Date: Wed, 12 Dec 2018 16:27:02 +0100
From: Salva Peiró <speirofr@...il.com>
To: oss-security@...ts.openwall.com
Cc: security@...ian.org
Subject: CVE Request: mini-httpd (<= v1.30) is affected by a response discrepancy information exposure (CWE-204)

Hi everyone,

The mini-httpd daemon (version <= v1.30), upstream at [1] and shipped in
Debian/Ubuntu, is affected by a response discrepancy information exposure
(CWE-204) that enables a remote attacker to enumerate valid htpasswd
usernames (HTTP Basic authentication, RFC 7617).

A more detailed advisory can be found at:
https://speirofr.appspot.com/files/advisory/SPADV-2018-01.md
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916190

Is there a CVE for this? If not, could one be assigned, please?

[1] http://www.acme.com/software/mini_httpd/

Best Regards,
--
Salva Peiró. Software Engineer
https://speirofr.appspot.com

##  Description

Requesting an .htpasswd-protected URL with a valid username but an empty
password (e.g. the credentials "user:" in the Basic authorization header,
RFC 7617) causes mini-httpd to terminate unexpectedly.

~~~
user@box $ curl http://user:@127.0.0.1:8000/auth/
curl: (52) Empty reply from server
~~~

The cause is a NULL pointer dereference at mini_httpd.c:2407: the return
value of crypt() is passed to strcmp() without being checked. Because this
path is only reached when the username exists in the htpasswd file, the
server's response differs between valid and invalid usernames, which allows
a remote attacker to enumerate valid htpasswd usernames (RFC 7617).
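As an added example (not code from the advisory or from mini_httpd), the unguarded and guarded password checks side by side; a constructed toy_crypt stands in for crypt(3) so the file builds without -lcrypt, and the "$x$" setting prefix and the stored hash "absecret" are constructed inputs:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* crypt(3) is injected so the example builds and runs without -lcrypt. */
typedef char *(*crypt_fn)(const char *key, const char *setting);
enum auth_result { AUTH_OK = 0, AUTH_FAIL = 1 };

/* Constructed stand-in for crypt(3): a toy "hash" made of the two-character
 * salt followed by the key.  Like the real crypt(), it returns NULL and sets
 * errno when it cannot handle the setting string ("$x$..." here). */
static char *toy_crypt(const char *key, const char *setting)
{
    static char out[128];
    if (strncmp(setting, "$x$", 3) == 0) {
        errno = EINVAL;
        return NULL;
    }
    snprintf(out, sizeof out, "%.2s%s", setting, key);
    return out;
}

/* Before the patch: the result of crypt() goes straight into strcmp(), so a
 * NULL return dereferences a null pointer and the worker process dies. */
static enum auth_result check_unsafe(crypt_fn cr, const char *authpass,
                                     const char *cryp)
{
    return strcmp(cr(authpass, cryp), cryp) == 0 ? AUTH_OK : AUTH_FAIL;
}

/* After the patch: a NULL result is treated exactly like a wrong password,
 * so a valid username no longer yields a different (dropped) response. */
static enum auth_result check_safe(crypt_fn cr, const char *authpass,
                                   const char *cryp)
{
    char *cryptpass = cr(authpass, cryp);
    if (cryptpass != NULL && strcmp(cryptpass, cryp) == 0)
        return AUTH_OK;
    return AUTH_FAIL;
}

int main(void)
{
    const char *stored = "absecret";   /* toy hash: salt "ab" + "secret" */
    printf("right password: %d\n", check_safe(toy_crypt, "secret", stored));
    printf("empty password: %d\n", check_safe(toy_crypt, "", stored));
    printf("crypt() fails:  %d\n", check_safe(toy_crypt, "", "$x$stored"));
    /* check_unsafe(toy_crypt, "", "$x$stored") would crash; kept for contrast */
    return 0;
}
```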

## Proposed Fix

~~~
From 62eff179b34cd1435017438ab99ed1906b6cc6c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr@...il.com>
Date: Wed, 5 Dec 2018 18:46:46 +0100
Subject: [PATCH] Fix NULL pointer dereference at mini_httpd.c:2407
(SPADV-2018-01)

---
 mini_httpd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mini_httpd.c b/mini_httpd.c
index 03d0cdd..77f030f 100644
--- a/mini_httpd.c
+++ b/mini_httpd.c
@@ -2404,7 +2404,8 @@ auth_check( char* dirname )
         /* Yes. */
         (void) fclose( fp );
         /* So is the password right? */
-        if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )
+        char *cryptpass = crypt( authpass, cryp );
+        if ((cryptpass != NULL) && (strcmp(cryptpass, cryp ) == 0) )
         {
         /* Ok! */
         remoteuser = line;
--
2.11.0
~~~
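Review bot: the NULL guard on the `+` lines closes the crash, but `char *cryptpass` is declared in the middle of the block, after `(void) fclose( fp );`, which is a C99 mixed declaration in a file otherwise written in older C style; suggest hoisting the declaration to the top of the block. The new `if ((cryptpass != NULL) && (strcmp(cryptpass, cryp ) == 0) )` also drops the file's `strcmp( a, b )` spacing seen on the removed line. Since every other step in this block carries a one-line comment (`/* So is the password right? */`), a short comment stating that crypt() can return NULL and that this case is deliberately treated like a wrong password would document why the guard is there; with the guard, a NULL result and a mismatching password take the same path, which is what removes the response difference described above.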

## Versions affected

All versions of mini-httpd up to and including v1.30:
http://www.acme.com/software/mini_httpd/

Debian: https://packages.debian.org/stretch/mini-httpd
Ubuntu: https://launchpad.net/ubuntu/+source/mini-httpd
