darkhttpd: timing attack and local leak of HTTP basic auth credentials
This report deals with HTTP basic auth issues in the darkhttpd project. Darkhttpd is a minimal HTTP web server implemented in the C programming language, for serving static files. The version under review was 1.14.
A version 1.15 bugfix release containing a bugfix and an additional warning message is available.
Basic Auth Timing Attack (CVE-2024-23771)
The issue is found in darkhttpd.c line 2272. Here the HTTP
basic authentication string supplied by a client is compared against the
secret configured via the --auth command line parameter. For this comparison
a regular strcmp() function call is used.
Since strcmp() performs an efficient linear comparison, it will terminate
earlier if the first bytes of the supplied authentication string don’t match
compared to if they do match. This difference in runtime can be used for
timing attacks to try and find out the correct authentication credentials to
access the web server.
To fix this, a constant-time string comparison function needs to be used
that always takes the same amount of computation time for the comparison
independently of how many bytes of the provided data match the actual
authentication secret. An example for such a function is the
CRYPTO_memcmp() function provided by the openSSL library.
Darkhttp does not support SSL encrypted traffic by itself. When darkhttpd is used for unencrypted http:// over the Internet then it could be argued that the authentication data will be sent unencrypted over an untrusted channel anyway. If darkhttpd is used behind a reverse proxy that uses SSL and thus uses a secure channel, then a major security property will be violated by this issue though.
Bugfix
After discussing the available options with him, the upstream author decided to implement a custom constant-time string comparison algorithm to address the issue. This algorithm is a rather simple xor operation over the complete range of bytes.
Local Leak of Authentication Parameter in Process List (CVE-2024-23770)
The only way to configure the HTTP basic auth string in darkhttpd is to pass
it via the --auth command line parameter. On Linux all local users can view
the parameters of other programs running on the system. This means if there
are other users or programs running in different security domains, then these
can obtain the authentication credentials for the web server.
To fix this an alternative mechanism needs to be provided to pass the
authentication credentials in a safe way. Typically this can be solved by
using an environment variable or a protected configuration file. If the
existing --auth command line switch is kept around, then the fact that this
leaks the authentication credentials on Linux systems should be documented.
Bugfix
The upstream author decided to only document the security implications by adding a warning to the command line usage output.
Review Summary
Apart from these HTTP basic authentication related issues, I have not found any problematic spots in the code base of darkhttpd. I focused on the potential for log file spoofing, escaping the web root via crafted URLs and memory corruption, e.g. through specifying bad byte ranges in HTTP headers. The code is robust in these areas.
Timeline
| 2024-01-12 | I reported the findings to the upstream author emikulic@gmail.com, offering coordinated disclosure. |
| 2024-01-13 | The author confirmed the security issues but declined a formal embargo period. |
| 2024-01-15 | I requested two CVEs from Mitre to track the two findings found during the review. |
| 2024-01-18 | After some discussions about the bugfixes, the author published the new version 1.15 containing the changes. |
| 2024-01-25 | Mitre assigned the CVEs. |