Off-by-one buffer overflow in Basic Authentication in Acme Labs thttpd 1.95 through 2.20 allows remote attackers to cause a denial of service and possibly execute arbitrary code.
Acme Labs thttpd versions 1.95 through 2.20 are vulnerable to a critical buffer overflow in the Basic Authentication process, allowing remote attackers to trigger a denial-of-service (DoS) condition and potentially achieve remote code execution (RCE). Successful exploitation could lead to complete system compromise. This vulnerability is particularly dangerous due to its potential for unauthorized access and control.
Step 1: Request Initiation: The attacker sends a crafted HTTP request to the vulnerable thttpd server. This request includes an Authorization header.
Step 2: Header Parsing: The thttpd server receives the request and parses the HTTP headers, including the Authorization header.
Step 3: Authentication Processing: The server identifies the Basic Authentication scheme and extracts the username and password from the base64 encoded string in the Authorization header.
Step 4: Buffer Overflow Trigger: The server attempts to copy the extracted username or password into a fixed-size buffer without proper bounds checking. If the username or password length exceeds the buffer's capacity, a buffer overflow occurs.
Step 5: Memory Corruption: The overflow overwrites adjacent memory locations, potentially corrupting program data, function pointers, or other critical elements.
Step 6: Denial of Service (DoS) or Remote Code Execution (RCE): The memory corruption can lead to a crash (DoS) or, if the attacker can control the overwritten data, the execution of arbitrary code (RCE).
The vulnerability lies within the Basic Authentication implementation of thttpd. Specifically, an off-by-one error occurs when handling the user credentials provided in the Authorization header. The code fails to properly validate the length of the input string before copying it into a fixed-size buffer. This leads to a buffer overflow, where an attacker can supply a crafted Authorization header with an overly long username or password. This overwrites adjacent memory, potentially corrupting critical program data, leading to a crash (DoS) or, with careful crafting, the execution of arbitrary code (RCE). The root cause is a lack of bounds checking on the input string length before the strcpy or similar function is used to copy the user-supplied credentials into a fixed-size buffer. The vulnerability is triggered during the authentication process, when thttpd attempts to verify the provided credentials.
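The off-by-one pattern described above, in a constructed C illustration that is not thttpd's source code: the buffer size AUTH_BUF and the function names are assumptions made for this example. The vulnerable bookkeeping caps the copy at the full buffer size and then places the terminator at that index, while the hardened copy reserves a byte for the terminator and rejects credentials that do not fit.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the off-by-one pattern, not thttpd's source.
   AUTH_BUF is the fixed-size buffer that receives the decoded "user:pass"
   credential string; the size is chosen small for the example. */
#define AUTH_BUF 16

/* Vulnerable bookkeeping: the copy is capped at the full buffer size, so a
   credential of exactly AUTH_BUF bytes fills every slot and the NUL
   terminator is then written at index AUTH_BUF, one byte past the end.
   Returns the terminator index instead of performing the write, so the
   defect can be observed here without corrupting memory. */
size_t terminator_index_vulnerable(const char *cred) {
    size_t l = strlen(cred);
    if (l > AUTH_BUF) l = AUTH_BUF; /* a bounded copy of l bytes happens here */
    return l;                       /* buf[l] = '\0' is out of bounds when l == AUTH_BUF */
}

/* Does the vulnerable pattern's terminator land outside an AUTH_BUF-byte
   buffer for this credential? 1 = yes (overflow), 0 = no. */
int vulnerable_writes_out_of_bounds(const char *cred) {
    return terminator_index_vulnerable(cred) >= AUTH_BUF;
}

/* Hardened copy: reserve one byte for the terminator and refuse input that
   does not fit, instead of truncating credentials silently. Returns 0 on
   success and -1 when the credential is too long for the buffer. */
int copy_credential_safe(char *buf, size_t bufsize, const char *cred) {
    size_t n = strlen(cred);
    if (bufsize == 0 || n > bufsize - 1) return -1;
    memcpy(buf, cred, n);
    buf[n] = '\0';                  /* n <= bufsize - 1: always in bounds */
    return 0;
}

/* Round-trip check: 1 if the credential is accepted by the safe copy and
   read back intact from an AUTH_BUF-byte buffer, 0 if it was rejected. */
int safe_roundtrip(const char *cred) {
    char buf[AUTH_BUF];
    if (copy_credential_safe(buf, sizeof buf, cred) != 0) return 0;
    return strcmp(buf, cred) == 0;
}
```

A credential of 15 bytes is the longest the hardened copy accepts for a 16-byte buffer; a 16-byte credential is exactly the case where the vulnerable pattern writes one byte past the end.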