Exploit requires additional vulnerability or device misconfiguration
UPDATE Embedthis fixed a null byte injection vulnerability in GoAhead, the embedded web server deployed on hundreds of millions of devices.
“A specially crafted URL with an embedded character before the extension may result in an incorrect file being served with a truncated filename,” reads a security advisory on GitHub documenting the bug.
Citing the hypothetical URL https://example.com/example%00.html, the notice states that “the is decoded to be a NULL”, causing the file manager to serve “example” instead of “example.html”.
As a result, “remote attackers could access documents whose names are strict subsets of more valid URLs.”
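The mechanism the advisory describes is the classic C-string truncation: once a percent-decoder writes the decoded 0x00 byte into a buffer, every later consumer that calls strlen(), strrchr() or open() on that buffer sees only the prefix, so both the file that is looked up and the extension used to pick a handler come from the truncated name. The following added example (not GoAhead's code; the function names and the route-free decoder are assumptions made for the illustration) shows the vulnerable pattern next to a hardened decoder that compares the decoded byte count with what strlen() reports and rejects any request containing an embedded NUL.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not GoAhead's code: a naive percent-decoder that writes
 * decoded bytes into a buffer, as a C web server commonly does. A %00 in the
 * input becomes a literal 0 byte in the output. Returns the number of bytes
 * decoded (the buffer is also NUL-terminated), or -1 on a malformed escape or
 * insufficient space. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

int url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    while (*src) {
        int byte;
        if (*src == '%') {
            int hi = hexval(src[1]);
            int lo = (hi >= 0) ? hexval(src[2]) : -1;
            if (lo < 0) return -1;          /* malformed escape */
            byte = (hi << 4) | lo;
            src += 3;
        } else {
            byte = (unsigned char)*src++;
        }
        if (n + 1 >= dstlen) return -1;     /* leave room for the terminator */
        dst[n++] = (char)byte;
    }
    dst[n] = '\0';
    return (int)n;
}

/* The vulnerable pattern: treat the decoded buffer as a C string. Everything
 * after the embedded NUL (".html") is invisible, so the path that is opened
 * and the extension that selects the handler are both taken from the
 * truncated prefix. Returns the extension (including the dot) or "" if none. */
const char *extension_of(const char *path)
{
    const char *slash = strrchr(path, '/');
    const char *dot = strrchr(slash ? slash : path, '.');
    return dot ? dot : "";
}

/* Hardened variant: a decoded length that disagrees with strlen() means an
 * embedded NUL; reject the request instead of serving the truncated name.
 * Returns 0 on success, -1 when the request must be refused. */
int safe_decode_path(const char *src, char *dst, size_t dstlen)
{
    int n = url_decode(src, dst, dstlen);
    if (n < 0) return -1;
    if ((size_t)n != strlen(dst)) {
        dst[0] = '\0';
        return -1;                          /* embedded NUL: reject */
    }
    return 0;
}

int main(void)
{
    char buf[64];
    /* Constructed request path mirroring the advisory's example URL. */
    int n = url_decode("/example%00.html", buf, sizeof buf);
    printf("decoded %d bytes, but strlen sees %zu: path '%s', ext '%s'\n",
           n, strlen(buf), buf, extension_of(buf));
    printf("hardened, with %%00: %s\n",
           safe_decode_path("/example%00.html", buf, sizeof buf) == 0
               ? "accepted" : "rejected");
    printf("hardened, clean URL: %s\n",
           safe_decode_path("/example.html", buf, sizeof buf) == 0
               ? "accepted" : "rejected");
    return 0;
}
```

Run stand-alone, the first line shows the decoder producing 14 bytes while strlen() reports 8, so the file “/example” with no extension is what would be opened and routed; the hardened decoder refuses that request and accepts the clean one. Counting decoded bytes rather than scanning the input for the literal string “%00” is the point: the check also catches alternative encodings that decode to the same byte.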
The advisory nevertheless describes the severity of the bug as “low” because “an exploit requires [either] additional vulnerability via downloaded malicious files” or device misconfigurations.
The flaw was discovered by Luke Rindels, an infosec master’s student at Carnegie Mellon University, during a 2021 PlaidCTF challenge earlier this month that involved manipulating the values of IoT cameras and sensors.
“GoAhead should only send .html files to the JST handler, but the vulnerability allows any file to be sent to the JST handler.”
Although Rindels achieved XSS via a CSP bypass, it was, he conceded, done “using a highly custom and unlikely configuration”.
With the right device configurations and “combined vulnerabilities required – this could cause a DoS or [an attacker to] take unwanted control of the device,” Michael O’Brien, CEO and founder of Embedthis, told The Daily Swig.
Barriers to exploitation
However, real-world exploitation appears to be an unlikely scenario.
The server must be misconfigured to “allow file uploads to a directory that also allows running JST templates”, and a JST template must be uploaded “to a file in the upload directory of the same base name without the extension”, before the file is served via the null-byte URL, explains O’Brien.
But “if an attacker can modify the route configuration, he already has access to the entire server and documents anyway”.
Additionally, the vulnerability “requires a file of the same base name with no extension to be present, i.e. ‘example’ and ‘example.html’. Needless to say, most device manufacturers don’t and [it] would be rather strange to do it on purpose.”
JST expressions are also device-specific, he adds, so source code access is likely required as well.
Find the flaw
Looking for evidence of improper extension parsing during the CTF, Rindels realized that “the request URL must have been decoded, otherwise it couldn’t call with and delimiters,” he recounts in a blog post published yesterday (April 26).
He suspected that a null byte exploit would fail, possibly because “dangerous URL encodings like” would not be allowed or decoded, resulting in an error or “attempt to serve.”
Alternatively, he speculated, “if the is decoded, an extension request will simply be cut off.” There will be no extension and GoAhead will attempt to serve.
Undeterred, he uploaded a snapshot with the name containing , issued a request for , “and to my amazement, the nuncio was there!”
Incidentally, the exploit failed to secure the CTF flag because Chrome blocks “null bytes encoded in URLs”, but could pave the way for Rindels’ first-ever CVE.
Embedthis fixed the vulnerability in GoAhead versions 4.1.4 and 5.1.2. Version 2.2 is not affected.
Embedthis “responded very quickly,” patching the flaw on April 5, four days after it was reported, Rindels said.
In addition to applying the update, O’Brien urges users to serve JST templates only “from directories that do not overlap upload directories. You should NEVER have file uploads in a directory that allows streaming content and processing JST templates”.
The vendor claims GoAhead is the world’s most popular embedded web server, hosting “dynamic embedded web applications via an event-driven, single-threaded core” in medical devices, networking equipment and factory automation systems, among other devices.
This article was updated on April 28 with comments from Embedthis CEO Michael O’Brien.