Hi
After executing my fuzz tests, I discovered a remote stack buffer overflow in the C version of MicroHttpServer in the function uint8_t _ReadStaticFiles(HTTPReqMessage *req, HTTPResMessage *res) at lib/middleware.c, line 67:
MicroHttpServer/c-version/lib/middleware.c
Line 67 in 4398570
Any server or embedded application that utilizes MicroHttpServer is potentially at risk of remote code execution. I've included reproduction steps in the following sections.
Makefile Modifications
The following modifications were made to the Makefile to compile the server with address sanitizer and debug symbols. The purpose of this is to track and verify the location of the stack buffer overflow:
Proof of Concept Python3 Script
Save the following script to a file named poc.py:
Starting MicroHttpServer
Execute our Python3 Script
Address Sanitizer Output
The following output is produced by address sanitizer, confirming the existence of the stack buffer overflow:
Impact
Mitigation
The issue here is that memcpy is copying the value of 'uri' to 'path+strlen(STATIC_FILE_FOLDER)', but the size of the uri is larger than the destination buffer.
Buffer overflow vulnerability:
This can be modified to prevent a buffer overflow:
References
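A bounds-checked form of the copy described under Mitigation, as an added example that is not part of the original issue and is not MicroHttpServer's own code. The helper name `build_static_path`, the `PATH_BUF_SIZE` constant, the value given to `STATIC_FILE_FOLDER`, and the assumption that `uri` is a NUL-terminated string are all illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for illustration; the project's real definitions may differ. */
#define STATIC_FILE_FOLDER "static/"
#define PATH_BUF_SIZE 128

/*
 * Hypothetical helper: build "<STATIC_FILE_FOLDER><uri>" in `path`.
 * Returns 1 on success, 0 if the result plus its NUL terminator would not
 * fit, so the caller can reject the request instead of writing past `path`.
 *
 * The pattern the report describes is the same copy with no length check:
 *     memcpy(path + strlen(STATIC_FILE_FOLDER), uri, strlen(uri));
 */
static uint8_t build_static_path(char *path, size_t path_size, const char *uri)
{
    const size_t prefix_len = strlen(STATIC_FILE_FOLDER);

    if (path == NULL || uri == NULL || path_size <= prefix_len)
        return 0;

    /* Space left after the prefix, including one byte for the terminator. */
    const size_t room = path_size - prefix_len;
    const size_t uri_len = strlen(uri);   /* assumes uri is NUL-terminated */

    /* Compare against `room` rather than adding lengths, so the check
     * itself cannot wrap around. */
    if (uri_len >= room)
        return 0;

    memcpy(path, STATIC_FILE_FOLDER, prefix_len);
    memcpy(path + prefix_len, uri, uri_len);
    path[prefix_len + uri_len] = '\0';
    return 1;
}

int main(void)
{
    char path[PATH_BUF_SIZE];
    char long_uri[512];                   /* constructed oversized input */
    memset(long_uri, 'A', sizeof long_uri - 1);
    long_uri[sizeof long_uri - 1] = '\0';

    printf("short uri accepted: %d\n", build_static_path(path, sizeof path, "index.html"));
    printf("long uri accepted:  %d\n", build_static_path(path, sizeof path, long_uri));
    return 0;
}
```

Built with the same address sanitizer flags the report uses, the oversized request is rejected before any write to `path` takes place.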