EmbedThis GoAhead is a simple and compact embedded web server which can be used to efficiently host embedded web applications. GoAhead is a very popular web server and is known to have 1.3 million installations worldwide.
A researcher from Cisco Talos discovered two security bugs in the GoAhead Embedded Web Server, tracked as CVE-2019-5096 and CVE-2019-5097. Both arise from a flaw in the processing of multipart/form-data HTTP requests. multipart/form-data is a content type used in HTTP requests to submit forms that contain files, non-ASCII data, or binary data.
The chief in mischief: CVE-2019-5096
CVE-2019-5096 is a use-after-free (CWE-416) issue that occurs during the processing of HTTP requests within the base GoAhead web server application. An attacker who sends a crafted HTTP request can corrupt heap structures and achieve code execution.
Processing multipart/form-data in HTTP GET or POST requests that carry multiple Content-Disposition headers in the same request can give rise to a use-after-free condition when the heap structures used to store the different parts of the request are cleaned up.
The vulnerability resides in freeUploadFile() in upload.c. A double free exists here: the product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
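To illustrate the defensive pattern, the following is an added C model of an upload-part release routine (illustrative only, not GoAhead's own code or structures; UploadFile, Request, onContentDisposition and simulateDuplicateDisposition are assumed names). It contrasts a release that leaves dangling pointers with one that is safe to call more than once, and drives the scenario from the text: two Content-Disposition headers in one part followed by end-of-request cleanup.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Illustrative model of one multipart upload part (assumed, not GoAhead's). */
typedef struct UploadFile {
    char *clientFilename;
    char *contentType;
} UploadFile;

typedef struct Request {
    UploadFile *currentFile;   /* part currently being parsed, NULL if none */
    int partsStarted;
} Request;

/* Unsafe pattern for contrast: frees but never clears req->currentFile, so a
 * second call on the same Request frees the same address again (double free).
 * Shown only to illustrate the defect class; never invoked here. */
void freeUploadFileUnsafe(Request *req) {
    free(req->currentFile->clientFilename);
    free(req->currentFile->contentType);
    free(req->currentFile);
}

/* Hardened release: idempotent, because every freed pointer is cleared. */
static void freeUploadFile(Request *req) {
    UploadFile *up = req->currentFile;
    if (up == NULL) return;            /* nothing to free: safe to call twice */
    free(up->clientFilename);
    free(up->contentType);
    free(up);
    req->currentFile = NULL;           /* removes the dangling reference */
}

/* Invoked for each Content-Disposition header; a duplicate header in the same
 * part releases the earlier part exactly once and then replaces it. */
static int onContentDisposition(Request *req, const char *filename) {
    freeUploadFile(req);
    UploadFile *up = calloc(1, sizeof(*up));
    if (up == NULL) return -1;
    up->clientFilename = strdup(filename);
    up->contentType = strdup("application/octet-stream");
    req->currentFile = up;
    req->partsStarted++;
    return 0;
}

/* Two Content-Disposition headers in one part, then two cleanup passes.
 * Returns parts started (2) if cleanup left no dangling pointer, else -1. */
int simulateDuplicateDisposition(void) {
    Request req = {0};
    if (onContentDisposition(&req, "a.txt") != 0) return -1;
    if (onContentDisposition(&req, "b.txt") != 0) return -1;  /* duplicate */
    freeUploadFile(&req);              /* end-of-request cleanup */
    freeUploadFile(&req);              /* a second cleanup path is harmless */
    return req.currentFile == NULL ? req.partsStarted : -1;
}
```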
CVE-2019-5097 is a denial of service vulnerability that occurs during the processing of HTTP requests within the base GoAhead web server. An attacker can create an infinite loop during processing by sending a crafted HTTP request.
The infinite loop created by the crafted request leads to 100% CPU utilization. If the client connection terminates before the entire amount of data specified by the Content-Length header has been received, the server continuously tries to send responses to the disconnected socket. Though requests are still handled by the process at this time, further denial of service conditions can arise depending on the available system resources.
The crafted data can be an unauthenticated GET or POST request and does not require the requested resource to be present on the server. While certain route configurations could deny access to the vulnerable code, the default build configuration can be used for exploitation, because it inherits permissions from the parent path and does not require the requested page to exist. The advisory indicates that successful exploitation requires the ME_GOAHEAD_UPLOAD compile-time flag to be enabled and the path specified by ME_GOAHEAD_UPLOAD_DIR to exist. Thus, the default configuration is known to be vulnerable. Pages that require authentication cannot be used to reach the vulnerability without authenticating.
Affected versions: EmbedThis GoAhead Web Server 5.0.1, 4.1.1 and 3.6.5.
Successful exploitation allows an attacker to remotely execute code or conduct denial of service attacks.
EmbedThis has issued an update to resolve these vulnerabilities. We strongly recommend installing the latest updates without further delay.