[OpenWrt-Devel] Security Advisory 2020-01-13-1 - uhttpd invalid data access via HTTP POST request (CVE-2019-19945)

Petr Štetiar ynezz at true.cz
Mon Jan 13 10:02:20 EST 2020


Security Advisory 2020-01-13-1 - uhttpd invalid data access via HTTP POST request (CVE-2019-19945)


DESCRIPTION

An invalid data access can be triggered with an HTTP POST request to a CGI
script specifying both `Transfer-Encoding: chunked` and a large
`Content-Length` which exceeds 2^31 and is interpreted as a signed negative
number.

The negative content length is assigned to `r->content_length` in
`client_parse_header` and passed as a negative read length to
`ustream_consume` in `client_poll_post_data` which will set the internal
ustream buffer pointer to an invalid address, causing out of bounds memory
reads later on in the code flow.

A similar implicit unsigned to signed conversion happens when parsing chunk
sizes emitted by a CGI program.
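
As an added example (not uhttpd's own code), the defensive counterpart to the two conversions described above: a Content-Length parser that never goes through a signed integer, and a framing decision that refuses a request carrying both `Transfer-Encoding` and `Content-Length` instead of letting either value reach the read path. `MAX_BODY_LEN` is an assumed server-side cap, not a uhttpd setting.

```c
/* Added example (not uhttpd's code): strict Content-Length parsing. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY_LEN ((uint64_t)1 << 30)   /* assumed: 1 GiB body cap */

/* Parse a Content-Length value into an unsigned 64-bit length.
 * Returns 1 on success, 0 for an empty value, a sign, non-digits,
 * overflow or a length above MAX_BODY_LEN. No signed int is involved,
 * so 2^31 and larger can never wrap into a negative read length. */
int parse_content_length(const char *value, uint64_t *out)
{
    const char *p = value;
    char *end;
    unsigned long long n;
    while (*p == ' ' || *p == '\t')
        p++;
    if (!isdigit((unsigned char)*p))       /* "", "-100000", "+1" */
        return 0;
    errno = 0;
    n = strtoull(p, &end, 10);
    if (errno == ERANGE)                   /* does not fit 64 bits */
        return 0;
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0' || n > MAX_BODY_LEN)  /* "12abc" or oversize */
        return 0;
    *out = n;
    return 1;
}

/* Pick the body framing from the two headers the PoC combines (NULL
 * means the header is absent). RFC 7230 says a request with both
 * Transfer-Encoding and Content-Length ought to be treated as an
 * error, so neither value reaches the read path in that case.
 * Returns 1 = chunked, 2 = fixed length in *len, 0 = reject (400). */
int body_framing(const char *te, const char *cl, uint64_t *len)
{
    if (te && cl)
        return 0;
    if (te)
        return strcmp(te, "chunked") == 0 ? 1 : 0;
    if (cl)
        return parse_content_length(cl, len) ? 2 : 0;
    *len = 0;                              /* no body */
    return 2;
}
```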


REQUIREMENTS

In order to exploit this vulnerability, a malicious attacker would need to
provide a specially crafted HTTP POST request to uhttpd, something like the
following:

 $ cat crash.poc               # crlf line endings, ends with 3 line endings
 POST /cgi-bin/luci HTTP/1.0
 Transfer-Encoding: chunked
 Content-Length: -100000

 $ ./uhttpd -f -p 127.0.0.1:8000 &                 # start uhttpd

 $ nc 127.0.0.1 8000 < crash.poc                   # send POC to uhttpd
 [1]+ Segmentation fault (core dumped)


MITIGATIONS

To fix this issue, update the affected uhttpd package using the command below.

   `opkg update; opkg upgrade uhttpd`

The fix is contained in the following and later versions:

 - OpenWrt master: 2019-12-22 reboot-11760-gf34f9a414dd3
 - OpenWrt 19.07:  2019-12-22 v19.07.0-rc2-32-g414ea309271e
 - OpenWrt 18.06:  2019-12-22 v18.06.5-40-gb90156361152


AFFECTED VERSIONS

To our knowledge, OpenWrt versions 18.06.0 to 18.06.5 are affected. The fixed
packages are integrated in the OpenWrt 18.06.6, OpenWrt 19.07.0 and subsequent
releases. Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are
end-of-life and not supported any more.


CREDITS

The issue was discovered by Jan-Niklas Sohn and fixed by Jo-Philipp Wich.