This is really no surprise: embedded system vendors aren't good at carrying out quality assurance on their firmware images, and their embedded Web server software is what you'd expect from something written in the last 20 minutes of Friday afternoon.
And it'll be no surprise to The Register's readers that the bugs land in all sorts of stuff, from SOHOpeless broadband devices to CCTV cameras and VoIP phones.
That's the conclusion of researchers from Eurecom, in collaboration with Ruhr-University Bochum. Their study, on Arxiv here, tested Web interfaces in products from 54 vendors, and found that a quarter of those vendors had vulnerable implementations.
At the product level, things were marginally better. The researchers said that of 1,925 individual firmware products, buggy and insecure Web servers were present in 185 images.
The research found that cross-site scripting vulnerabilities were the most common, followed by file manipulation, and in third place, command injection.
The tool they created, they write, is designed to perform “full system emulation to achieve the execution of firmware images in a software-only environment, i.e., without involving any physical embedded devices.”
There are some caveats that apply to the study: so it was of manageable scope and scale, they focussed on firmware that they were able to obtain as an online download, and the research was biased toward ARM, MIPS and MIPSel firmware, to fit within their Debian-based QEMU emulation environment.
The Web server sources tested in the research included minihttpd, lighthttpd, boa, thttpd, and Empty Banner. ®