60cf8d2e941bcded8a05810d87cb906ff771df92/src/analysisd/decoders/syscheck.c#L572-L576
Another place is if the message indicated a new file to track:
https://github.com/ossec/ossec-hids/blob/60cf8d2e941bcded8a05810d87cb906ff771df92/src/analysisd/decoders/syscheck.c#L601-L604
In both cases the syscheck decoder replaces the existing
lf->log
andlf->full_log
pointers with pointers to new messages after first freeing the oldlf->full_log
. Afterwards theDB_Search
, andDecodeSyscheck
functions return 1 toOS_ReadMSG
.Since the decoder returned 1, the
OS_ReadMSG
function will continue processing the event, it will not jump toCLMEM
:https://github.com/ossec/ossec-hids/blob/60cf8d2e941bcded8a05810d87cb906ff771df92/src/analysisd/analysisd.c#L762-L765
If any subsequent processing rules access the
lf->hostname
orlf->program_name
fields set byOS_CleanMSG
they will be accessing memory of a freed heap chunk previously containinglf->full_log
.I believe the bug was introduced in 8672fa0d5acd1087c285e664804bfa455e9cfd07 on Nov 18, 2006 and affects OSSEC v2.7+.
This code path is triggerable via an authenticated client through the
ossec-remoted
. The client needs only write a valid syscheck message that will have theprogram_name
orhostname
set duringOS_CleanMSG
.I don't have a strong sense for the possibility of exploitation. I suspect this may be turned into an out of bounds read of heap memory accessing
program_name
orhostname
during rule processing if the area pointed to after the syscheck decoder free isn't null terminated.One possible fix would be for the syscheck decoder to
os_strdup
thelf->hostname
andlf->program_name
before freeingfull_log
.