Security Advisory 2020-01-13-1 - uhttpd invalid data access via HTTP POST request (CVE-2019-19945)

DESCRIPTION

An invalid data access can be triggered with an HTTP POST request to a CGI script specifying both Transfer-Encoding: chunked and a large Content-Length which exceeds 2^31 and is interpreted as a signed negative number.

The negative content length is assigned to r->content_length in client_parse_header and passed as a negative read length to ustream_consume in client_poll_post_data, which will set the internal ustream buffer pointer to an invalid address, causing out-of-bounds memory reads later on in the code flow.

A similar implicit unsigned-to-signed conversion happens when parsing chunk sizes emitted by a CGI program.

REQUIREMENTS

In order to exploit this vulnerability, a malicious attacker would need to provide a specially crafted HTTP POST request to uhttpd. Something like the following:

    $ cat crash.poc
    # crlf line endings, ends with 3 line endings
    POST /cgi-bin/luci HTTP/1.0
    Transfer-Encoding: chunked
    Content-Length: -100000

    $ ./uhttpd -f -p 127.0.0.1:8000 &   # start uhttpd
    $ nc 127.0.0.1 8000 < crash.poc     # send POC to uhttpd
    [1]+  Segmentation fault (core dumped)

MITIGATIONS

To fix this issue, update the affected uhttpd package using the command below.

    opkg update; opkg upgrade uhttpd

The fix is contained in the following and later versions:

  * OpenWrt master: 2019-12-22 reboot-11760-gf34f9a414dd3
  * OpenWrt 19.07: 2019-12-22 v19.07.0-rc2-32-g414ea309271e
  * OpenWrt 18.06: 2019-12-22 v18.06.5-40-gb90156361152

AFFECTED VERSIONS

To our knowledge, OpenWrt versions 18.06.0 to 18.06.5 are affected. The fixed packages are integrated in the OpenWrt 18.06.6, OpenWrt 19.07.0 and subsequent releases. Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

CREDITS

The issue was discovered by Jan-Niklas Sohn and fixed by Jo-Philipp Wich.

Last modified: 2020/01/26 11:50 by jow
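The root cause described above is a Content-Length value narrowed into a signed integer and then used as a read length. The following is an added illustration, not uhttpd's own code: parse_content_length, naive_content_length and choose_framing are hypothetical names, and the parser rejects negative, non-numeric and oversized values and lets Transfer-Encoding: chunked take precedence, so a request like the one in crash.poc never reaches a read with a negative length.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical hardened parser (not uhttpd's): accept only a plain
 * non-negative decimal value that does not exceed the caller's limit. */
static bool parse_content_length(const char *value, unsigned long long limit,
                                 unsigned long long *out)
{
    char *end;
    unsigned long long n;

    if (value == NULL || *value == '\0')
        return false;
    /* strtoull accepts a sign and silently wraps "-100000" to a huge
     * positive number, so reject any sign character up front. */
    if (value[0] == '-' || value[0] == '+')
        return false;
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return false;
    if (n > limit)
        return false;
    *out = n;
    return true;
}

/* The bug pattern: a signed parse narrowed into int and later used as a
 * read length, so "-100000" comes back as a negative byte count. */
static int naive_content_length(const char *value)
{
    return (int)strtol(value, NULL, 10);
}

enum framing { FRAME_REJECT, FRAME_CHUNKED, FRAME_LENGTH, FRAME_NONE };

/* Decide how to delimit the body: a malformed Content-Length is rejected
 * even when chunked encoding is present; otherwise chunked wins. */
static enum framing choose_framing(const char *transfer_encoding,
                                   const char *content_length,
                                   unsigned long long limit, unsigned long long *len)
{
    bool chunked = transfer_encoding && strcasecmp(transfer_encoding, "chunked") == 0;
    if (content_length && !parse_content_length(content_length, limit, len))
        return FRAME_REJECT;
    if (chunked)
        return FRAME_CHUNKED;
    return content_length ? FRAME_LENGTH : FRAME_NONE;
}
```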