CVE-2022-31793 is a security vulnerability affecting multiple Arris devices that run the muhttpd web server. A remote attacker can use a specially crafted URL to read arbitrary files from the device's filesystem. This article explains the vulnerability, shows the affected code pattern, describes how it can be exploited, and lists the original references for the issue. The flaw affects the Arris NVG443, NVG599, NVG589 and NVG510, as well as the Arris-derived BGW210 and BGW320 devices.

Details

The vulnerability lies in the 'do_request()' function in the 'request.c' file of muhttpd, a popular lightweight web server; versions prior to 1.1.7 are affected. When serving a file, the code skips over the first character of the requested URL and uses the remainder as the filename without further validation. As a result, an attacker can read arbitrary files on the server.

Here is the vulnerable code pattern in 'do_request()':

static void do_request(struct MHD_Connection *connection,
                       const char *url, const char *method,
                       const char *upload_data,
                       size_t *upload_data_size, struct Session *session) {
  struct MHD_Response *response;
  int ret;
  FILE *file;
  const char *x;
  x = &url[1]; // Skip the first character of the URL; the remainder is used as the filename with no path validation
  file = NULL;

  file = fopen(x, "rb"); // Open the requested file read-only in binary mode
  if (file) {
    ...
  }
  ...
}

Exploit Details

To exploit this vulnerability, a remote attacker crafts a URL with a single character placed before the desired filesystem path. For example, the attacker may use a URL like this:

http://TARGET_IP_ADDRESS/a/../etc/passwd

Here, 'a' is the single character placed before the desired path. Because the code skips the first character of the URL, the resulting path becomes:

../etc/passwd

With the first character skipped, this path bypasses the server's path restrictions and lets the attacker read arbitrary files on the server.
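The following C program is an added example; it is neither muhttpd's code nor the snippet shown above. It places the page's vulnerable pattern (drop the first byte of the URL and hand the rest to fopen()) beside a hardened resolver that requires a leading '/', percent-decodes the path, rejects encoded NUL bytes and malformed escapes, and normalizes '.' and '..' so that no request can climb above the document root. It covers both the code in the Details section and the traversal URL described above. The document root /var/www and all sample URLs are constructed values for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not muhttpd's code. Contrasts the page's vulnerable pattern
 * (skip one byte of the URL, pass the rest to fopen()) with a lexical resolver
 * that confines every request to a document root. Docroot and URLs below are
 * constructed values.
 */

#define MAX_SEGMENTS 256

/* The page's pattern: drop the first byte and use the remainder verbatim.
 * Nothing checks that the URL starts with '/' or contains "..". */
const char *vulnerable_path(const char *url) {
    return &url[1];
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode the first inlen bytes of in. Rejects malformed escapes and an
 * encoded NUL, which would silently truncate the name that fopen() sees. */
static int percent_decode(const char *in, size_t inlen, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            if (i + 2 >= inlen) return -1;
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == 0 || o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Resolve url to a path under docroot. Returns 0 and fills out on success,
 * -1 if the request is rejected. Purely lexical: it does not follow symlinks,
 * so a real server should additionally verify the opened file with realpath(). */
int safe_path(const char *docroot, const char *url, char *out, size_t outlen) {
    char decoded[1024];
    const char *seg[MAX_SEGMENTS];
    size_t seglen[MAX_SEGMENTS];
    int n = 0;

    /* A request path must start with '/'; never "skip one byte" and hope. */
    if (url == NULL || url[0] != '/') return -1;

    /* Decode only the path part; a query string is not part of the filename. */
    if (percent_decode(url, strcspn(url, "?"), decoded, sizeof decoded) != 0) return -1;

    /* Walk the segments: drop "" and ".", pop on "..", and refuse any ".."
     * that would climb above the root instead of silently clamping it. */
    for (char *p = decoded + 1; *p != '\0';) {
        char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (n == 0) return -1;
            n--;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            if (n >= MAX_SEGMENTS) return -1;
            seg[n] = p;
            seglen[n] = len;
            n++;
        }
        p = slash ? slash + 1 : p + len;
    }

    /* Rebuild the path from the document root down, with bounds checks. */
    size_t used = strlen(docroot);
    if (used >= outlen) return -1;
    memcpy(out, docroot, used);
    for (int i = 0; i < n; i++) {
        if (used + 1 + seglen[i] >= outlen) return -1;
        out[used++] = '/';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 0;
}

/* Convenience wrapper for the demo: NULL means the request was rejected. */
const char *resolve_or_null(const char *docroot, const char *url) {
    static char buf[2048];
    return safe_path(docroot, url, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    const char *urls[] = { "/index.html", "/a/../etc/passwd", "/../etc/passwd",
                           "/%2e%2e/etc/passwd", "/foo%00.txt", "etc/passwd" };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        const char *r = resolve_or_null("/var/www", urls[i]);
        printf("%-20s vulnerable -> %-18s hardened -> %s\n",
               urls[i], vulnerable_path(urls[i]), r ? r : "REJECTED");
    }
    return 0;
}
```

Compile with a C99 compiler and run it: for each sample URL it prints what the vulnerable pattern would hand to fopen() next to what the hardened resolver returns. A '..' inside the tree (such as /a/../etc/passwd) stays confined to /var/www/etc/passwd, while a '..' that would leave the root, an encoded traversal, an encoded NUL, or a path without a leading slash is rejected outright. The resolver is lexical only, so a production server should still confirm with realpath() that the opened file sits under the document root; for the affected devices, upgrading to muhttpd 1.1.7 or later remains the actual fix.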

Original reference for the issue:

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31793

For more information on the muhttpd web server, see the official GitHub repository:

- https://github.com/realies/muhttpd

Conclusion

CVE-2022-31793 is a critical security vulnerability affecting multiple Arris devices running the muhttpd web server. By exploiting this issue, remote attackers can read arbitrary files on the affected devices. It is highly recommended to update muhttpd to version 1.1.7 or later. If you have not already done so, apply the patch for this vulnerability as soon as possible to protect your devices and networks.

Timeline

Published on: 08/04/2022 22:15:00 UTC
Last modified on: 08/11/2022 18:07:00 UTC