Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4323 PoC — Fluent Bit 安全漏洞

Source
https://github.com/d0rb/CVE-2024-4323
Associated Vulnerability
Title:Fluent Bit 安全漏洞 (CVE-2024-4323)
Description:Fluent Bit是一款使用C语言编写的开源日志处理和分析系统。 Fluent Bit 2.0.7 到 3.0.3版本存在安全漏洞,该漏洞源于 http 服务器对跟踪请求的解析存在安全问题,可能导致拒绝服务条件、信息泄露或远程代码执行。
Description
Critical heap buffer overflow vulnerability in the handle_trace_request and parse_trace_request functions of the Fluent Bit HTTP server.
Readme

<div align="center">

[![Profile Visitors](https://komarev.com/ghpvc/?username=d0rb&label=Visitors&color=0e75b6&style=flat)](https://komarev.com/ghpvc/?username=d0rb)

 #  🇮🇱  **#BringThemHome #NeverAgainIsNow**   🇮🇱

**We demand the safe return of all citizens who have been taken hostage by the terrorist group Hamas. We will not rest until every hostage is released and returns home safely. You can help bring them back home.
https://stories.bringthemhomenow.net/**
</div>


## CVE-2024-4323

## Overview

The `handle_trace_request` and `parse_trace_request` functions in Fluent Bit's HTTP server implementation have been identified as the source of a critical vulnerability, CVE-2024-4323. This vulnerability arises due to insufficient bounds checking and input validation, leading to a potential heap buffer overflow. This review highlights the nature of the vulnerability, its potential impact, and the necessary steps to mitigate it.

## Function Details

### `handle_trace_request` Function

This function handles incoming HTTP trace requests, performing buffer allocation and copying request data.

**Vulnerable Code:**

```c
static int handle_trace_request(struct flb_hs *hs, struct mk_http_session *session, struct mk_http_request *request)
{
    char *buffer;
    size_t size;
    int ret;
    flb_sds_t input_name;

    input_name = get_input_name(request);
    if (input_name == NULL) {
        return -1;
    }

    size = request->data.len;
    buffer = malloc(size);
    if (!buffer) {
        flb_sds_destroy(input_name);
        return -1;
    }

    memcpy(buffer, request->data.data, size);
    ret = parse_trace_request(buffer, size, request);

    free(buffer);
    flb_sds_destroy(input_name);

    return ret;
}
```


### parse_trace_request Function

This function parses the data from the trace request.

Vulnerable Code:
```c
void parse_trace_request(char *buffer, size_t size, struct mk_http_request *request)
{
    if (size > MAX_SIZE) {
        // Handle error
        return;
    }

    // Parsing logic
}
```
### Identified Issues

    Heap Buffer Overflow:
        Buffer Allocation and Copying: The handle_trace_request function directly uses the size of the incoming request data to allocate a buffer and copy data without proper validation. This can lead to a heap buffer overflow if the size exceeds the allocated memory.
        Lack of Bounds Checking: The parse_trace_request function performs a rudimentary size check but does not ensure that the buffer size is within safe limits before parsing.

    Input Validation:
        Inadequate Input Validation: The functions do not sufficiently validate the incoming request data, making them susceptible to malicious payloads designed to exploit the buffer overflow.

### Potential Impact

    Denial of Service (DoS): An attacker can craft a request that causes the application to crash by overflowing the heap buffer, leading to a denial of service.
    Remote Code Execution (RCE): In the worst case, an attacker could exploit the overflow to execute arbitrary code on the server, potentially gaining control over the system.

## Mitigation
Suggested Fix

The following patch introduces bounds checking and input validation to mitigate the vulnerability:

```c
#define MAX_ALLOWED_SIZE 1024 * 1024  // Define a reasonable maximum size

static int handle_trace_request(struct flb_hs *hs, struct mk_http_session *session, struct mk_http_request *request)
{
    char *buffer;
    size_t size;
    int ret;
    flb_sds_t input_name;

    input_name = get_input_name(request);
    if (input_name == NULL) {
        return -1;
    }

    size = request->data.len;
    if (size > MAX_ALLOWED_SIZE) {
        // Log error and return
        flb_sds_destroy(input_name);
        return -1;
    }

    buffer = malloc(size);
    if (!buffer) {
        flb_sds_destroy(input_name);
        return -1;
    }

    memcpy(buffer, request->data.data, size);
    ret = parse_trace_request(buffer, size, request);

    free(buffer);
    flb_sds_destroy(input_name);

    return ret;
}

void parse_trace_request(char *buffer, size_t size, struct mk_http_request *request)
{
    if (size > MAX_ALLOWED_SIZE) {
        // Handle error
        return;
    }

    // Parsing logic
    // ...
}
```
### Key Improvements

    Bounds Checking: Added a check to ensure that the size of the incoming data does not exceed a defined maximum allowed size before allocating the buffer.
    Input Validation: Ensured that input data is validated to prevent oversized or malformed requests from causing a buffer overflow.

## Conclusion

The vulnerability in the handle_trace_request and parse_trace_request functions is a critical issue that can lead to severe security risks, including denial of service and remote code execution. The proposed patch effectively mitigates these risks by introducing robust bounds checking and input validation. It is imperative to apply this patch promptly and conduct regular code audits to ensure the security and integrity of the Fluent Bit application.
File Snapshot

 [4.0K]  /data/pocs/711bd401bb8cdcbe2914cb978dd179dc94ae65de
├── [1022]  PoC.py
└── [4.9K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.