Month: April 2021

Exploitation requires additional vulnerability or device misconfiguration

UPDATE Embedthis fixed a null byte injection vulnerability in GoAhead, the embedded web server deployed in hundreds of millions of devices.

“A specially crafted URL with an embedded character before the extension can result in an incorrect file with a truncated filename serving,” read a security advisory on GitHub documenting the bug.

Quoting the hypothetical URL https://example.com/example%00.html, the notice states that “the is decoded to be NULL”, causing the file manager to serve as “example” instead of ” example.html ”.

As a result, “remote attackers could access documents whose names are strict subsets of longer valid URLs.”

The advisory nonetheless describes the severity of the bug as “low” because “an exploit requires [either] additional vulnerability via downloaded malicious files ”or device configuration errors.

“Unlikely configuration”

The fault was discovered by Luc Rindel, infosec master’s student at Carnegie Mellon University, during a 2021 PlaidCTF challenge earlier this month that involved manipulating the values ​​of the camera and IoT sensor.

“The vulnerability abuses the mismatch between the scan of the route extension and the decoded filename to trick GoAhead into believing that a file should be sent to the JST [JavaScript Template] manager even if it has an incorrect extension, ”says Rindels The daily sip.

“GoAhead should only send .html files to the JST manager, but the vulnerability allows any file to be sent to the JST manager.”

While Rindels achieved XSS via a CSP bypass, it was done, he conceded, “using a highly personalized and unlikely setup.”

With the correct incorrect device configurations and ‘combined vulnerabilities required – this could cause a DoS or [an attacker to] take unwanted control of the device, ”said Michael O’Brien, CEO and founder of Embedthis. The daily sip.

Obstacles to exploitation

However, real-world exploitation appears to be an unlikely scenario.

The server must be misconfigured to “allow file downloads to a directory that can also run JST templates” and a JST template must be uploaded “to a file in the download directory of the same base name without the extension, ”before the file is served with it, O’Brien explains.

But “if an attacker can modify the configuration of the route, he already has access to the whole server and documents anyway”.

Keep up to date with the latest infosec research news

Additionally, the vulnerability “requires that a file with the same base name without an extension be present.” i.e. ‘example’ and example.html. Needless to say, most device manufacturers don’t and [it] It would be rather strange to do it on purpose.

JST expressions are also device-specific, he adds, so source code access is likely required as well.

Find the loophole

While looking for evidence of an incorrect extension analysis during CTF, Rindels realized that “the request URL must have been decoded, otherwise it couldn’t call with and delimiters,” Rindels says in a blog post published yesterday (April 26).

He suspected that a null byte exploit would fail, perhaps because “dangerous URL encodings like” would not be allowed or decoded, resulting in an error or an “attempt to serve.”

Alternatively, he speculated, “if the is decoded, in an extension request will simply be cut. There will be no overtime and GoAhead will attempt to serve.”

Undeterred, he downloaded a snapshot with the name containing, issued a request for, “and to my amazement the nuncio was there!”

Incidentally, the exploit failed to secure the CTF flag because Chrome blocks “URL encoded null bytes” but could pave the way for Rindels’ very first CVE.

Patching, attenuation

Embedthis fixed the vulnerability in GoAhead versions 4.1.4 and 5.1.2. Version 2.2 is not affected.

Embedthis “responded very quickly,” correcting the flaw on April 5, four days after it was reported, Rindels said.

In addition to applying the update, O’Brien urges users to avoid serving JST templates “from directories that do not overlap with download directories.” You should NEVER upload files to a directory that allows content to be served and JST models to be processed ”.

Vendor Says GoAhead is the World’s Most Popular Embedded Web Server, Hosting “Dynamic Embedded Web Applications Through a Single-Threaded, Event-Driven Kernel” in medical devices, network equipment and automation systems factory, among other devices.

This article was updated on April 28 with comments from Embedthis CEO Michael O’Brien.

DON’T FORGET TO READ Pwn2Own 2021: Zoom exploit without click among winners as payout record was broken

Go is an exciting programming language for building modern web applications as well as system software. It swept the tech industry upon its release and powers services like Docker, Kubernetes, Terraform, Dropbox, and Netflix.

Plus, Go’s solid collection of built-in packages make it a great choice for web programming. This article will teach you how to write a basic web server in Go.

Importing the necessary packages

The net / HTTP package provides everything needed to create web servers and clients. This package exposes several useful functions for handling web programming.

You can import it by adding the line below at the top of your source code:

import "net/http"

We will also use the fmt package for formatting strings and Newspaper package to handle errors. You can either import them individually as shown above, or factor all packages using a single import statement:

import (
"fmt"
"log"
"net/http"
)

You can proceed to write the main function after importing the required packages. Go ahead and save the source file with a .go extension. If you are using Vim, use the command below to save and exit Vim:

:wq server.go

Writing the main function

Go programs live in the main function, aptly named “main”. You will need to implement the server call here. Add the following lines to your source code and see what they do:

func main() {
http.HandleFunc("https://www.makeuseof.com/", index)
log.Fatal(http.ListenAndServe(":8080", nil))
}

We define the main function using the function keyword. Go has strict rules regarding the placement of the opening splint, so make sure the starting splint is on the correct line. The first statement in main defines that all web requests arriving at root (“https://www.makeuseof.com/”) the path will be managed by index, a function of the type http.HandlerFunc.

The second line starts the web server through the http.ListenAndServe function. It signals the server to constantly listen for incoming HTTP requests on port 8080 of the host machine. The second parameter of this function is necessary to block the program until the end.

Since http.ListenAndServe always returns an error, we wrap this call in a log.Fatal call. This statement logs all error messages generated on the server side.

Implementing the manager function

As you can see, the main function calls the index of the manager’s function to process customer requests. However, we have not yet defined this function for our server.

Let’s add the instructions needed to make the index function usable:

func index(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hi there, welcome to %s!", r.URL.Path[1:])
}

This function takes two different arguments of type http.ResponseWriter and http.Query. The http.ResponseWriter parameter contains the server’s response to the incoming request, which is in the form of an http.Request object.

The Fprintf function of the fmt package is used to display and manipulate text strings. We use it to display the server response to our web requests. Finally, the r.URL.Path[1:] The component is used to retrieve data that comes after the root path.

Add all parts together

Your Go web server should be ready once you’ve added everything together. The code should look like the following:

package main
import (
"fmt"
"log"
"net/http"
)
func index(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hi there, welcome to %s!", r.URL.Path[1:])
}
func main() {
http.HandleFunc("https://www.makeuseof.com/", index)
log.Fatal(http.ListenAndServe(":8080", nil))
}

The first line is required to compile this Go web server code as an executable file.

Create web servers with Go

Go’s robust library packages make web programming easy for beginners. You can quickly develop simple web servers with just a few lines of code.

In addition, the powerful testing features of this programming language also facilitate the implementation of Agile programming methodologies. It is a group of software development strategies based on iterative development and extensive collaboration between teams.

Read more

About the Author