Advisory: mini-httpd daemon (<= v1.30) robustness bug handling unsupported crypt(3) htpasswd hashes

Advisory ID: SPADV2018-01
Revision: 0.1
Release Date: 2018/12/05
Last Modified: 2018/14/05
Date Reported: 2018/12/05
Author: Salva Peiró (speiro.fr at gmail.com)
Affected Software: mini_httpd-1.30
Remotely Exploitable: Yes
Locally Exploitable: Yes
Vendor URL: http://www.acme.com/software/mini_httpd/
Vendor Status: Vendor has been notified

Vulnerability details
=====================

SPOILER ALERT: After a detailed analysis, this turned out to be a robustness bug handling an htpasswd file with an unsupported crypt(3) hash; see the discussion at [2].

The mini-httpd daemon (version <= v1.30) contains a NULL pointer dereference that leads to a response discrepancy information exposure (CWE-204), which allows a remote attacker to enumerate valid authentication users (RFC 7617).

Note that mini-httpd and thttpd share the code that performs HTTP basic authentication (RFC 7617); therefore, the CWE-204 weakness detailed below also affects thttpd (version <= v2.29), http://www.acme.com/software/thttpd/.

Technical Details
=================

Consider the scenario below, where mini-httpd protects access to the /auth/ directory with an .htpasswd file that grants the username "user" access to the /auth/ directory:

~~~
user@box $ curl http://user:@127.0.0.1:8000/auth/
curl: (52) Empty reply from server
user@box $
~~~

When the basic authentication string "user:pass" consists only of the user part without the password part, i.e. "user:", then authpass at mini_httpd.c:2372 becomes the empty string "". When the empty string is passed to crypt(3), it returns a NULL pointer. That NULL pointer is later dereferenced by the strcmp(3) call at mini_httpd.c:2407, causing an invalid memory access that triggers a SIGSEGV and kills the forked process.
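To make the failure mode concrete, here is an added example (not mini_httpd's code) that reimplements the htpasswd lookup loop of auth_check() with the NULL check that the patch in the Solution section introduces. Because crypt(3) lives in a separate library, the hash function is passed in as a pointer and a constructed stand-in, fake_crypt, is used in place of the real crypt(3): like crypt(3) faced with a hash format it does not know, it returns NULL for any setting that does not start with "$6$". The htpasswd contents (SAMPLE_HTPASSWD, users alice and bob) are constructed for the example. Unknown user, unsupported hash and wrong password all produce the same AUTH_DENIED result, so the caller can answer all three with the same 401 and the response no longer reveals which usernames exist.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not mini_httpd's code. The hash function is a parameter so
 * that the real crypt(3) can be plugged in when linking with -lcrypt; here a
 * constructed stand-in (fake_crypt) is used so the file builds without it. */
typedef const char *(*hash_fn)(const char *key, const char *setting);

enum auth_result { AUTH_OK = 0, AUTH_DENIED = 1 };

/* Constructed stand-in for crypt(3). Like crypt(3) given a hash format it does
 * not support, it returns NULL for any setting that does not start with "$6$";
 * for a supported setting it returns "$6$" followed by the key, which is
 * enough to exercise the comparison logic (it is not a real hash). */
static const char *fake_crypt(const char *key, const char *setting)
{
    static char out[128];

    if (strncmp(setting, "$6$", 3) != 0)
        return NULL;                      /* unsupported hash format */
    snprintf(out, sizeof out, "$6$%s", key);
    return out;
}

/* Mirrors the loop in auth_check(): walk the htpasswd text line by line,
 * find the line whose user matches, then compare the hashes. Every failure
 * (unknown user, unsupported hash, wrong password) yields the same result,
 * so the caller sends the same 401 response in all three cases. */
static enum auth_result check_htpasswd(const char *htpasswd, const char *user,
                                       const char *authpass, hash_fn hash)
{
    const char *p = htpasswd;
    char line[256];

    while (*p != '\0') {
        size_t len = strcspn(p, "\n");
        size_t copy = len < sizeof line - 1 ? len : sizeof line - 1;
        char *colon;
        const char *cryp, *cryptpass;

        memcpy(line, p, copy);
        line[copy] = '\0';
        p += len;
        if (*p == '\n')
            p++;

        colon = strchr(line, ':');
        if (colon == NULL)
            continue;                     /* malformed line, skip it */
        *colon = '\0';
        cryp = colon + 1;
        if (strcmp(line, user) != 0)
            continue;

        /* The advisory's fix: crypt(3) may return NULL, so check the result
         * before handing it to strcmp(3). */
        cryptpass = hash(authpass, cryp);
        if (cryptpass != NULL && strcmp(cryptpass, cryp) == 0)
            return AUTH_OK;
        return AUTH_DENIED;
    }
    return AUTH_DENIED;
}

/* Constructed htpasswd contents: one entry in a format the stand-in supports
 * and one in a format it does not (the case that crashed the unpatched server). */
static const char SAMPLE_HTPASSWD[] =
    "alice:$6$secret\n"
    "bob:$unsupported$abc\n";

int main(void)
{
    printf("alice/secret: %d\n", check_htpasswd(SAMPLE_HTPASSWD, "alice", "secret", fake_crypt));
    printf("alice/<empty>: %d\n", check_htpasswd(SAMPLE_HTPASSWD, "alice", "", fake_crypt));
    printf("bob/<empty>:   %d\n", check_htpasswd(SAMPLE_HTPASSWD, "bob", "", fake_crypt));
    printf("carol/x:       %d\n", check_htpasswd(SAMPLE_HTPASSWD, "carol", "x", fake_crypt));
    return 0;
}
```

Without the `cryptpass != NULL` test, the bob lookup would pass NULL to strcmp(3) and crash the forked child, which is exactly the observable difference the advisory describes; with it, bob and carol are indistinguishable from the outside.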
The NULL pointer dereference is a bug in itself that causes the forked mini_httpd child serving the connection to terminate unexpectedly with a SIGSEGV. However, an interesting takeaway is that, from a remote attacker's point of view, this leads to a different response from the mini_httpd daemon, which can be exploited to enumerate valid usernames. For example, given a string of the form "user:", two things can happen:

- The "user" is not defined in the .htpasswd file: mini_httpd answers with HTTP "401 Unauthorized".
- The "user" is defined in the .htpasswd file: mini_httpd segfaults and terminates the connection.

This difference in behaviour makes it possible to enumerate the valid users defined in the htpasswd file.

The problem is the missing check of the encrypted password returned by crypt(3): the code does not consider the case where crypt(3) returns a NULL pointer. The fix consists in checking the crypt(3) return value for NULL:

~~~
2406 /* So is the password right? */
2407 if (strcmp(crypt( authpass, cryp ), cryp ) == 0)
2408 {
2409 /* Ok! */
~~~

With the crypt(3) return value checked for NULL, the mini-httpd daemon properly handles the case where the authentication is in the "user:" form and no longer lets a remote attacker enumerate valid authentication usernames (CWE-204).

Solution
========

Apply the proposed fixes, contained in the patch below, to mini-httpd/thttpd.

~~~
From 62eff179b34cd1435017438ab99ed1906b6cc6c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Salva=20Peir=C3=B3?=
Date: Wed, 5 Dec 2018 18:46:46 +0100
Subject: [PATCH] Fix NULL pointer dereference at mini_httpd.c:2407 (SPADV-2018-01)

---
 mini_httpd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mini_httpd.c b/mini_httpd.c
index 03d0cdd..77f030f 100644
--- a/mini_httpd.c
+++ b/mini_httpd.c
@@ -2404,7 +2404,8 @@ auth_check( char* dirname )
     /* Yes. */
     (void) fclose( fp );
     /* So is the password right? */
-    if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )
+    char *cryptpass = crypt( authpass, cryp );
+    if ((cryptpass != NULL) && (strcmp(cryptpass, cryp ) == 0) )
         {
         /* Ok! */
         remoteuser = line;
--
2.11.0
~~~

Affected versions
=================

All versions of mini-httpd up to and including v1.30: http://www.acme.com/software/mini_httpd/
All versions of thttpd up to and including v2.29: http://www.acme.com/software/thttpd/

Debian: https://packages.debian.org/stretch/mini-httpd (mini-httpd version 1.23-1.2)
Ubuntu: https://launchpad.net/ubuntu/+source/mini-httpd (mini-httpd version 1.23-1.2)

History
=======

2018/12/05 - Author notified of the security issue [1].
2018/12/05 - Debian maintainer notified [1].
2018/12/13 - oss-security notified [2].

Credits
=======

Vulnerability found and advisory written by Salva Peiró.

References
==========

[1] https://speirofr.appspot.com/files/advisory/SPADV-2018-01.md
[2] https://www.openwall.com/lists/oss-security/2018/12/13/7

Changes
=======

Revision 0.1 - Initial draft release to the vendor.
Revision 0.2 - Update to reflect that this is a robustness bug after discussion at [2]. The initial advisory was: "mini-httpd affected by a response discrepancy information exposure (CWE-204)".

Disclaimer
==========

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Copyright 2018 Salva Peiró. All rights reserved.
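Review bot: the added line `+ char *cryptpass = crypt( authpass, cryp );` in the auth_check() hunk of the Solution patch declares a variable after statements in the same block, which the surrounding mini_httpd.c code style avoids and which C89-only compilers reject; declare `cryptpass` with the other locals at the top of auth_check() and only assign it here. Also consider logging the case where crypt() returns NULL before falling through to the 401, so an administrator can tell that an htpasswd entry uses a hash format crypt(3) does not support; a silent 401 is indistinguishable from a wrong password, which is the robustness issue the revised advisory title describes.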