Full Report
Crow is an HTTP server framework written in C++. While triaging a different vulnerability, the author of the disclosure post stumbled across an issue that required nothing special to trigger: if a static file was smaller than 16KB, the response was padded with the unused, uninitialized remainder of the 16KB stack buffer the file had been read into. It is remarkable that this information disclosure was never caught earlier, since it was so easy to trigger. Good bug find!
Analysis Summary
# Vulnerability: Crow HTTP Framework Information Disclosure (Crowbleed)
## CVE Details
- CVE ID: CVE-2022-38668
- CVSS Score: 7.5 High (NIST/NVD rating, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- CWE: Not explicitly specified in the original disclosure; the mechanism (sending the unused, uninitialized remainder of a stack buffer to the client) corresponds to CWE-908, Use of Uninitialized Resource.
## Affected Systems
- Products: Crow HTTP/WebSocket framework
- Versions: Version 1.0+4 and older (for both the maintained fork `CrowCpp/Crow` and the original version `ipkn/crow`)
- Configurations: Any deployment that serves static files; the leak triggers on every file shorter than 16KB (16384 bytes).
## Vulnerability Description
The vulnerability is an information disclosure flaw in the code path that streams static files to the client. Crow reads the file into a fixed 16KB (16384-byte) buffer on the stack and then hands the whole buffer to the socket write, rather than only the number of bytes the read actually returned. For any file shorter than 16KB the response is therefore the file content followed by whatever the rest of that stack buffer happened to contain: uninitialized memory left over from earlier stack frames, which can hold data from previous requests or other secrets that passed through the stack.
## Exploitation
- Status: PoC available (a single HTTP GET for any static file under 16KB triggers it, so a PoC is trivial to write.)
- Complexity: Low (Triggered by a simple network request to a small static file.)
- Attack Vector: Network
## Impact
- Confidentiality: High (each request discloses 16384 bytes minus the file's length of stack memory, and the request can be repeated indefinitely to sample the stack over time.)
- Integrity: None
- Availability: None
## Remediation
### Patches
- The fix passes the number of bytes actually read in each chunk to the `asio::buffer` constructor, so the write covers only the bytes that were read rather than the whole 16KB stack buffer.
- Users should upgrade to Crow version **1.0+5** or newer. `ipkn/crow` is the unmaintained original; its users should move to the `CrowCpp/Crow` fork rather than wait for a patch there.
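To make the mechanism and the one-line fix concrete, here is an added example written for this page (not Crow's own code) that models the streaming write without asio: a string stream stands in for the static file and a byte vector for the socket. It assumes, consistent with the description above, that one 16KB stack buffer is reused for every chunk of a file; `write_streamed_vulnerable` sends the whole buffer each time, `write_streamed_fixed` sends only `gcount()` bytes. The `'S'` fill is a constructed stand-in for stale stack contents, which in the real bug are simply uninitialized.

```cpp
// Added example, not Crow's own code: a minimal model of the streaming write
// behind Crowbleed. An istringstream stands in for the static file and a byte
// vector for the socket, so the bug can be observed without asio.
// Assumption (from the description above): one 16 KiB buffer on the stack is
// reused for every chunk of a single file.
#include <cstddef>
#include <cstring>
#include <iostream>
#include <istream>
#include <sstream>
#include <string>
#include <vector>

static const std::size_t kChunk = 16384;  // size of the per-call stack buffer

// Stand-in for the socket: everything "written" is appended to `wire`.
struct FakeSocket {
    std::vector<char> wire;
    void write(const char* data, std::size_t n) { wire.insert(wire.end(), data, data + n); }
};

// Vulnerable shape: the whole buffer is sent no matter how many bytes the
// read() filled. `stale` is a constructed stand-in for whatever an earlier
// call left on the stack; in the real bug that memory is simply uninitialized.
void write_streamed_vulnerable(std::istream& is, FakeSocket& sock, char stale = 'S') {
    char buf[kChunk];
    std::memset(buf, stale, sizeof buf);  // models leftover stack contents
    while (is.read(buf, static_cast<std::streamsize>(sizeof buf)).gcount() > 0) {
        sock.write(buf, sizeof buf);      // bug: ignores gcount()
    }
}

// Fixed shape, equivalent to passing the byte count to asio::buffer: only the
// bytes actually read are sent.
void write_streamed_fixed(std::istream& is, FakeSocket& sock, char stale = 'S') {
    char buf[kChunk];
    std::memset(buf, stale, sizeof buf);
    while (is.read(buf, static_cast<std::streamsize>(sizeof buf)).gcount() > 0) {
        sock.write(buf, static_cast<std::size_t>(is.gcount()));
    }
}

// Serve `file` through one of the two writers and return what hit the wire.
std::vector<char> serve(const std::string& file, bool fixed) {
    std::istringstream is(file, std::ios::binary);
    FakeSocket sock;
    if (fixed) write_streamed_fixed(is, sock); else write_streamed_vulnerable(is, sock);
    return sock.wire;
}

// Bytes the client received beyond the file's real length.
std::size_t leaked_bytes(const std::string& file, bool fixed) {
    return serve(file, fixed).size() - file.size();
}

// Byte i of the wire data, or '\0' if the response was shorter than that.
char wire_byte(const std::string& file, bool fixed, std::size_t i) {
    std::vector<char> w = serve(file, fixed);
    return i < w.size() ? w[i] : '\0';
}

// Constructed file content of length n with a recognisable pattern.
std::string patterned_file(std::size_t n) {
    std::string s(n, '\0');
    for (std::size_t i = 0; i < n; ++i) s[i] = static_cast<char>('a' + i % 26);
    return s;
}

int main() {
    const std::string small = "hello world";  // 11-byte constructed file
    std::cout << "small file, vulnerable: " << serve(small, false).size()
              << " bytes on the wire, " << leaked_bytes(small, false) << " leaked\n";
    std::cout << "small file, fixed:      " << serve(small, true).size() << " bytes\n";
    const std::string big = patterned_file(20000);  // spans two chunks
    std::cout << "20000-byte file, vulnerable: " << serve(big, false).size()
              << " bytes; the excess is the previous chunk's data, not stack\n";
    return 0;
}
```

The 20000-byte case shows why the 16KB threshold in this write-up is exact under the stated assumption: the vulnerable version still sends an over-long final chunk, but its tail is the earlier part of the same file left in the buffer, so only files shorter than 16384 bytes expose memory that did not come from the file. A file of exactly 16384 bytes leaks nothing.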
### Workarounds
- No workaround is listed officially. Because the leak comes from the partially filled first 16KB buffer, it only affects files shorter than 16384 bytes, so an interim option is to pad every served static file to at least that size (for text assets, trailing whitespace or comments) or, more simply, to disable static file serving until the upgrade is done. Padding has to cover every file the server can serve, including assets added later, so treat it as a stopgap and verify it by checking that responses carry no bytes beyond their Content-Length.
## Detection
- Indicators of Compromise: Responses to requests for small static files whose bodies are longer than their declared Content-Length, with the extra bytes being binary or unrelated to the file; in access logs, bursts of repeated requests for the same tiny static file from one client (an attacker sampling the stack).
- Detection methods and tools: Request each static file under 16KB with a raw socket, or capture the traffic, then count the body bytes actually sent after the header block and compare with the declared Content-Length; any excess indicates an unpatched server. Ordinary HTTP clients stop reading at Content-Length and will not show the padding, so the check must look at the raw stream.
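The length comparison described above, as an added example (not part of the original report): a parser that takes the raw bytes of one HTTP response and reports how many body bytes exceed the declared Content-Length. It must be fed everything the server sent (a raw socket read until the server closes, or the reassembled stream from a packet capture), because client libraries stop at Content-Length. `LengthCheck`, `check_response` and the sample responses are all constructed for this example.

```cpp
// Added example, not part of the original report: a length check that a
// scanner can run over the raw bytes of an HTTP response for a small static
// file. It needs everything the server actually sent (a raw socket read until
// the server closes, or the reassembled stream from a packet capture); HTTP
// client libraries stop reading at Content-Length and would hide the padding.
// All responses used below are constructed samples.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

struct LengthCheck {
    bool parsed;    // false: not an HTTP response, or no numeric Content-Length
    long declared;  // Content-Length as declared by the server
    long received;  // body bytes actually present after the header block
    // > 0: server sent more than it declared (the Crowbleed signature);
    // < 0: capture shorter than declared; 0: consistent.
    long excess() const { return parsed ? received - declared : 0; }
};

static std::string trim(const std::string& s) {
    std::size_t b = 0, e = s.size();
    while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
    while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
    return s.substr(b, e - b);
}

// Header names are case-insensitive, so compare without regard to case.
static bool iequals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (std::size_t i = 0; i < a.size(); ++i)
        if (std::tolower(static_cast<unsigned char>(a[i])) !=
            std::tolower(static_cast<unsigned char>(b[i]))) return false;
    return true;
}

LengthCheck check_response(const std::string& raw) {
    LengthCheck r = {false, 0, 0};
    const std::size_t npos = std::string::npos;
    if (raw.compare(0, 5, "HTTP/") != 0) return r;
    std::size_t hdr_end = raw.find("\r\n\r\n");     // blank line ends the headers
    if (hdr_end == npos) return r;
    std::size_t pos = raw.find("\r\n") + 2;          // first header line
    long declared = -1;
    while (pos < hdr_end) {
        std::size_t eol = raw.find("\r\n", pos);
        if (eol == npos || eol > hdr_end) eol = hdr_end;
        std::string line = raw.substr(pos, eol - pos);
        std::size_t colon = line.find(':');
        if (colon != npos && iequals(trim(line.substr(0, colon)), "Content-Length")) {
            std::string value = trim(line.substr(colon + 1));
            if (value.empty() || value.size() > 18) return r;   // not a sane number
            for (std::size_t i = 0; i < value.size(); ++i)
                if (!std::isdigit(static_cast<unsigned char>(value[i]))) return r;
            declared = std::stol(value);
        }
        pos = eol + 2;
    }
    if (declared < 0) return r;                       // no Content-Length at all
    r.parsed = true;
    r.declared = declared;
    r.received = static_cast<long>(raw.size() - (hdr_end + 4));
    return r;
}

// Constructed sample response with the given Content-Length and body.
std::string sample_response(std::size_t declared, const std::string& body) {
    return "HTTP/1.1 200 OK\r\nContent-Length: " + std::to_string(declared) +
           "\r\nContent-Type: text/plain\r\n\r\n" + body;
}

// Constructed sample of the leak: an 11-byte file followed by the rest of a
// 16384-byte buffer ('S' stands in for stale stack contents).
std::string leaky_sample_body() {
    return "hello world" + std::string(16384 - 11, 'S');
}

int main() {
    LengthCheck ok = check_response(sample_response(11, "hello world"));
    LengthCheck bad = check_response(sample_response(11, leaky_sample_body()));
    std::cout << "clean response excess: " << ok.excess() << "\n";
    std::cout << "leaky response excess: " << bad.excess() << " (" << bad.received
              << " body bytes vs Content-Length " << bad.declared << ")\n";
    return 0;
}
```

A positive `excess()` on a small static file is the signature to alert on; a negative value usually means the capture was cut short and should be retried rather than counted as clean.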
## References
- Vendor response: the issue was fixed rapidly (patch merged on 2022-08-22).
- Relevant links (defanged):
  - https[:]//gynvael.coldwind.pl/?id=752 (original disclosure blog post)