Security researcher Derek Abdine has published an advisory about vulnerabilities that exist in the MIT-licensed muhttpd web server. This web server is present in Arris firmware which can be found in several router models.
muhttpd web server
muhttpd (mu HTTP deamon) is a simple but complete web server written in portable ANSI C. It has three major goals: Be simple, be portable, and be secure. Simplicity was the main goal for muhttpd, but because of its simplicity and broad use, it also must prioritize security.
ISP customer premise equipment (CPE) often uses this web server, and ISP subscribers will typically get these routers in loan for telephony and Internet access.
Path traversal
A path traversal attack aims to access files and directories stored outside the web root folder. These attacks are sometimes referred to as dot-dot-slash attacks since they manipulate variables that reference files with “dot-dot-slash (../)” sequences and variations of them to access arbitrary files and directories.
The muhttpd server 1.1.5 (last official release 2010) has a path traversal vulnerability. The latest release of muhttpd is version 1.1.7 (released June 1, 2022). Unfortunately the Arris firmware is based on the vulnerable version of muhttpd.
Vulnerabilities
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Derek Abdine found several vulnerabilities, one of which is:
CVE-2022-31793: Path traversal from the filesystem root. Simply prepending a single character that is not a dot (“.”), forward slash (“/”) or question mark (“?”) before the requested path is sufficient to obtain any regular file on the device. This vulnerability allows an unauthenticated remote attacker (in cases where remote administration is enabled) or any local (LAN) party to obtain:
- The contents of the md5crypt (salted/hashed) passwords in /etc/passwd.
- The SSID and plaintext password of the 2G and 5G Wi-Fi networks broadcast by the device.
- The usernames and (sometimes encrypted) passwords of all administration accounts on the system.
- Configuration information including the TR-069 protocol in use by an internet service provider (ISP).
- Session Initiation Protocol (SIP) usernames (phone numbers) and passwords, including SIP endpoint URLs.
- Port forwarding configuration information.
- Other sensitive network information, such as established TCP connections.
- Various system and firewall logs.
- A complete list of the LAN IP address, hostname, MAC, uptime, and device characteristics such as the operating system and known applications of every device on the LAN.
- The router serial number.
- The certificate and private key for the web management portal.
- Router process information.
Other vulnerabilities
The researcher found two more vulnerabilities which are not so easy to exploit:
NULL pointer dereference: The muhttpd server receives HTTP requests on a non-blocking socket. Socket connections are accepted and fed to a forked process to execute. When data is received, the server reads in a loop until a sequence of two carriage return/newline characters are received. Processing is then handed off to another method which attempts to parse the request method. Injecting a NULL byte into the request steam will cause the request process (forked from the server process) to segfault. A segmentation fault (aka segfault) is a common condition that causes programs to crash.
Buffer over-read when defanging URLs: The muhttpd server contains a buffer over-read when dealing with percent-encoded values. When encountering a percent “%” in the URL, the server attempts to decode the next two characters without checking the bounds. As a result, if the URL consists of “%” with no following characters, the decode_url function will read past the URL data and into the parts of the request buffer containing the HTTP protocol version string. While not practically exploitable, safeguards should be made to prevent accessing unintended address space.
Affected devices
The affected muhttpd server is used in fiber and DSL-based Arris router products (NVG), as well as whitelabel/OEM products by other vendors. Internet Service Providers (ISPs) around the world typically loan these routers out to their collective millions of subscribers. In 2017 for example, experts discovered easily exploitable flaws in Arris modems distributed by AT&T.
Arris router models that were found to be vulnerable are NVG443, NVG599, NVG589, NVG510, as well as ISP-customized variants such as BGW210 and BGW320. Please note that Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05, and SBR-AC1200P 1.0.5-B05 are vulnerable to another vulnerability listed as CVE-2022-26992 which allows attackers to execute arbitrary commands via a crafted request.
Internet searches revealed 19,000 vulnerable routers directly connected to the internet. The owners were informed and most of the devices have been patched by now. Both Arris and muhttpd have issued patched versions but since the firmware is widespread and every ISP manages their own firmware updates independently, it’s likely that this issue will persist for years.
Mitigation
At the moment there are no reports of these vulnerabilities being used in the wild, but now that the vulnerabilities are known and proof of concept code is available, it might only be a matter of time until an attack is carried out.
If your router uses a vulnerable version of muhttpd you are advised to disable remote administration since that limits exploitability of the vulnerabilities to LAN attacks. Also, either get a patched version as soon as possible or replace the device.