War stories. Part 1

@CesantaHQ

by Sergey Lyubka, Cesanta CTO, for Dublin C/C++ User Group

1. Mongoose web server: MySQL connect fail

• Early 2005 (actually, December 31, 2004)
• OS: MS Windows
• Mongoose web server running PHP CGI application
• PHP script uses MySQL for storing data
• ... and fails to connect to the database!

1. Mongoose web server: MySQL connect fail

• Checking PHP error messages:

mysql_connect(): Can't create TCP/IP socket (10106)

• Checking MSDN for error code 10106:

1. Mongoose web server: MySQL connect fail

• Running PHP script by hands from the command prompt:
• ... works fine
• Created a test C program with mysql_connect() call
• An underlying Winsock socket() call failed with code 10106.

any guess what's going on?

1. Mongoose web server: MySQL connect fail

• Does a web server runs programs any differently?
• Yes. According to the CGI/1.1 standard,
  • A web server must run a CGI script from the directory where that CGI script lives
  • A web server must run a CGI script with the redirected standard IO (that is to make a webserver able to read CGI script's stdout, and pass a POST buffer to the stdin)
  • A web server must start a CGI script with specifically constructed environment (that is mainly to pass HTTP headers to the CGI script as special variables, e.g. HTTP_CONTENT_LENGTH).

1. Mongoose web server: MySQL connect fail

• Same directory: checked from the cmd line, works fine.
• Redirected IO: thought for a minute.. messy to test. skipped to the next
• Environment:
  • Ran "set" command in the prompt
  • Started to copy variables one by one into the environment created by the web server

1. Mongoose web server: MySQL connect fail

1. Mongoose web server: MySQL connect fail

• Winsock's socket() call needs a SYSTEMROOT environment variable
• All programs started by Windows inherit their environment from the parent process, with has SYSTEMROOT variable
• If for some reason that variable is absent, then the program cannot do any TCP/IP networking
• Try it for yourself!
• Then try to find that in the MSDN documentation

1. Mongoose web server: MySQL connect fail

• Winsock implementation sits in WS2_32.dll
• Speculation:
• socket() function might access some configuration parameters via the SYSTEMROOT environment variable

2. Mongoose web server: CGI code disclosure

• Late 2008
• Problem: a security advisory is published!
• Windows version of Mongoose shows CGI file content instead of executing a CGI file
• ... if a CGI file name has a whitespace character appended to it

2. Mongoose web server: CGI code disclosure

• I have run a simple CGI file from the unit test,
  • http://localhost:8080/env.cgi
• Added a space to the end of the URI in the browser
• And, yeah, I saw a CGI file content!
• A security hole was there indeed
• Mongoose was identifying CGI file by file extension
• All files ended with ".cgi" were treaded as CGI
• The rest were shown as-is, like regular files

any guess what was going on?

2. Mongoose web server: CGI code disclosure

• It was not very hard to find!
• Windows runtime code
• And, yeah, I saw a CGI file content!
• A security hole was there indeed
• Mongoose was identifying CGI file by file extension
• All files ended with ".cgi" were treaded as CGI
• The rest were shown as-is, like regular files

any guess what was going on?

2. Mongoose web server: CGI code disclosure

• Windows' fopen() implementation,
• .. which sits in the runtime library msvcrt.dll,
• .. happily opens files which have garbage at the end of file name!

// Opens "a.cgi" with no error
FILE *fp = fopen("a.cgi    ", "r");

• Garbage could be a white space, or '+', or '.',or characters with the upper half of the ASCII table

2. Mongoose web server: CGI code disclosure

• Bottom line:
• Windows may successfully open a file whose path does not exist in the filesystem
• Because MSVC runtime is trying to be smart and prettify the file name by trimming some characters
• Beware! This is a potential security hole

Thank you!

contact me at

sergey.lyubka@cesanta.com