Boa HTTPd Basic Authentication Overflow #453

wants to merge 9 commits into


2 participants

mdietz94 commented Jun 6, 2012

Boa HTTP Server 0.93.x - 0.94.11 built with Intersil (i.e. common routers) allows denial of service or possibly authentication bypass via a Basic Authentication header with a user string greater than 127 characters. You must set the request URI to the directory that requires basic authentication. Depending on the version of the server either the administrator password will be overwritten in memory or the web server will be shut down.


wchen-r7 commented Jun 8, 2012

Hi there,

Could you please run msftidy.rb on your module? It will tell you which line should be corrected. Also, please make sure you're using hard tabs instead of spaces for indentation. You're using spaces mostly. When you're done, please remember to do another push for this branch.



wchen-r7 commented Jun 10, 2012

How do you configure basic auth for BOA? I see that there's a send_r_unauthorized() function defined in the source, but it's actually not used anywhere. This web server dev work looks incomplete.

The actual vulnerability is not inside Boa, but inside Intersil (a firmware boa frequently runs on) that are used for basic authentication by boa servers. It is used frequently on routers and the like. The page for Intersil is http://isl3893.sourceforge.net/ . If you are having problems testing it I can post some packet captures or something.


wchen-r7 commented Jun 10, 2012

Actually, yeah, a pcap would be great! Could you please e-mail it to msfdev[at]metasploit.com? Thanks!

Sounds great, I'm out of town and won't be back until Friday, so I should be able to send you the pcap file over the weekend.


wchen-r7 commented Jun 11, 2012

Wonderful, thanks! Holding it in the untested branch (aka the incomplete branch) for now, and then I'll move it to master once I get the pcap.



wchen-r7 commented Jun 11, 2012

Placed it in here for now:

Will reopen this weekend. Thanks again!

@wchen-r7 wchen-r7 closed this Jun 11, 2012

@wchen-r7 wchen-r7 reopened this Jun 16, 2012


wchen-r7 commented Jun 16, 2012

Got a pcap. Reopened.

@wchen-r7 wchen-r7 pushed a commit to wchen-r7/metasploit-framework that referenced this pull request Jun 17, 2012

@sinn3r sinn3r Add Intersil HTTP Basic auth pass reset (originally #453)
The modified version of pull request #453. This addresses a couple
of things including:
* Change the description to better explain what the vulnerability is.
  The advisory focuses the problem as an auth bypass, not DoS,
  although it can end up dosing the server.
* The title and filename are changed as a result of matching that
  advisory's description.
* Use 'TARGETURI' option instead of 'URI'.
* The reset attempt needs to check if the directory actually has
  401 in place, otherwise this may result in a false-positive.
* The last HTTP request needs to check a possible nil return value.
* More verbose outputs.

wchen-r7 commented Jun 17, 2012

Committed as #453: e72303a

@wchen-r7 wchen-r7 closed this Jun 17, 2012
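A detection-side sketch of the condition described in this pull request (a Basic Authentication user string longer than 127 characters), added here as an example; it is not code from the pull request or from Metasploit. The function names, the `router.example` host and the sample requests are constructed for illustration.

```ruby
require 'base64'

# Threshold from the PR description: user strings longer than 127 characters.
MAX_USER_LEN = 127

# Decoded user part of a Basic Authorization header value, or nil when the
# header is absent, uses another scheme, or is not valid base64.
def basic_auth_user(header_value)
  return nil unless header_value
  scheme, token = header_value.strip.split(/\s+/, 2)
  return nil unless scheme && scheme.casecmp('basic').zero? && token
  begin
    decoded = Base64.strict_decode64(token.strip)
  rescue ArgumentError
    return nil
  end
  decoded.split(':', 2).first.to_s
end

# Inspect one raw HTTP request; return a finding hash when the Basic auth
# user string exceeds MAX_USER_LEN bytes, otherwise nil.
def oversized_basic_user(raw_request)
  head = raw_request.b.split(/\r?\n\r?\n/, 2).first.to_s
  lines = head.split(/\r?\n/)
  request_line = lines.shift.to_s
  auth = lines.map { |l| l.split(':', 2) }
              .find { |name, _| name.to_s.strip.casecmp('authorization').zero? }
  user = basic_auth_user(auth && auth[1])
  return nil unless user && user.bytesize > MAX_USER_LEN
  { uri: request_line.split(' ')[1], user_len: user.bytesize }
end

# Constructed sample requests (not taken from the pcap mentioned in the thread).
def sample_request(uri, user, pass)
  token = Base64.strict_encode64("#{user}:#{pass}")
  "GET #{uri} HTTP/1.1\r\nHost: router.example\r\nAuthorization: Basic #{token}\r\n\r\n"
end

SAMPLES = [
  sample_request('/admin/', 'admin', 'secret'),         # normal login
  sample_request('/admin/', 'A' * 128, 'x'),            # one byte over the limit
  "GET /index.html HTTP/1.1\r\nHost: router.example\r\n\r\n",
  "GET /admin/ HTTP/1.1\r\nAuthorization: Basic !!!notbase64\r\n\r\n"
].freeze

def scan(requests)
  requests.map { |r| oversized_basic_user(r) }.compact
end

scan(SAMPLES).each { |f| puts "oversized Basic auth user (#{f[:user_len]} bytes) for #{f[:uri]}" }
```

The same length check can sit in a reverse proxy or log pipeline in front of affected devices, where the header is decoded before the request reaches the embedded web server.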
