The MIT-licensed muhttpd web server has security flaws, according to a report by security expert Derek Abdine. The Arris firmware, which is featured in a number of router types, has this web server.
muhttpd web server
A straightforward but comprehensive web server, muhttpd (mu HTTP deamon) is created in portable ANSI C. Its three main objectives are to be straightforward, transportable, and secure. Muhttpd was designed with simplicity in mind, however due to its popularity and ease of use, security must take precedence. This web server is frequently used by ISP customer premise equipment (CPE), and ISP customers typically borrow these routers for telephony and Internet access.
Path traversal
An attempt to access files and folders kept outside the web root folder is known as a path traversal attack.
Since they modify variables that reference files with “dot-dot-slash (../)” sequences and variations of them to access arbitrary files and directories, these attacks are frequently referred to as “dot-dot-slash attacks.”
The path traversal issue affects the muhttpd server 1.1.5 (latest official release 2010). Version 1.1.7 of muhttpd is the most recent release (released June 1, 2022). Unfortunately, the vulnerable version of muhttpd is the foundation of the Arris firmware.
Vulnerabilities
The Common Vulnerabilities and Exposures (CVE) database contains a collection of publicly known vulnerabilities in computer security. Its objective is to facilitate data sharing among various vulnerability capabilities (tools, databases, and services). One of the vulnerabilities discovered by Derek Abdine is:
CVE-2022-31793: path exploration starting at the filesystem root. Any ordinary file on the device can be accessed by simply adding a single character that isn’t a dot (“.”), forward-slash (“/”), or question mark (“?”) before the requested path. If remote administration is enabled, this vulnerability enables any local (LAN) party or unauthenticated remote attacker to obtain:
- The contents of the md5crypt (salted/hashed) passwords in /etc/passwd.
- The SSID and plaintext password of the 2G and 5G Wi-Fi networks are broadcast by the device.
- The usernames and (sometimes encrypted) passwords of all administration account on the system.
- Configuration information including the TR-069 protocol in use by an internet service provider (ISP).
- Session Initiation Protocol (SIP) usernames (phone numbers) and passwords, including SIP endpoint URLs.
- Port forwarding configuration information.
- Other sensitive network information, such as established TCP connections.
- Various system and firewall logs.
A comprehensive list of each device’s LAN IP address, hostname, MAC, uptime, and device details including its operating system and installed apps. The router serial number.
- The certificate and private key for the web management portal.
- Router process information.
Other vulnerabilities
Two other, less straightforward vulnerabilities were discovered by the researcher:
Dereference of a NULL pointer HTTP requests are delivered to the muhttpd server via a non-blocking socket. Accepted socket connections are forwarded to a forked process for execution. The server reads in a loop after receiving data until it receives a string of two carriage return/newline characters. After that, another function that tries to parse the request method takes over processing. The request process, which is a forked version of the server process, will segfault if a NULL byte is introduced into the request stream. Program crashes frequently result from a segmentation fault, also known as a segfault.
The muhttpd server has a buffer over-read when dealing with values that are percent-encoded when defanging URLs. The server tries to decode the following two characters without checking the boundaries when it encounters a percent ” percent ” in the URL. Therefore, the decode URL function will read past the URL data and into the request buffer sections that include the HTTP protocol version string if the URL only contains ” percent ” with no subsequent characters. Although not exploitable in practice, measures should be put in place to stop access to unauthorized address space.
Devices Affected
The impacted muhttpd server is utilized in white label/OEM products by various vendors as well as fibre and DSL-based Arris router products (NVG). These routers are often lent by Internet Service Providers (ISPs) to their millions of subscribers worldwide. For instance, in 2017 researchers found weaknesses in AT&T-distributed Arris modems that were easily exploitable.
NVG443, NVG599, NVG589, and NVG510 Arris router types were discovered to be vulnerable, as well as ISP-specific variations like BGW210 and BGW320. Please be aware that the SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05, and SBR-AC1200P 1.0.5-B05 Arris routers are susceptible to a different vulnerability identified as CVE-2022-26992, which enables attackers to execute arbitrary actions via a well-constructed request.
19,000 vulnerable routers directly connected to the internet were found by internet searches. The majority of the devices have now been patched, and the owners were informed. Both Arris and muhttpd have released fixed versions, however, given the broad use of the firmware and the autonomous management of firmware upgrades by each ISP, it is possible that this problem will last for years.
How to Mitigate
The usage of these vulnerabilities has not yet been reported in the open, but now that they are known about and proof-of-concept code is accessible, it might only be a matter of time until an attack is launched.
You should disable remote administration if your router utilizes a vulnerable version of muhttpd since doing so restricts how the flaws can be used in LAN attacks. Additionally, replace the gadget or purchase a patched version as soon as possible.