FastCGI Integer Overflow Vulnerability Leading to Heap-Based Buffer Overflow

Vulnerability

A vulnerability in FastCGI versions 2.x through 2.4.4 involves an integer overflow that results in a heap-based buffer overflow. The issue is in the ReadParams function in fcgiapp.c, which does not properly validate crafted nameLen or valueLen values in data sent to the IPC socket. The vulnerability can be exploited, particularly in environments without robust system protections, and may lead to remote code execution.
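As an added example (not the fcgiapp.c code itself, and not the project's fix), this is the kind of length validation a FastCGI name-value parser needs before it allocates or copies anything: both lengths are decoded with the FastCGI spec's 1-byte/4-byte encoding, summed in 64-bit arithmetic, and checked against the bytes actually held. The function names `decode_len` and `validate_pair` and the sample inputs are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one FastCGI name-value length field (FCGI_PARAMS encoding):
 * a leading byte with the high bit clear is a 1-byte length; otherwise
 * the length is 4 bytes, big-endian, with the high bit masked off.
 * Returns bytes consumed, or 0 if the buffer ends before the field does. */
static size_t decode_len(const uint8_t *p, size_t avail, uint32_t *out)
{
    if (avail < 1) return 0;
    if ((p[0] & 0x80) == 0) { *out = p[0]; return 1; }
    if (avail < 4) return 0;
    *out = ((uint32_t)(p[0] & 0x7f) << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 4;
}

/* Validate one name-value pair against the `avail` bytes actually held.
 * nameLen and valueLen are summed in 64 bits and compared against the
 * bytes that remain *after* the length fields, so a crafted pair of
 * large lengths cannot wrap a narrower sum and slip past the bounds
 * check. Returns the pair's total size, or 0 if it must be rejected. */
size_t validate_pair(const uint8_t *p, size_t avail)
{
    uint32_t nameLen = 0, valueLen = 0;
    size_t hdr = decode_len(p, avail, &nameLen);
    if (hdr == 0) return 0;
    size_t n = decode_len(p + hdr, avail - hdr, &valueLen);
    if (n == 0) return 0;
    hdr += n;
    uint64_t body = (uint64_t)nameLen + (uint64_t)valueLen;
    if (body > (uint64_t)(avail - hdr)) return 0; /* would read past the buffer */
    return hdr + (size_t)body;
}

int main(void)
{
    /* Constructed inputs: a well-formed pair, and a pair whose two 4-byte
     * length fields claim about 4 GiB of data inside an 8-byte buffer. */
    const uint8_t good[] = {0x01, 0x01, 'A', 'B'};
    const uint8_t bad[]  = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    printf("good pair -> %zu bytes\n", validate_pair(good, sizeof good));
    printf("bad pair  -> %zu (0 = rejected)\n", validate_pair(bad, sizeof bad));
    return 0;
}
```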

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can be leveraged to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by sending crafted data to the FastCGI IPC socket that includes manipulated nameLen or valueLen values. This can be done through a web application that uses FastCGI and is misconfigured to expose the FastCGI socket, or by exploiting another vulnerability, such as server-side request forgery, to send the malicious data.

Remediation

Users are advised to upgrade to FastCGI version 2.4.5, which addresses this vulnerability. Additionally, binding the FastCGI listener to a UNIX domain socket rather than a network port limits remote access to it and helps mitigate the risk.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 9.1
remediation: 7.9
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.