Vulnerability in AMI MegaRAC firmware caused by shipping an old version of lighttpd

A vulnerability has been identified in MegaRAC firmware from American Megatrends (AMI), which is used in the Baseboard Management Controllers (BMCs) that server manufacturers ship for stand-alone remote management of their equipment. It allows an unauthenticated remote attacker to read the contents of the memory of the process that serves the web interface. The vulnerability is present in firmware released since 2019 and is caused by shipping an old version of the lighttpd HTTP server that contains an unpatched vulnerability.

In the lighttpd codebase this bug was fixed back in 2018, in version 1.4.51, but the fix was made without assigning a CVE identifier and without publishing an advisory describing the nature of the vulnerability. The release notes mentioned security fixes but focused on a vulnerability in mod_userdir involving the use of the ".." and "." sequences in the username.

The change list also mentioned a problem with HTTP header processing, but the firmware developers missed this fix and did not carry it over into their product: the note that the change potentially eliminated a use-after-free was present only in the commit message, and nothing in the general change list indicated that the error led to a memory access after free.

The vulnerability allows memory contents outside the allocated buffer to be read. It is caused by a bug in the HTTP header merging code that runs when several instances of the "If-Modified-Since" header are supplied. When processing the second instance, lighttpd allocated a new buffer to hold the merged value and freed the buffer that held the value from the first header, but the con->request.http_if_modified_since pointer was not updated and continued to point to the freed memory area.

Since this pointer was subsequently used to compare the contents of the If-Modified-Since header, and the result of that comparison determined which return code was generated, an attacker could guess, by brute force, the new contents of the memory previously occupied by the first buffer. The issue could be chained with other vulnerabilities, for example to determine the memory layout in order to bypass protections such as ASLR (Address Space Layout Randomization).
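The two paragraphs above describe the stale-pointer pattern and the comparison that exposed it. The following is an added, constructed model of duplicate-header merging with the cache refreshed after each merge; it is not lighttpd's code, and the struct, function names and header table size are assumptions made for the illustration.

```c
/* Constructed, simplified model of duplicate-header merging; not lighttpd's code.
 * The page describes lighttpd before 1.4.51 caching a raw pointer to the first
 * If-Modified-Since value and freeing that buffer when a second instance was
 * merged in, leaving the cache dangling. Here the cache follows every merge. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#define MAX_HEADERS 16

struct request {
    char *name[MAX_HEADERS];
    char *value[MAX_HEADERS];
    int count;
    const char *if_modified_since;   /* cached pointer into value[] */
};

/* "a" + ", " + "b" in a freshly allocated buffer, or NULL on failure. */
static char *merge_values(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    char *out = malloc(la + lb + 3);
    if (out) { memcpy(out, a, la); memcpy(out + la, ", ", 2); memcpy(out + la + 2, b, lb + 1); }
    return out;
}

/* Add a header; a repeated name (case-insensitive) is merged into the existing
 * entry. Returns 0 on success, -1 on allocation failure or a full table. */
int request_add_header(struct request *r, const char *name, const char *val) {
    for (int i = 0; i < r->count; i++) {
        if (strcasecmp(r->name[i], name) != 0) continue;
        char *merged = merge_values(r->value[i], val);
        if (!merged) return -1;
        free(r->value[i]);               /* old buffer is invalid from here on */
        r->value[i] = merged;
        if (strcasecmp(name, "If-Modified-Since") == 0)
            r->if_modified_since = merged; /* the fix: re-point the cache at the new buffer */
        return 0;
    }
    if (r->count == MAX_HEADERS) return -1;
    r->name[r->count] = strdup(name);
    r->value[r->count] = strdup(val);
    if (!r->name[r->count] || !r->value[r->count]) return -1;
    if (strcasecmp(name, "If-Modified-Since") == 0)
        r->if_modified_since = r->value[r->count];
    r->count++;
    return 0;
}

/* Conditional-GET decision that reads the cached pointer: 304 when the header
 * equals the resource's Last-Modified string, 200 otherwise (or if absent). */
int ims_status(const struct request *r, const char *last_modified) {
    return r->if_modified_since && strcmp(r->if_modified_since, last_modified) == 0 ? 304 : 200;
}
```

Without the re-pointing line in the merge branch, ims_status would compare against freed memory, which is the behaviour the article describes.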

The presence of the vulnerability has been confirmed on Lenovo and Intel server platforms, but these companies do not plan to release firmware updates because the affected products have reached the end of their support period and the vulnerability is rated low severity. The problem affects firmware for the Intel M70KLP and the Lenovo HX3710, HX3710-F and HX2710-E platforms (the vulnerability is present even in the latest firmware versions, Lenovo 2.88.58 and Intel 01.04.0030). It is also reported that the lighttpd vulnerability appears in firmware for Supermicro equipment and in servers that use BMC controllers from Duluth and AETN.

Source: opennet.ru