oss-sec mailing list archives
CVE Request: mini-httpd (<= v1.30) is affected by a response discrepancy information exposure (CWE-204)
From: Salva Peiró <speirofr () gmail com>
Date: Wed, 12 Dec 2018 16:27:02 +0100
Hi everyone,

The mini-httpd daemon (version <= v1.30) shipped in Debian/Ubuntu from [1] is affected by a response discrepancy information exposure (CWE-204) that enables an attacker to remotely enumerate valid htpasswd usernames (RFC 7617).

A more detailed advisory can be found at:

https://speirofr.appspot.com/files/advisory/SPADV-2018-01.md
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916190

Is there a CVE for this? If not, could one be assigned, please?

[1] http://www.acme.com/software/mini_httpd/

Best Regards,
--
Salva Peiró. Software Engineer
https://speirofr.appspot.com

## Description

Requesting an .htpasswd protected URL with a valid username part without providing the corresponding password, e.g., "user:" per (RFC 7617) causes the mini-httpd to unexpectedly terminate.

~~~
user@box $ curl http://user:@127.0.0.1:8000/auth/
curl: (52) Empty reply from server
~~~

The problem is that the mini_httpd.c:2407 contains a NULL pointer dereference bug that allows a remote attacker to enumerate valid htpasswd usernames (RFC 7617).

## Proposed Fix

~~~
From 62eff179b34cd1435017438ab99ed1906b6cc6c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr () gmail com>
Date: Wed, 5 Dec 2018 18:46:46 +0100
Subject: [PATCH] Fix NULL pointer dereference at mini_httpd.c:2407
(SPADV-2018-01)
---
mini_httpd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/mini_httpd.c b/mini_httpd.c
index 03d0cdd..77f030f 100644
--- a/mini_httpd.c
+++ b/mini_httpd.c
@@ -2404,7 +2404,8 @@ auth_check( char* dirname )
/* Yes. */
(void) fclose( fp );
/* So is the password right? */
- if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )
+ char *cryptpass = crypt( authpass, cryp );
+ if ((cryptpass != NULL) && (strcmp(cryptpass, cryp ) == 0) )
{
/* Ok! */
remoteuser = line;
--
2.11.0
~~~
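Review bot: in the new `if`, a NULL return from `crypt()` now falls through to whatever follows this block, which the hunk does not show; please confirm that path returns the same response as a wrong password, since the report is about a response discrepancy and a different reply for the NULL case would leave usernames distinguishable. Separately, `char *cryptpass` is declared after the `(void) fclose( fp );` statement in the same block, so it is a mixed declaration that pre-C99 compilers reject; moving the declaration to the top of the enclosing block avoids that. The new condition also drops the file's spacing style: `strcmp(cryptpass, cryp )` would read `strcmp( cryptpass, cryp )` to match the removed line.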
## Versions affected
All versions of mini-httpd below <= v1.30.
http://www.acme.com/software/mini_httpd/
Debian: https://packages.debian.org/stretch/mini-httpd
Ubuntu: https://launchpad.net/ubuntu/+source/mini-httpd