uC-HTTP 漏洞分析技术文档<\/h1>

1. 概述<\/h2>
uC-HTTP 是一个专为运行 µC\/OS II 或 µC\/OS III RTOS 内核的嵌入式系统设计的 HTTP 服务器实现。该服务器支持多种功能，包括持久连接、表单处理、分块传输编码、HTTP 标头字段处理、HTTP 查询字符串处理和动态内容。<\/p>
在 uC-HTTP v3.01.01 版本中发现了多个严重漏洞，包括：<\/p>
CVE-2023-28379<\/li>
CVE-2023-25181<\/li>
以及其他多个未分配CVE的漏洞<\/li> <\/ul>
2. 漏洞分析<\/h2>

2.1 HTTP请求处理流程<\/h3>
uC-HTTP 使用状态机处理HTTP请求，主要处理函数为 HTTPsReq_Handle<\/code>：<\/p>
void<\/span> HTTPsReq_Handle<\/span>(HTTPs_INSTANCE *<\/span>p_instance, HTTPs_CONN *<\/span>p_conn)
<\/span><\/span>{
<\/span><\/span>    done =<\/span> DEF_NO;
<\/span><\/span>    while<\/span> (done !=<\/span> DEF_YES) {
<\/span><\/span>        switch<\/span> (p_conn-><\/span>State) {
<\/span><\/span>            case<\/span> HTTPs_CONN_STATE_REQ_INIT:
<\/span><\/span>                \/\/ 初始化处理
<\/span><\/span><\/span><\/span>                break<\/span>;
<\/span><\/span>            case<\/span> HTTPs_CONN_STATE_REQ_PARSE_METHOD:
<\/span><\/span>                \/\/ 解析HTTP方法
<\/span><\/span><\/span><\/span>                break<\/span>;
<\/span><\/span>            case<\/span> HTTPs_CONN_STATE_REQ_PARSE_URI:
<\/span><\/span>                \/\/ 解析URI
<\/span><\/span><\/span><\/span>                break<\/span>;
<\/span><\/span>            case<\/span> HTTPs_CONN_STATE_REQ_PARSE_QUERY_STRING:
<\/span><\/span>                \/\/ 解析查询字符串
<\/span><\/span><\/span><\/span>                break<\/span>;
<\/span><\/span>            case<\/span> HTTPs_CONN_STATE_REQ_PARSE_PROTOCOL_VERSION:
<\/span><\/span>                \/\/ 解析协议版本
<\/span><\/span><\/span><\/span>                break<\/span>;
<\/span><\/span>            case<\/span> HTTPs_CONN_STATE_REQ_PARSE_HDR:
<\/span><\/span>                \/\/ 解析HTTP头
<\/span><\/span><\/span><\/span>                break<\/span>;
<\/span><\/span>            \/\/ 其他状态...
<\/span><\/span><\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 主要漏洞分析<\/h3>
2.2.1 OOB Write 漏洞 (方法解析漏洞)<\/h4>
漏洞位置<\/strong>: HTTPsReq_MethodParse<\/code> 函数<\/p>
漏洞原因<\/strong>:<\/p>

在计算HTTP方法长度时，没有正确考虑前面的无效字符<\/li>
导致 p_conn->RxBufLenRem<\/code> 被错误地减少了无效字符的长度<\/li>
<\/ol>
关键代码<\/strong>:<\/p>
p_request_method_start =<\/span> HTTP_StrGraphSrchFirst(p_conn-><\/span>RxBufPtr, len); \/\/ [1]
<\/span><\/span><\/span><\/span>len -=<\/span> p_request_method_start -<\/span> p_conn-><\/span>RxBufPtr; \/\/ [2] 正确的长度计算
<\/span><\/span><\/span><\/span>p_request_method_end =<\/span> Str_Char_N(p_request_method_start, len, ASCII_CHAR_SPACE); \/\/ [3]
<\/span><\/span><\/span><\/span>len =<\/span> p_request_method_end -<\/span> p_request_method_start; \/\/ [4] 错误的长度计算
<\/span><\/span><\/span><\/span>p_conn-><\/span>RxBufLenRem -=<\/span> len; \/\/ [5] 错误的长度减少
<\/span><\/span><\/span><\/code><\/pre>影响<\/strong>:<\/p>

导致后续的 HTTPsReq_BodyFormAppKeyValBlkAdd<\/code> 函数使用错误的长度<\/li>
最终在 HTTPsReq_URL_EncodeStrParse<\/code> 中造成越界写入NULL字节<\/li>
<\/ul>
2.2.2 Off-by-NULL 漏洞 (头解析漏洞)<\/h4>
漏洞位置<\/strong>: HTTPsReq_HdrParse<\/code> 函数<\/p>
漏洞原因<\/strong>:<\/p>

在解析失败的header时，没有正确处理长度等于最大长度的情况<\/li>
当 len == p_cfg->HdrRxCfgPtr->DataLenMax<\/code> 时，会在缓冲区末尾写入一个NULL字节，导致单字节溢出<\/li>
<\/ol>
关键代码<\/strong>:<\/p>
if<\/span> (len ><\/span> p_cfg-><\/span>HdrRxCfgPtr-><\/span>DataLenMax) { \/\/ [2] 缺少等于情况的检查
<\/span><\/span><\/span><\/span>    \/\/ 错误处理
<\/span><\/span><\/span><\/span>}
<\/span><\/span>p_str =<\/span> (CPU_CHAR *<\/span>)p_req_hdr_blk-><\/span>ValPtr +<\/span> len; \/\/ [3]
<\/span><\/span><\/span><\/span>*<\/span>p_str =<\/span> ASCII_CHAR_NULL; \/\/ [4] 单字节NULL溢出
<\/span><\/span><\/span><\/code><\/pre>2.2.3 Off-by-NULL 漏洞 (Host解析漏洞)<\/h4>
漏洞位置<\/strong>: Host头解析部分<\/p>
漏洞原因<\/strong>:<\/p>

