The security vulnerability identified as CVE-2022-31793 marks a critical oversight in the lightweight web server muhttpd—one which has had repercussions for prominent network devices like Arris NVG and BGW gateways often shipped by ISPs such as AT&T and Frontier. The flaw enables attackers to read arbitrary files from a vulnerable device by exploiting a code error in how the server parses incoming URLs.

What Is muhttpd?

muhttpd is a tiny standalone HTTP server written in C, often chosen for its small resource footprint. It's used in embedded systems, including consumer gateways and routers from vendors like Arris.

Understanding the Flaw

The heart of CVE-2022-31793 is a mishandling of the incoming URL path in the do_request() function in request.c. When serving files, the code *skips the first character* of the requested path. This may seem harmless, but it means that if you ask for "/etc/passwd", and prepend a single character (say, "__/etc/passwd"), the web server strips that first character and ends up serving "/etc/passwd"—a sensitive system file.

What this means:  
Attackers who can reach the web interface could read any file on the filesystem readable by the webserver, just by crafting the request URL slightly.

The Problem in Source Code

Let's take a look at the vulnerable part of request.c in muhttpd versions prior to 1.1.7. Notice the line where the pointer is incremented before use:

```c
void do_request(struct request_info *req) {
    /* ... */
    char *path = req->uri;
    path++; // Here's the trouble
    serve_file(path); // Oops! Now "/foo" => "foo"
}
```

What happens here:
If you request "GET /x/etc/passwd HTTP/1.1", the leading / (or any character) is skipped, so the server turns your request into "etc/passwd". That is now a direct path with no sanitization, so you get the raw file back.

Example Exploit Steps

Let's walk through an attack scenario illustrating how easy this is.

1. The attacker identifies a device running a vulnerable muhttpd (say, via scanning typical ISP IP ranges).

```http
GET /X/etc/passwd HTTP/1.1
```

3. The server strips the first character ('X') and interprets /etc/passwd as the target filepath.
4. The contents of /etc/passwd are returned to the attacker, leaking sensitive information.

Proof of Concept using curl

```bash
curl http://TARGET_IP:PORT/X/etc/passwd
```

You may receive the contents of /etc/passwd—on some devices, this may leak user and system account information, and even firmware or configuration files.

Devices At Risk

Numerous consumer routers from the Arris line (and those based on their software) are affected. These are some of the known models:

- Arris NVG443, NVG599, NVG589, NVG510
- Arris-derived AT&T/Frontier BGW210 and BGW320

These models are often referred to as BGW210-700, BGW320-505, etc.

If your internet provider ships one of these models, it's worth checking with them about the patch status (and whether they handle firmware updates).

- muhttpd PATCHED in 1.1.7: The upstream fix corrects the mishandling by not incrementing the pointer before file serving. Distributions/vendors need to update to 1.1.7 or later.
- ISPs and device vendors need to provide updated firmware that includes the fix.
- If you control a vulnerable device, disable remote administration and ensure only trusted users can reach the management port until patched.

Final Thoughts

CVE-2022-31793 is a textbook example of how a small programming mistake can lead to a big security incident, especially in embedded devices with a massive deployment base and slow update cycles. If you operate or rely on Arris NVG or BGW series routers, check with your provider, or apply your own security controls until an official patch lands.

If you're a developer, always sanitize and validate file paths—and be careful with code like path++! One character may be all it takes for someone to own your box.
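One way to do that validation in C, added here as an example; it is not muhttpd's code or its upstream fix. The function name resolve_request_path() and the /var/www webroot are hypothetical, and the request path is assumed to be URL-decoded already.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not muhttpd's API): map an already URL-decoded
 * request path onto webroot. Returns 0 and fills out on success, -1 when
 * the request must be refused. */
int resolve_request_path(const char *webroot, const char *uri,
                         char *out, size_t outlen)
{
    /* The vulnerable code skipped the first byte without looking at it.
     * Check it instead: a request path must start with '/'. */
    if (uri == NULL || uri[0] != '/')
        return -1;

    /* Drop every leading slash so the remainder can never be absolute. */
    const char *p = uri;
    while (*p == '/')
        p++;

    /* Refuse any ".." segment, wherever it appears in the path. */
    for (const char *seg = p; *seg != '\0'; ) {
        size_t len = strcspn(seg, "/");
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return -1;
        seg += len;
        while (*seg == '/')
            seg++;
    }

    /* Always join onto webroot; refuse if the result would be truncated. */
    int n = snprintf(out, outlen, "%s/%s", webroot, p);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample inputs; the 2nd and 3rd use strings from this page. */
    const char *samples[] = { "/index.html", "/X/etc/passwd", "__/etc/passwd",
                              "//etc/passwd", "/a/../../etc/passwd" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = resolve_request_path("/var/www", samples[i], buf, sizeof buf);
        printf("%-22s -> %s\n", samples[i], rc == 0 ? buf : "REFUSED");
    }
    return 0;
}
```

The check is purely lexical: it does not follow symlinks, so a server that allows symlinks under its webroot would also compare the realpath() of the result against the webroot before opening the file.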

Timeline

Published on: 08/04/2022 22:15:00 UTC
Last modified on: 08/11/2022 18:07:00 UTC