Exploitation requires additional vulnerability or device misconfiguration
UPDATED Embedthis has patched a null byte injection vulnerability in GoAhead, the embedded web server deployed in hundreds of millions of devices.
“A specially crafted URL with a %00 character embedded before the extension can cause an incorrect file with a truncated filename to be served,” reads a security advisory on GitHub documenting the bug.
Citing hypothetical URL https://example.com/example%00.html, the advisory says “the %00 is decoded to be a NULL”, resulting in the file handler serving ‘example’ instead of ‘example.html’.
As a result, “remote attackers could gain access to documents with names that are strict subsets of longer valid URLs.”
The advisory nevertheless describes the bug’s severity as ‘low’ since “an exploit requires [either] an additional vulnerability via uploaded malicious files” or device misconfigurations.
‘Unlikely setup’
The flaw was discovered by Luke Rindels, an infosec Master’s student at Carnegie Mellon University, during a PlaidCTF 2021 challenge earlier this month that involved manipulating IoT camera and sensor values.
“The vulnerability abuses the mismatch between route extension parsing and the decoded filename to dupe GoAhead into thinking a file should be sent to the JST [JavaScript Template] handler even when it has an improper extension,” Rindels tells The Daily Swig.
“GoAhead should only send .html files to the JST handler, but the vulnerability allows for any file to be sent to the JST handler.”
While Rindels achieved XSS via a CSP bypass this was, he conceded, done “using a highly customized and unlikely setup”.
With the right device misconfigurations and “required combined vulnerabilities – it could cause a DoS or [an attacker to] gain unwanted control of the device”, Embedthis CEO and founder Michael O’Brien tells The Daily Swig.
Barriers to exploitation
However, real-world exploitation appears to be an unlikely scenario.
The server must be misconfigured to “permit file uploads to a directory that also allows executing JST templates” and a JST template must be uploaded “to a file in the upload directory of the same base name without the extension”, before the file is served with %00, explains O’Brien.
But “if an attacker can change the route configuration, they already have access to the entire server and documents anyway”.
Catch up on the latest infosec research news
Moreover, the vulnerability “requires a file of the same base name without extension to be present. i.e. ‘example’ and example.html. Needless to say, most device builders do not do this and [it] would be rather strange to do it on purpose.”
JST expressions are also device-specific, he adds, so source code access is probably required too.
Finding the flaw
While hunting for evidence of incorrect extension parsing during the CTF, Rindels realized that “the request URL must have been decoded, otherwise it wouldn’t be able to call strrchr() with . and / delimiters”, recounts Rindels in a blog post published yesterday (26 April).
He suspected that a null bytes exploit would fail, possibly because “dangerous URL encodings like %00” wouldn’t be allowed or decoded, resulting in an error being served or an “attempt to serve /example%00.html”.
Alternatively, he speculated, “if the %00 is decoded, in a request for /example%00.html the extension will simply be cut-off. There will be no extension and GoAhead will attempt to serve /example.”
Undeterred, he uploaded a snapshot with the name example containing <script nonce="<% nonce(); %>"> alert(1);</script>, issued a request for /data/snapshot/example%00.html, “and to my amazement the nonce was there!”
Incidentally, the exploit failed to secure the CTF flag because Chrome blocks “encoded null bytes in URLs”, but could pave the way to Rindels’ first-ever CVE.
Patching, mitigation
Embedthis has addressed the vulnerability in GoAhead versions 4.1.4 and 5.1.2. Version 2.2 is not affected.
Embedthis “responded very quickly”, patching the flaw on April 5, four days after it was reported, said Rindels.
As well as applying the update, O’Brien urges users to avoid serving JST templates “from directories that do not overlap with upload directories. You should NEVER have file uploads to a directory that permits serving content and processing JST templates”.
The vendor says GoAhead is the world’s most popular embedded web server, hosting “dynamic embedded web applications via an event driven, single-threaded core” within medical devices, networking equipment, and factory automation systems, among other devices.
This article was updated on April 28 with comments from Embedthis CEO Michael O’Brien.
DON’T FORGET TO READ Pwn2Own 2021: Zero-click Zoom exploit among winners as payout record smashed
