This report deals with HTTP basic authentication issues in the darkhttpd project. Darkhttpd is a minimal HTTP web server written in C for serving static files. The version under review was 1.14.

A bugfix release, version 1.15, is available. It contains a fix for the timing issue and an additional warning message about the command line leak.

Basic Auth Timing Attack (CVE-2024-23771)

The issue is found in darkhttpd.c line 2272. Here the HTTP basic authentication string supplied by a client is compared against the secret configured via the --auth command line parameter. For this comparison a regular strcmp() function call is used.

Since strcmp() stops at the first differing byte, it returns sooner when the leading bytes of the supplied authentication string do not match the secret than when they do. This difference in runtime can be used in a timing attack to try and find out the correct authentication credentials for the web server.

To fix this, a constant-time string comparison function needs to be used, one that always takes the same amount of computation time regardless of how many bytes of the provided data match the actual authentication secret. An example of such a function is CRYPTO_memcmp() from the OpenSSL library.

Darkhttpd does not support SSL-encrypted traffic by itself. When darkhttpd serves unencrypted http:// over the Internet, it could be argued that the authentication data is sent unencrypted over an untrusted channel anyway. If darkhttpd is used behind a reverse proxy that terminates SSL and thus provides a secure channel, however, this issue violates a major security property of that setup.

Bugfix

After discussing the available options with me, the upstream author decided to implement a custom constant-time string comparison algorithm to address the issue. This algorithm is a rather simple XOR operation accumulated over the complete range of bytes.
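The two comparison strategies side by side, as an added illustration rather than darkhttpd's own code: auth_equal_strcmp() mirrors the pre-1.15 check that stops at the first mismatching byte, early_exit_steps() counts how many byte positions such a loop inspects (a deterministic stand-in for measuring time), and auth_equal_ct() shows the XOR-accumulation approach described above, which always walks the full length of both strings. All function and variable names are my own; the real 1.15 implementation may differ in detail.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (darkhttpd 1.14, CVE-2024-23771): strcmp() returns as
 * soon as it finds a differing byte, so the run time reveals how many
 * leading bytes of the guess were correct. */
int auth_equal_strcmp(const char *provided, const char *secret)
{
    return strcmp(provided, secret) == 0;
}

/* Counts how many byte positions a strcmp()-style loop inspects before it
 * can stop. Equal prefixes cost more steps; a wrong first byte costs one. */
size_t early_exit_steps(const char *a, const char *b)
{
    size_t steps = 0;
    for (;; a++, b++) {
        steps++;
        if (*a != *b || *a == '\0')
            return steps;
    }
}

/* Constant-time comparison in the style of the 1.15 fix: XOR every byte pair
 * into an accumulator and only inspect the result after the loop. The loop
 * always runs max(strlen(provided), strlen(secret)) iterations, so the time
 * depends on the lengths (the attacker already knows the length of their own
 * input) but not on where the first mismatch is. */
int auth_equal_ct(const char *provided, const char *secret)
{
    size_t plen = strlen(provided);
    size_t slen = strlen(secret);
    size_t n = plen > slen ? plen : slen;
    unsigned char diff = (unsigned char)(plen != slen);

    for (size_t i = 0; i < n; i++) {
        /* Read only within each string's bounds; substitute 0 past the end
         * so the iteration count never depends on the contents. */
        unsigned char cp = (i < plen) ? (unsigned char)provided[i] : 0;
        unsigned char cs = (i < slen) ? (unsigned char)secret[i] : 0;
        diff |= cp ^ cs;
    }
    return diff == 0;
}

int main(void)
{
    const char *secret = "user:secret";   /* constructed sample credential */
    const char *guesses[] = { "Xser:secret", "user:secreX", "user:secret" };

    for (size_t i = 0; i < 3; i++) {
        printf("guess %-12s  strcmp-style steps: %2zu  ct result: %d\n",
               guesses[i], early_exit_steps(guesses[i], secret),
               auth_equal_ct(guesses[i], secret));
    }
    return 0;
}
```

The accumulator pattern is the same idea behind library routines such as CRYPTO_memcmp(); those additionally take steps to keep an optimising compiler from turning the loop back into an early-exit comparison, which is a reason to prefer a vetted library function over a hand-rolled one where one is available.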

Local Leak of Authentication Parameter in Process List (CVE-2024-23770)

The only way to configure the HTTP basic auth string in darkhttpd is to pass it via the --auth command line parameter. On Linux, all local users can view the command line parameters of other processes running on the system. This means that if there are other users or programs running in different security domains, they can obtain the authentication credentials for the web server.

To fix this, an alternative mechanism needs to be provided to pass the authentication credentials in a safe way. Typically this is solved by using an environment variable or a protected configuration file. If the existing --auth command line switch is kept around, then the fact that it leaks the authentication credentials on Linux systems should be documented.
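As an added example of the protected-configuration-file alternative mentioned above (this is not darkhttpd code; upstream 1.15 kept --auth and only added a warning), here is a loader that refuses to use a secret file unless it is a regular file, owned by the user the server runs as, with no permission bits set for group or others. The function names, result codes and the /tmp paths used in the demo are my own choices.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes for load_auth_secret(). */
enum {
    SECRET_OK = 0,
    SECRET_ERR_IO = -1,          /* open/fstat/read failed */
    SECRET_ERR_NOT_REGULAR = -2,
    SECRET_ERR_PERMISSIONS = -3, /* group or other has any permission bit */
    SECRET_ERR_OWNER = -4,       /* not owned by the effective user */
    SECRET_ERR_TOO_LONG = -5
};

/* Read "user:password" from a file that only the server's own user can read,
 * so the credential never appears in argv and hence not in the process list. */
int load_auth_secret(const char *path, char *out, size_t outlen)
{
    /* O_NOFOLLOW: do not let a symlink redirect us to some other file. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return SECRET_ERR_IO;

    struct stat st;
    int rc = SECRET_OK;
    if (fstat(fd, &st) != 0)
        rc = SECRET_ERR_IO;
    else if (!S_ISREG(st.st_mode))
        rc = SECRET_ERR_NOT_REGULAR;
    else if (st.st_mode & (S_IRWXG | S_IRWXO))
        rc = SECRET_ERR_PERMISSIONS;
    else if (st.st_uid != geteuid())
        rc = SECRET_ERR_OWNER;
    else if ((size_t)st.st_size >= outlen)
        rc = SECRET_ERR_TOO_LONG;

    if (rc != SECRET_OK) {
        close(fd);
        return rc;
    }

    ssize_t n = read(fd, out, outlen - 1);
    close(fd);
    if (n < 0)
        return SECRET_ERR_IO;
    out[n] = '\0';
    /* Strip a trailing newline left behind by an editor. */
    while (n > 0 && (out[n - 1] == '\n' || out[n - 1] == '\r'))
        out[--n] = '\0';
    return SECRET_OK;
}

/* Demo helper: create a secret file with an explicit mode, bypassing the
 * umask so the permission check above sees exactly the mode requested. */
int write_secret_file(const char *path, const char *secret, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0)
        return -1;
    int rc = 0;
    if (fchmod(fd, mode) != 0 ||
        write(fd, secret, strlen(secret)) != (ssize_t)strlen(secret))
        rc = -1;
    close(fd);
    return rc;
}

/* Loads the secret from path and compares it with expected: 1 on match,
 * 0 on mismatch, or the negative load error code. */
int secret_file_matches(const char *path, const char *expected)
{
    char buf[256];
    int rc = load_auth_secret(path, buf, sizeof buf);
    if (rc != SECRET_OK)
        return rc;
    /* A real server would use a constant-time comparison here. */
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed demo files under /tmp: one correctly protected, one not. */
    write_secret_file("/tmp/darkhttpd-secret-ok", "user:secret\n", 0600);
    write_secret_file("/tmp/darkhttpd-secret-bad", "user:secret\n", 0644);
    printf("0600 file: %d\n", secret_file_matches("/tmp/darkhttpd-secret-ok", "user:secret"));
    printf("0644 file: %d\n", secret_file_matches("/tmp/darkhttpd-secret-bad", "user:secret"));
    unlink("/tmp/darkhttpd-secret-ok");
    unlink("/tmp/darkhttpd-secret-bad");
    return 0;
}
```

Checking the mode and owner via fstat() on the already-opened descriptor, rather than stat() on the path first, avoids a window in which the file could be swapped between the check and the read. An environment variable avoids the argv leak too, but it is inherited by every child process, so a file with restricted permissions is the tighter option when the server spawns anything.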

Bugfix

The upstream author decided to only document the security implications by adding a warning to the command line usage output.

Review Summary

Apart from these HTTP basic authentication related issues, I have not found any problematic spots in the code base of darkhttpd. I focused on the potential for log file spoofing, escaping the web root via crafted URLs and memory corruption, e.g. through specifying bad byte ranges in HTTP headers. The code is robust in these areas.

Timeline

2024-01-12 I reported the findings to the upstream author emikulic@gmail.com, offering coordinated disclosure.
2024-01-13 The author confirmed the security issues but declined a formal embargo period.
2024-01-15 I requested two CVEs from Mitre to track the two findings found during the review.
2024-01-18 After some discussions about the bugfixes, the author published the new version 1.15 containing the changes.
2024-01-25 Mitre assigned the CVEs.

References