当Host长度正好等于 p_cfg->HostNameLenMax<\/code> 时<\/li>
在字符串末尾写入NULL字节会导致单字节溢出<\/li>
<\/ol>
关键代码<\/strong>:<\/p>
len =<\/span> DEF_MIN(len, p_cfg-><\/span>HostNameLenMax); \/\/ [2]
<\/span><\/span><\/span><\/span>Str_Copy_N(p_conn-><\/span>HostPtr, p_val, len);
<\/span><\/span>p_conn-><\/span>HostPtr[len] =<\/span> ASCII_CHAR_NULL; \/\/ [3] 单字节NULL溢出
<\/span><\/span><\/span><\/code><\/pre>2.2.4 Heap Overflow 漏洞 (Boundary解析漏洞)<\/h4>
漏洞位置<\/strong>: 表单boundary解析部分<\/p>
漏洞原因<\/strong>:<\/p>

解析boundary时没有进行长度限制<\/li>
直接拷贝到固定大小的缓冲区中，导致堆溢出<\/li>
<\/ol>
关键代码<\/strong>:<\/p>
Str_Copy_N(p_conn-><\/span>FormBoundaryPtr, p_val, len); \/\/ [0] 无长度限制的拷贝
<\/span><\/span><\/span><\/code><\/pre>2.2.5 Buffer Overflow 漏洞 (协议解析漏洞)<\/h4>
漏洞位置<\/strong>: HTTPsReq_ProtocolVerParse<\/code> 函数<\/p>
漏洞原因<\/strong>:<\/p>

在跳过无效字符后没有更新剩余长度<\/li>
导致在缓冲区外搜索CRLF<\/li>
计算新长度时可能产生整数下溢<\/li>
<\/ol>
关键代码<\/strong>:<\/p>
p_protocol_ver_start =<\/span> HTTP_StrGraphSrchFirst(p_conn-><\/span>RxBufPtr, len); \/\/ [1]
<\/span><\/span><\/span>\/\/ len未更新
<\/span><\/span><\/span><\/span>p_protocol_ver_end =<\/span> Str_Str_N(p_protocol_ver_start, STR_CR_LF, len); \/\/ [2] 可能越界搜索
<\/span><\/span><\/span><\/span>p_conn-><\/span>RxBufLenRem -=<\/span> (p_protocol_ver_end -<\/span> p_conn-><\/span>RxBufPtr) +<\/span> 2<\/span>; \/\/ [3] 可能整数下溢
<\/span><\/span><\/span><\/code><\/pre>后续影响<\/strong>:<\/p>

下溢的长度值被用于 Mem_Copy<\/code>，可能导致缓冲区溢出<\/li>
错误的指针计算导致后续接收操作写入缓冲区外<\/li>
<\/ol>
3. 漏洞验证与利用<\/h2>
虽然原文未提供完整的PoC，但根据漏洞分析，可以构建以下利用思路：<\/p>


OOB Write利用<\/strong>:<\/p>

构造包含多个前导空白字符的HTTP请求<\/li>
精心设计方法名称长度，触发长度计算错误<\/li>
控制后续写入位置<\/li>
<\/ul>
<\/li>

Off-by-NULL利用<\/strong>:<\/p>

对于Host头漏洞，发送长度正好等于限制的Host头<\/li>
对于头解析漏洞，构造特定长度的header字段<\/li>
<\/ul>
<\/li>

Heap Overflow利用<\/strong>:<\/p>

发送超长的boundary字符串<\/li>
覆盖堆上的关键数据结构<\/li>
<\/ul>
<\/li>

Buffer Overflow利用<\/strong>:<\/p>

构造包含大量前导无效字符的请求<\/li>
触发整数下溢<\/li>
控制后续内存操作<\/li>
<\/ul>
<\/li>
<\/ol>
4. 修复建议<\/h2>
针对每个漏洞，应采取以下修复措施：<\/p>


OOB Write修复<\/strong>:<\/p>

在方法解析中正确计算长度，考虑前导无效字符<\/li>
<\/ul>
<\/li>

Off-by-NULL修复<\/strong>:<\/p>

对所有字符串拷贝操作添加严格长度检查<\/li>
确保缓冲区有额外空间存放NULL终止符<\/li>
<\/ul>
<\/li>

Heap Overflow修复<\/strong>:<\/p>

为boundary解析添加最大长度限制<\/li>
使用安全字符串拷贝函数<\/li>
<\/ul>
<\/li>

Buffer Overflow修复<\/strong>:<\/p>

在跳过无效字符后正确更新剩余长度<\/li>
添加边界检查防止整数下溢<\/li>
<\/ul>
<\/li>
<\/ol>
5. 参考资源<\/h2>

官方代码仓库: https:\/\/github.com\/weston-embedded\/uC-HTTP<\/li>
漏洞报告: https:\/\/talosintelligence.com\/vulnerability_reports\/TALOS-2023-1725<\/li>
uC-LIB库: https:\/\/github.com\/weston-embedded\/uC-LIB<\/li>
<\/ul>
6. 总结<\/h2>
uC-HTTP v3.01.01 中存在多个严重的内存安全漏洞，主要源于不正确的长度计算和缺乏边界检查。这些漏洞可导致远程代码执行、服务崩溃等严重后果。嵌入式设备开发者应特别注意这些安全问题，及时更新到修复版本或应用补丁。<\/p>