Buffer overflow when processing HTTP requests in mini_httpd - CVE-2015-1548
Published: June 29, 2016
mini_httpd
Detailed vulnerability description
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to improper handling of a long string passed in an HTTP request. A remote attacker can send a specially crafted HTTP GET request with a protocol name longer than 10000 bytes, cause an out-of-bounds read, and obtain potentially sensitive information from system memory.
Exploitation example:
perl -e 'print "GET / " . "X"x65536 . "/Y" . "\r\n\r\n"' | ncat localhost 80
Successful exploitation of this vulnerability may allow an attacker to obtain potentially sensitive data stored in RAM, such as passwords, private encryption keys, etc.
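A length limit like the 10000 bytes above typically becomes an out-of-bounds read when code trusts the return value of snprintf() after truncation. The following is an added example, not code from mini_httpd or from this advisory: it assumes the protocol string is echoed into a fixed 10000-byte header buffer, and the function names, status text and input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HDR_BUF 10000   /* assumed buffer size, from the advisory's 10000-byte limit */

/* Unchecked form: snprintf() returns the number of bytes the full output
 * WOULD need, not the number stored in buf. A caller that sends this many
 * bytes starting at buf reads past the end of the buffer. */
static int unchecked_len(char *buf, size_t cap, const char *protocol)
{
    return snprintf(buf, cap, "%s %d %s\r\n", protocol, 200, "Ok");
}

/* Hardened form: returns the bytes actually in buf, or -1 when the output
 * was truncated or formatting failed, so the request can be rejected. */
static int checked_len(char *buf, size_t cap, const char *protocol)
{
    int n = snprintf(buf, cap, "%s %d %s\r\n", protocol, 200, "Ok");
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return n;
}

/* Constructed input: a protocol token made of plen 'X' bytes. */
static int demo(size_t plen, int checked)
{
    static char proto[70000];
    char buf[HDR_BUF];

    if (plen >= sizeof(proto))
        return -2;
    memset(proto, 'X', plen);
    proto[plen] = '\0';
    return checked ? checked_len(buf, sizeof(buf), proto)
                   : unchecked_len(buf, sizeof(buf), proto);
}

int main(void)
{
    printf("8-byte protocol, unchecked length:     %d\n", demo(8, 0));
    printf("65536-byte protocol, unchecked length: %d (buffer holds %d)\n",
           demo(65536, 0), HDR_BUF - 1);
    printf("65536-byte protocol, checked length:   %d\n", demo(65536, 1));
    return 0;
}
```

The same truncation test can back a request-parsing rule that rejects any request line whose protocol token would not fit in the header buffer.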