GoAhead devs fix null byte injection vulnerability in embedded web server - hackeread-2021

 Embedthis fixes null byte injection vulnerability in embedded web server GoAhead

Embedthis has patched a null byte injection vulnerability in GoAhead, the embedded web server deployed in hundreds of millions of devices.

“A specially crafted URL with a %00 character embedded before the extension can cause an incorrect file with a truncated filename to be served,” reads a security advisory on GitHub documenting the bug.

Citing the hypothetical URL https://example.com/example%00.html, the advisory says “the %00 is decoded to be a NULL”, so the file handler serves ‘example’ instead of ‘example.html’: the decoded path is handled as a C string, and the embedded NUL terminates it before the extension.

As a result, “remote attackers could gain access to documents with names that are strict subsets of longer valid URLs.”

The advisory nevertheless describes the bug’s severity as ‘low’ since “an exploit requires [either] an additional vulnerability via uploaded malicious files” or a device that has misconfigured file uploads to be permitted “to a directory that also serves content”.

CSP bypass leading to XSS

The flaw was discovered by Luke Rindels, an infosec Master’s student at Carnegie Mellon University, during a PlaidCTF 2021 challenge earlier this month that involved manipulating IoT camera and sensor values.

“The vulnerability abuses the mismatch between route extension parsing and the decoded filename to dupe GoAhead into thinking a file should be sent to the JST [JavaScript Template] handler even when it has an improper extension,” Rindels told The Daily Swig.

“GoAhead should only send .html files to the JST handler, but the vulnerability allows for any file to be sent to the JST handler.

“Using a highly customized and unlikely setup,” his exploit resulted “in a CSP bypass leading to XSS.

“Data leakage and XSS are what I imagine to be the most likely outcomes of successful exploitation, but it all depends on what templates the operator has implemented,” he continued. 

However, Rindels conceded a lack of familiarity “with how GoAhead is used in the real world, so I don't really know how popular Javascript Templates are and if they're used in any way that poses a threat”.

Incorrect assumptions

While hunting for evidence of incorrect extension parsing during the CTF, he realized that “the request URL must have been decoded, otherwise it wouldn’t be able to call strrchr() with . and / delimiters”, recounts Rindels in a blog post published yesterday (26 April).

He suspected that a null byte exploit would fail, either because “dangerous URL encodings like %00” wouldn’t be allowed or decoded, resulting in an error being served or an “attempt to serve /example%00.html”, or for the reason below.

Alternatively, he speculated, “if the %00 is decoded, in a request for /example%00.html the extension will simply be cut-off. There will be no extension and GoAhead will attempt to serve /example.”

Undeterred, he uploaded a snapshot named ‘example’ containing the template payload `<script nonce="<% nonce(); %>"> alert(1);</script>`, issued a request for /data/snapshot/example%00.html, “and to my amazement the nonce was there!”

Explaining how his “assumptions were incorrect”, he told The Daily Swig: “The route extension is parsed without the null byte interfering (.html), but the filename fetched by GoAhead is truncated because of the null byte (example).”

In the blog post he added that “this is also pretty serious because it [means] any route that depends on an extension to determine the correct handler can be bypassed!”
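The advisory’s description and Rindels’ explanation both come down to one mismatch: the router picks the handler from the extension it sees in the full decoded path, while the file it then opens is the same buffer read as a NUL-terminated C string. The following model is an added illustration, not GoAhead’s source: the document root, the handler table, the `route_ext`/`c_string` helpers and the assumption that the extension scan is length-delimited (so the NUL does not stop it) are all constructed here, and `route_hardened` shows one sound fix (reject any decoded path containing a NUL) rather than the vendor’s actual patch.

```python
"""
Model of the route-extension / filename mismatch behind the GoAhead %00 bug.
Added illustration, not GoAhead's code: DOCS, HANDLERS and both routing
functions are constructed for this example.
"""
from urllib.parse import unquote_to_bytes

# Constructed document root. "/example" stands in for an uploaded file whose
# name is a strict prefix of the longer valid document "/example.html".
DOCS = {
    b"/example.html": b"<html>real page</html>",
    b"/example": b'<script nonce="<% nonce(); %>">alert(1);</script>',
}

# Hypothetical handler table: .html goes to the JST template handler,
# anything else is served as a static file.
HANDLERS = {b".html": "jst", b"": "file"}


def route_ext(path: bytes) -> bytes:
    """Extension as the router sees it: text after the last '.' that follows
    the last '/', scanned over the whole length-delimited decoded buffer.
    Assumption for the model: a NUL inside the buffer does not stop the scan."""
    dot, slash = path.rfind(b"."), path.rfind(b"/")
    return path[dot:] if dot > slash else b""


def c_string(buf: bytes) -> bytes:
    """The filename as a C string API (open/stat) sees it: cut at first NUL."""
    nul = buf.find(b"\x00")
    return buf if nul < 0 else buf[:nul]


def route_vulnerable(url: str):
    """Pre-fix behaviour: handler chosen from the whole decoded buffer, file
    opened from its NUL-terminated view. Returns (status, handler, name, body)."""
    decoded = unquote_to_bytes(url)
    handler = HANDLERS.get(route_ext(decoded), "file")
    filename = c_string(decoded)
    body = DOCS.get(filename)
    if body is None:
        return 404, handler, filename, None
    return 200, handler, filename, body


def route_hardened(url: str):
    """One sound fix (not necessarily the vendor's diff): refuse any request
    whose decoded path contains a NUL, so the extension the router parses and
    the filename the file handler opens always describe the same bytes."""
    decoded = unquote_to_bytes(url)
    if b"\x00" in decoded:
        return 400, None, None, None
    handler = HANDLERS.get(route_ext(decoded), "file")
    body = DOCS.get(decoded)
    if body is None:
        return 404, handler, decoded, None
    return 200, handler, decoded, body


if __name__ == "__main__":
    for url in ("/example.html", "/example", "/example%00.html"):
        print(url, route_vulnerable(url)[:3], "->", route_hardened(url)[:3])
```

With the vulnerable router, `/example%00.html` is classified as `.html`, dispatched to the JST handler, and yet served from `/example`, which is exactly how an uploaded file with no template extension ends up having its `<% nonce(); %>` expanded. The hardened router returns 400 for the same request, and the two legitimate URLs behave identically under both. The check must run after percent-decoding; rejecting the literal string `%00` before decoding would miss other encodings of the same byte.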

Incidentally, the exploit failed to secure the CTF flag because Chrome “does not allow encoded null bytes in URLs”.

However, Rindels said he may try to secure his first CVE with the flaw.

Patching

Embedthis has addressed the vulnerability in GoAhead versions 4.1.4 and 5.1.2. Version 2.2 is not affected.

Embedthis “responded very quickly”, patching the flaw on April 5, four days after it was reported, said Rindels.

The vendor says GoAhead is the world’s most popular embedded web server and is used to host “dynamic embedded web applications via an event driven, single-threaded core” within medical devices, networking equipment, and factory automation systems, among other devices.
