libsoup Out-of-Bounds Read Vulnerability in SoupServer Component Allowing Heap Information Disclosure

A vulnerability has been identified in libsoup, a commonly used HTTP library in GNOME-based systems. This flaw arises from improper validation of byte ranges in HTTP Range headers, which can lead to out-of-bounds read conditions. In certain build configurations, this vulnerability may allow remote attackers to access unauthorized portions of server memory, particularly when the SoupServer component is active. Exploitation requires a vulnerable configuration that permits the processing of crafted Range headers.

Impact

Exploitation of this vulnerability causes an out-of-bounds read, leading to unauthorized disclosure of heap memory contents. This could allow an attacker to access sensitive information such as cryptographic keys or personal data, and in some contexts, could be used to bypass memory protection mechanisms like Address Space Layout Randomization (ASLR). Additionally, the out-of-bounds read could cause a segmentation fault, crashing the application, especially if the read operation assumes the presence of a terminating character in a string.

Reproduction

The vulnerability can be reproduced by sending an HTTP request with a specially crafted Range header that includes an excessively large end value. This request should be directed to a server that is using the vulnerable version of libsoup with the SoupServer component enabled. If the GLib library is compiled without checks, the server may respond with heap memory contents that extend beyond the intended response body.