dabdine-r7 (10)

The details for this vulnerability were scant from Apache, but this is actually an integer overflow in the mod_proxy_uwsgi Apache module. Specifically, if you send enough headers, you can overflow the packet size that gets encoded into the uWSGI protocol header struct. If you do this, you may be able to coerce the uWSGI middleware service to interpret some of the header data as a new uWSGI packet. uWSGI allows file read and remote code execution as part of the protocol.

Here’s the patch that was silently added from ASF (ignore the 16K comment too, since that is wrong, and it should’ve been 65K):
https://github.com/apache/httpd/commit/fb08e475bf322f081665fa6f9d9e346136df9337#

In practice this is a bit difficult to exploit, but could in theory lead to tasty, tasty shells. The most interesting thing about this vulnerability is that you would interpret the title as an issue that allows for code execution within the context of Apache itself, whereas in reality it is an issue which allows payload stuffing that ultimately can lead to command execution by crafted payloads sent to the uWSGI middleware/backend service that Apache fronts.

Given the video showing how to take advantage of this vulnerability: https://youtu.be/3BQKpPNlTSo, this seems like an really easy way to do privilege escalation. Full blog here: https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege