GoAhead Developers Fix Null Byte Injection Vulnerability in Embedded Web Server
Exploitation requires additional vulnerability or device misconfiguration
UPDATE Embedthis fixed a null byte injection vulnerability in GoAhead, the embedded web server deployed on hundreds of millions of devices.
“A specially crafted URL with an embedded character before the extension may result in an incorrect file with a truncated filename serving,” read a security advisory on GitHub documenting the bug.
Quoting the hypothetical URL https://example.com/example%00.html, the notice states that “the is decoded to be NULL”, causing the file manager to serve as “example” instead of ” example.html ”.
As a result, “remote attackers could access documents whose names are strict subsets of longer valid URLs.”
The advisory nonetheless describes the severity of the bug as “low” because “an exploit requires [either] additional vulnerability via downloaded malicious files ”or device configuration errors.
The flaw was discovered by Luke rindels, an infosec master’s student at Carnegie Mellon University, during a 2021 PlaidCTF challenge earlier this month that involved manipulating the values of IoT cameras and sensors.
“GoAhead should only send .html files to the JST manager, but the vulnerability allows any file to be sent to the JST manager.”
While Rindels achieved XSS via a CSP bypass, it was, he conceded, done “using a highly personalized and unlikely setup.”
With the correct device configurations and the required ‘combined vulnerabilities – this could cause a DoS or [an attacker to] take unwanted control of the device, ”says Michael O’Brien, CEO and Founder of Integris The daily sip.
Obstacles to exploitation
However, real-world exploitation appears to be an unlikely scenario.
The server must be misconfigured to “allow file uploads to a directory that also allows JST templates to run” and a JST template must be uploaded “to a file in the upload directory of the same base name without the extension, ”before the file is served with it, O’Brien explains.
But “if an attacker can modify the configuration of the route, he already has access to the whole server and documents anyway”.
Keep up to date with the latest infosec research news
Additionally, the vulnerability “requires that a file with the same base name without an extension be present.” that is, “example” and example.html. Needless to say, most device manufacturers don’t and [it] would be rather strange to do it on purpose.
JST expressions are also device-specific, he adds, so source code access is likely needed as well.
Find the loophole
While looking for evidence of an incorrect extension parsing during CTF, Rindels realized that “the request URL must have been decoded, otherwise it couldn’t call with and delimiters,” Rindels says in a commentary. blog post published yesterday (April 26). .
He suspected that a null byte exploit would fail, perhaps because “dangerous URL encodings like” would not be allowed or decoded, resulting in an error or “attempted broadcast.”
Alternatively, he speculated, “if the is decoded, in an extension request will just be cut off.” There will be no expansion and GoAhead will attempt to broadcast. “
Undeterred, he downloaded a snapshot with the name containing, issued a request for “and to my amazement the nuncio was here!”
Incidentally, the exploit failed to secure the CTF flag because Chrome blocks “URL encoded null bytes”, but could pave the way for Rindels’ very first CVE.
Embedthis fixed the vulnerability in versions 4.1.4 and 5.1.2 of GoAhead. Version 2.2 is not affected.
Embedthis “reacted very quickly,” correcting the flaw on April 5, four days after its notification, Rindels said.
In addition to applying the update, O’Brien urges users to avoid serving JST templates “from directories that do not overlap with download directories.” You should NEVER have any file uploads to a directory that allows content serving and JST templates to be processed ”.
Vendor Says GoAhead is the World’s Most Popular Embedded Web Server, Hosting “Dynamic Embedded Web Applications Through an Event-Driven Single-Threaded Kernel” in medical devices, network equipment and factory automation systems , among others.
This article was updated on April 28 with comments from Embedthis CEO Michael O’Brien.
DON’T FORGET TO READ Pwn2Own 2021: Clickless zoom exploit among winners as payout record was broken