CVE-2021-21783
A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.
Genivia gSOAP 2.8.109
Genivia gSOAP 2.8.110
https://www.genivia.com/products.html#gsoap
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-680 - Integer Overflow to Buffer Overflow
The gSOAP toolkit is a C/C++ library for developing XML-based web services. It includes several plugins to support the implementation of SOAP and web service standards. The framework also provides multiple deployment options including modules for both IIS and Apache, standalone CGI scripts and its standalone HTTP service.
One of the many plugins provided by gSOAP includes the wsa plugin for supporting the WS-Addressing specification which provides an asynchronous mechanism for routing SOAP requests and responses. The specification includes a
While testing a newer version of gSOAP (2.8.110), it was discovered that we were able to reproduce a previously patched vulnerability again. This vulnerability, TALOS-2020-1187, was disclosed to Genivia and patched in an update in October of 2020. Details of the vulnerability remain the same.
Changes were made to soap_decode to check for negative values but unforunately the checks were added comparing size_t types. size_t data types are unsigned integers which can never hold negative values. When the initial size calculation occurs, an unsigned value will wrap around to a very large number resulting in this condition always being true.
soap_decode(char *buf, size_t len, const char *val, const char *sep)
{
const char *s;
char *t = buf;
size_t i = len;
if (!buf || !val || !sep || len == 0)
return val;
for (s = val; *s; s++)
if (*s != ' ' && *s != '\t' && !strchr(sep, *s))
break;
if (len > 0)
{
if (*s == '"')
{
s++;
while (*s && *s != '"' && i-- > 1)
*t++ = *s++;
}
else
{
while (*s && !strchr(sep, *s) && i-- > 1)
{
if (*s == '%' && s[1] && s[2])
{
*t++ = ((s[1] >= 'A' ? (s[1] & 0x7) + 9 : s[1] - '0') << 4)
+ (s[2] >= 'A' ? (s[2] & 0x7) + 9 : s[2] - '0');
s += 3;
}
else
*t++ = *s++;
}
}
buf[len - 1] = '\0'; /* appease static checkers that get confused */
}
*t = '\0';
while (*s && !strchr(sep, *s))
s++;
return s;
}
2021-01-22 - Vendor Disclosure
2021-03-24 - Public Release
Discovered by a member of Cisco Talos.