CVE-2024-23771
Description
darkhttpd before 1.15 uses strcmp (which is not constant time) to verify authentication, which makes it easier for remote attackers to bypass authentication via a timing side channel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
darkhttpd before 1.15 uses non-constant-time strcmp for HTTP Basic auth, enabling timing side-channel attacks to bypass authentication.
Vulnerability
darkhttpd before version 1.15 used strcmp() to compare the Base64-encoded user:password token sent in the client's Authorization: Basic header against the Base64 key it precomputes from its configured --auth credentials [1]. strcmp() is not constant-time: it returns at the first differing byte, so the time it takes grows with the length of the prefix that already matches the key, which makes the check susceptible to timing side-channel attacks [2]. The affected versions are those prior to 1.15 [1].
Exploitation
An attacker with network access to the darkhttpd server can exploit this by measuring how long authentication attempts take to be rejected [2]. Because the comparison stops at the first wrong byte, a guess that matches a longer prefix of the Base64 key is rejected measurably later than one that fails on its first byte. By sending Basic auth headers that vary one position at a time and timing the responses, the attacker can recover the key byte by byte; the recovered Base64 string decodes directly to the configured user:password pair [2]. The per-byte difference is on the order of nanoseconds, so in practice each candidate byte needs many repeated measurements and statistical filtering, and the attack is far more practical from the same network segment than across the Internet.
Impact
Successful exploitation allows an attacker to recover the configured credentials and so pass HTTP Basic authentication, gaining access to protected resources without ever having been given the password. This could lead to unauthorized information disclosure or further compromise depending on the content served.
Mitigation
The vulnerability is fixed in darkhttpd version 1.15, released on December 6, 2022 [1]. The commit f477619d49f3c4de9ad59bd194265a48ddc03f04 replaced strcmp() with a constant-time password_equal() function [3]. Users should upgrade to version 1.15 or later.
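The early-exit comparison, the byte-by-byte recovery and the constant-time replacement described in the Vulnerability, Exploitation and Mitigation sections above, as an added example in C. This is illustration code written for this page, not darkhttpd's source or its password_equal(): the secret YWRtaW46aHVudGVyMg== is a constructed Base64 encoding of admin:hunter2, a deterministic byte-operation counter stands in for wall-clock time, and the function names (leaky_equal, constant_time_equal, recover_key) are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed secret: Base64 of "admin:hunter2", standing in for the key
 * darkhttpd derives from its configured user:password (example data). */
#define SECRET "YWRtaW46aHVudGVyMg=="

/* Alphabet the attacker iterates over: the Base64 character set plus '='. */
static const char B64_ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

/* Byte comparisons performed by the most recent call. This deterministic
 * counter models wall-clock time; a real attacker measures latency. */
static size_t g_steps;

typedef int (*cmp_fn)(const char *input, const char *secret);

/* strcmp-style equality: returns at the first differing byte, so the work
 * done (and time taken) grows with the length of the correctly guessed prefix. */
static int leaky_equal(const char *input, const char *secret) {
    g_steps = 0;
    for (;; input++, secret++) {
        g_steps++;
        if (*input != *secret) return 0;
        if (*input == '\0') return 1;
    }
}

/* Constant-time equality in the spirit of the 1.15 fix (this page's own
 * version, not darkhttpd's password_equal): walks the whole input and
 * ORs differences together, so the work depends only on the input's length. */
static int constant_time_equal(const char *input, const char *secret) {
    size_t i = 0, j = 0;
    unsigned char diff = 0;
    g_steps = 0;
    for (;;) {
        g_steps++;
        diff |= (unsigned char)input[i] ^ (unsigned char)secret[j];
        if (input[i] == '\0') break;
        i++;
        if (secret[j] != '\0') j++;  /* park on the terminator; never read past it */
    }
    return diff == 0;
}

/* Simulated timing attack. For each position, try every alphabet byte and
 * keep the one that makes the comparison do the most work. Stops when all
 * candidates cost the same (no signal) or the full key is accepted.
 * Returns the number of bytes recovered; the guess is left in out. */
static size_t recover_key(cmp_fn cmp, char *out, size_t out_size) {
    size_t pos = 0;
    out[0] = '\0';
    while (pos + 1 < out_size) {
        size_t best_steps = 0, worst_steps = (size_t)-1;
        char best = '\0';
        for (const char *c = B64_ALPHABET; *c != '\0'; c++) {
            out[pos] = *c;
            out[pos + 1] = '\0';
            cmp(out, SECRET);
            if (g_steps > best_steps) { best_steps = g_steps; best = *c; }
            if (g_steps < worst_steps) worst_steps = g_steps;
        }
        if (best_steps == worst_steps) {  /* oracle is flat: nothing leaks */
            out[pos] = '\0';
            return pos;
        }
        out[pos] = best;
        out[pos + 1] = '\0';
        if (cmp(out, SECRET)) return pos + 1;  /* server accepted the guess */
        pos++;
    }
    return pos;
}

static char g_guess[64];

/* Convenience wrapper: run the attack against one comparator. */
static size_t run_attack(cmp_fn cmp) {
    return recover_key(cmp, g_guess, sizeof g_guess);
}

int main(void) {
    size_t n;
    leaky_equal("YWRtaW46", SECRET);
    printf("strcmp-style, 8 bytes right: %zu steps\n", g_steps);
    leaky_equal("XWRtaW46", SECRET);
    printf("strcmp-style, 0 bytes right: %zu steps\n", g_steps);
    n = run_attack(leaky_equal);
    printf("leaky oracle recovered %zu bytes: %s\n", n, g_guess);
    n = run_attack(constant_time_equal);
    printf("constant-time oracle recovered %zu bytes\n", n);
    return 0;
}
```

Against leaky_equal the counter rises by one for every correct byte and the loop recovers all 20 bytes of the key; against constant_time_equal every candidate costs the same and the loop gives up at position 0. The counter is an idealised oracle: in a real deployment the attacker sees the same per-byte difference buried in network and scheduling jitter, and a constant-time compare is only as good as the compiled code, so the fix should be checked in the built binary rather than assumed from the source.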
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- darkhttpd/darkhttpd
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.