Howto modify AT commands to overcome a security issue?

ullixesp
Posts: 83
Joined: Wed Oct 16, 2019 9:34 am
Location: Germany

Howto modify AT commands to overcome a security issue?

Postby ullixesp » Sat Sep 18, 2021 11:45 am

I am using a device (a Geiger counter), which uses an ESP8266 for WiFi, acting as a client. Unfortunately, this device sends the GET request to the server with a CR termination, while it should use CRLF.

Apache sees this as a security risk, and rejects the request with "400 Bad Request" and logs it as "malformed request line" (https://httpd.apache.org/security/vul..., scroll to "important: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743)"). More discussion here: https://ask.wireshark.org/question/2431 ... d-request/

The AT command `<AT+GMR>` gives: `AT+GMR\r\r\nAT version:1.2.0.0(Jul 1 2016 20:04:45)\r\nSDK version:1.5.4.1 (39cb9a32) ... `. This seems to be pretty old, but, unfortunately, even if a newer one were available which delivers properly formed request lines, I can't use it, as the firmware is closed source.

I can, however, use AT commands on the device, and so I am wondering whether there is any way to modify how such request lines are formed using AT commands?

ullixesp
Posts: 83
Joined: Wed Oct 16, 2019 9:34 am
Location: Germany

Re: Howto modify AT commands to overcome a security issue?

Postby ullixesp » Tue Sep 21, 2021 8:48 am

The above link to the Apache security issue is broken. Here is the proper one:
https://httpd.apache.org/security/vulne ... es_24.html

By the way: the Apache fix of this security issue was released in Dec 2016, so it came after the release of this AP version. Does anyone know whether later ESP-AT releases fixed this problem as well, or does it still exist in the code?

Helen L
Posts: 71
Joined: Thu Aug 16, 2018 9:07 am

Re: Howto modify AT commands to overcome a security issue?

Postby Helen L » Fri Sep 24, 2021 2:05 am

I'm a little confused..I thought the HTTP was added to AT since 2020? https://github.com/espressif/esp-at/rel ... .0_esp8266

ullixesp
Posts: 83
Joined: Wed Oct 16, 2019 9:34 am
Location: Germany

Re: Howto modify AT commands to overcome a security issue?

Postby ullixesp » Mon Sep 27, 2021 9:39 am

The ESP-AT was able to do http calls since 2016 at the latest. Albeit with that request, which is considered "malformed" since Dec 2106 at the latest.

ESP_Alson
Posts: 106
Joined: Mon Mar 22, 2021 3:37 am

Re: Howto modify AT commands to overcome a security issue?

Postby ESP_Alson » Thu Dec 30, 2021 7:19 am

AT version:1.2. 0.0 is too old!

Here I recommend that you use the latest AT version v2.2.1.0 for ESP8266 series. You can download firmware from https://github.com/espressif/esp-at/rel ... .0_esp8266.

Who is online

Users browsing this forum: No registered users and 36 guests