Headline
CVE-2021-33254: EmbedThis Appweb NPD Bug
An issue was discovered in src/http/httpLib.c in EmbedThis Appweb Community Edition 8.2.1 that allows attackers to cause a denial of service via the stream parameter to the parseUri function.
Summary
A null pointer dereference (NPD) bug in EmbedThis Appweb Community Edition, latest version 8.2.1, leads to a server crash.
Appweb and GoAhead are embedded web servers used in hundreds of millions of devices and applications. This includes printers, routers, switches, IP phones, mobile applications, data acquisition, military applications, Wi-Fi gateways, factory automation, medical devices and many more.
Analysis
The bug exists in src/http/httpLib.c:
    static void parseUri(HttpStream *stream)
    hostname = rx->hostHeader ? rx->hostHeader : stream->host->name;
When an HTTP request without a valid Host header is processed by parseUri(), rx->hostHeader is 0x00 (NULL), so hostname = stream->host->name.
However, stream->host is also 0x00, so evaluating stream->host->name dereferences a null pointer and the appweb process crashes with a segmentation fault.
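A defensive form of the hostname selection described above, as an added example that is not Appweb's code or its upstream fix. The Demo* structures, resolve_hostname() and the 400 status are assumptions standing in for the real types and error handling.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the Appweb structures (assumption, not the real definitions). */
typedef struct { const char *name; } DemoHost;
typedef struct { const char *hostHeader; } DemoRx;
typedef struct { DemoRx *rx; DemoHost *host; } DemoStream;

/* Return codes of the hypothetical hardened helper. */
enum { HOST_OK = 0, HOST_BAD_REQUEST = 400 };

/*
 * Hardened form of:
 *   hostname = rx->hostHeader ? rx->hostHeader : stream->host->name;
 * Every pointer on the fallback path is checked before it is dereferenced.
 */
static int resolve_hostname(const DemoStream *stream, const char **out)
{
    *out = NULL;
    if (stream == NULL || stream->rx == NULL) {
        return HOST_BAD_REQUEST;
    }
    /* Prefer the Host header when the request carried one. */
    if (stream->rx->hostHeader != NULL) {
        *out = stream->rx->hostHeader;
        return HOST_OK;
    }
    /* Fallback is only valid when a host is bound to the stream. */
    if (stream->host != NULL && stream->host->name != NULL) {
        *out = stream->host->name;
        return HOST_OK;
    }
    /* No Host header and no bound host: reject the request instead of crashing. */
    return HOST_BAD_REQUEST;
}

int main(void)
{
    DemoRx rx = { NULL };              /* constructed: request without a Host header */
    DemoStream stream = { &rx, NULL }; /* constructed: no host bound to the stream */
    const char *hostname;
    int rc = resolve_hostname(&stream, &hostname);
    printf("status=%d hostname=%s\n", rc, hostname ? hostname : "(none)");
    return rc == HOST_BAD_REQUEST ? 0 : 1;
}
```

The caller maps HOST_BAD_REQUEST to an error response and stops processing the request, so the state that crashes the unpatched code path becomes a rejected request.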
Reproduce
To reproduce this bug, build Appweb Community Edition version 8.2.1 with make on an x64 Linux distro, run the server with ./appweb --verbose . 127.0.0.1:8081, and send the PoC to it with cat npd.txt | nc 127.0.0.1 8081. A segmentation fault is the expected result.