MiniWeb HTTP Server 0-day Vulnerability (CVE-2020-29596)

MiniWeb HTTP Server 0-day Vulnerability (CVE-2020-29596)

MiniWeb is open-source software that often acts as a tiny HTTP server for small systems. The software was developed in C language and received the latest update in 2018.

As a result of our researches, we detected the buffer overflow vulnerability in the POST parameter sent to the MiniWeb server.

How Did We Detect MiniWeb HTTP Server Buffer Overflow Vulnerability? 

As the Security For Everyone team, we regularly look for vulnerabilities in the software we have chosen to find 0-day. One of the software we chose was the MiniWeb HTTP server, which serves as an HTTP server. After deciding on the application that we will look for vulnerability, we performed the following steps in turn:

  1. We used the Boofuzz ​​framework, an open-source project, to automate the vulnerability search process.

  2. Our HTTP fuzz codes found a crash in the software.

  3. When we examined the pcap file of the crash that was received, we determined that this crash was caused by sending a large number of characters instead of one of the parameters in the POST request sent to the server.

  4. We verified the vulnerability by manually repeating the same case so that the finding is not a false positive.

  5. We worked to transform the vulnerability into Remote Code Execution vulnerability, not as Denial of Service, but the vulnerability was not exploitable, so we published it as Denial of Service.

Finally, we applied to Mitre and got our CVE code.

What to Do?

Although the software was last updated in 2018, we tried to contact the developer after detecting the vulnerability but did not deal with it. Since the software does not receive an update or patch anymore, Security For Everyone team recommends using a more stable HTTP server software that receives updates and patches instead of this software.