CVE-2022-31793
Published: 2022-08-04
Priority: P179, high · CVSS 3.1: 7.5
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 11.37% (95.4th percentile)
do_request in request.c in muhttpd before 1.1.7 allows remote attackers to read arbitrary files by constructing a URL with a single character before a desired path on the filesystem. This occurs because the code skips over the first character when serving files. Arris NVG443, NVG599, NVG589, and NVG510 devices and Arris-derived BGW210 and BGW320 devices are affected.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inglorion | muhttpd | < 1.1.7 | 1.1.7 |
Detection & IOCs
bytes: 47455420612F6574632F706173737764
- The exploit sends a raw TCP request with a single arbitrary character prepended before the target path (e.g., 'GET a/etc/passwd'). Detect HTTP GET requests where the path begins with a single non-slash character immediately followed by a filesystem path such as /etc/passwd.
- Detection over raw TCP: send hex payload '47455420612F6574632F706173737764' followed by '\n\n' and look for response body containing hex string '726f6f743a' (ASCII: 'root:'), indicating /etc/passwd content was returned.
- Affected devices include Arris NVG443, NVG599, NVG589, NVG510, BGW210, and BGW320. Prioritize scanning these device models running muhttpd <= 1.1.5.
- The vulnerability is unauthenticated and exploitable over the network with no user interaction required (CVSS AV:N/AC:L/PR:N/UI:N). Any exposed muhttpd port should be treated as a high-priority detection target.
- The Nuclei template targets the default muhttpd TCP port via '{{Hostname}}'. Ensure your scanner resolves the correct port for muhttpd on target Arris/BGW devices, as it may not be standard HTTP port 80.
- The NVD advisory states the fix is in version 1.1.7, but the Nuclei template remediation incorrectly states 'Update the application to version 1.10'. Use 1.1.7 as the authoritative patched version.
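The request-side and response-side indicators from the list above, written as a log/PCAP triage check. This is an added example, not code from the original page or the Nuclei template; the function names and the sample captures are constructed for illustration, and only the two hex strings come from the page.

```python
import re

# Request line: METHOD SP target [SP HTTP-version]. The version is optional
# because the probe quoted on this page is just "GET a/etc/passwd".
REQUEST_LINE = re.compile(rb"^([A-Z]+) +(\S+)(?: +HTTP/\d\.\d)?\s*$")

# Indicator from the page: exactly one non-slash byte, then an absolute path.
SKIPPED_CHAR_PATH = re.compile(rb"^[^/\s]/")

# Response marker from the page: hex 726f6f743a, i.e. ASCII "root:".
PASSWD_MARKER = bytes.fromhex("726f6f743a")


def classify_request(raw: bytes) -> str:
    """Return 'suspicious', 'normal' or 'unparsed' for one raw request."""
    first_line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    match = REQUEST_LINE.match(first_line)
    if not match:
        return "unparsed"  # not HTTP (e.g. a TLS hello hitting the port)
    target = match.group(2)
    return "suspicious" if SKIPPED_CHAR_PATH.match(target) else "normal"


def response_leaks_passwd(body: bytes) -> bool:
    """True when a response body contains the /etc/passwd marker."""
    return PASSWD_MARKER in body


def triage(captures):
    """Pair each (request, response) capture with a verdict.

    'confirmed' means the request matched and the response carried the
    marker; 'attempt' means only the request matched.
    """
    verdicts = []
    for request, response in captures:
        kind = classify_request(request)
        if kind == "suspicious":
            kind = "confirmed" if response_leaks_passwd(response) else "attempt"
        verdicts.append(kind)
    return verdicts


# Constructed sample captures (request bytes, response bytes).
SAMPLES = [
    (bytes.fromhex("47455420612F6574632F706173737764") + b"\n\n",
     b"root:x:0:0:root:/root:/bin/sh\n"),
    (b"GET x/etc/passwd HTTP/1.0\r\n\r\n", b"HTTP/1.0 404 Not Found\r\n\r\n"),
    (b"GET /index.html HTTP/1.1\r\nHost: router.example\r\n\r\n", b"<html>"),
    (b"GET http://router.example/status HTTP/1.1\r\n\r\n", b"ok"),
    (b"\x16\x03\x01\x02\x00", b""),
]
```

Calling `triage(SAMPLES)` separates a confirmed read from a blocked attempt, which is the distinction that matters when deciding whether a device needs credential rotation as well as patching to 1.1.7.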
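CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |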
GHSA
GHSA-c4c9-87fm-m8qc: do_request in request
ghsa_unreviewed·2022-08-05
CVE-2022-31793 [HIGH] CWE-22 GHSA-c4c9-87fm-m8qc: do_request in request
VulnCheck
inglorion muhttpd Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2022·CVSS 7.5
CVE-2022-31793 [HIGH] inglorion muhttpd Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: inglorion muhttpd
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve
No detection rules found.
Nuclei
muhttpd <=1.1.5 - Local Inclusion
nuclei·CVSS 7.5
CVE-2022-31793 [HIGH] muhttpd <=1.1.5 - Local Inclusion
muhttpd 1.1.5 and before are vulnerable to unauthenticated local file inclusion. The vulnerability allows retrieval of files from the file system.
Template:
```yaml
id: CVE-2022-31793

info:
  name: muhttpd <=1.1.5 - Local Inclusion
  author: scent2d
  severity: high
  description: |
    muhttpd 1.1.5 and before are vulnerable to unauthenticated local file inclusion. The vulnerability allows retrieval of files from the file system.
  impact: |
    An attacker can exploit this vulnerability to read sensitive files on the system.
  remediation: Update the application to version 1.10
  reference:
    - https://derekabdine.com/blog/2022-arris-advisory.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-31793
    - https://derekabdine.com/blog/2022-arris-advisory
    - https://blog.malwarebytes.com/exp
```
No writeups or analysis indexed.
References:
- http://inglorion.net/software/muhttpd/
- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/millions-of-arris-routers-are-vulnerable-to-path-traversal-attacks/
- https://derekabdine.com/blog/2022-arris-advisory
- https://kb.cert.org/vuls/id/495801
- https://www.kb.cert.org/vuls/id/495801