Boa HTTPd Basic Authentication Overflow #453

Closed
wants to merge 9 commits into
from


mdietz94 commented Jun 6, 2012

Boa HTTP Server 0.93.x - 0.94.11 built with Intersil (i.e. common routers) allows denial of service or possibly authentication bypass via a Basic Authentication header with a user string greater than 127 characters. You must set the request URI to the directory that requires basic authentication. Depending on the version of the server either the administrator password will be overwritten in memory or the web server will be shut down.

Contributor

wchen-r7 commented Jun 8, 2012

Hi there,

Could you please run msftidy.rb on your module? It will tell you which line should be corrected. Also, please make sure you're using hard tabs instead of spaces for indentation. You're using spaces mostly. When you're done, please remember to do another push for this branch.

Thanks.

Contributor

wchen-r7 commented Jun 10, 2012

How do you configure basic auth for BOA? I see that there's a send_r_unauthorized() function defined in the source, but it's actually not used anywhere. This web server dev work looks incomplete.

The actual vulnerability is not inside Boa, but inside Intersil (a firmware Boa frequently runs on) that is used for basic authentication by Boa servers. It is used frequently on routers and the like. The page for Intersil is http://isl3893.sourceforge.net/. If you are having problems testing it I can post some packet captures or something.

Contributor

wchen-r7 commented Jun 10, 2012

Actually, yeah, a pcap would be great! Could you please e-mail it to msfdev[at]metasploit.com? Thanks!

Sounds great, I'm out of town and won't be back until Friday, so I should be able to send you the pcap file over the weekend.

Contributor

wchen-r7 commented Jun 11, 2012

Wonderful, thanks! Holding it in the untested branch (aka the incomplete branch) for now, and then I'll move it to master once I get the pcap.

Cheers!

Contributor

wchen-r7 commented Jun 11, 2012

Placed it in here for now:
https://github.com/rapid7/metasploit-framework/blob/unstable/unstable-modules/auxiliary/boa_auth_dos.rb

Will reopen this weekend. Thanks again!

@wchen-r7 wchen-r7 closed this Jun 11, 2012

@wchen-r7 wchen-r7 reopened this Jun 16, 2012

Contributor

wchen-r7 commented Jun 16, 2012

Got a pcap. Reopened.

@wchen-r7 wchen-r7 pushed a commit to wchen-r7/metasploit-framework that referenced this pull request Jun 17, 2012

@sinn3r sinn3r Add Intersil HTTP Basic auth pass reset (originally #453)
The modified version of pull request #453. This addresses a couple
of things including:
* Change the description to better explain what the vulnerability is.
  The advisory focuses on the problem as an auth bypass, not DoS,
  although it can end up dosing the server.
* The title and filename are changed as a result of matching that
  advisory's description.
* Use 'TARGETURI' option instead of 'URI'.
* The reset attempt needs to check if the directory actually has
  401 in place, otherwise this may result in a false-positive.
* The last HTTP request needs to check a possible nil return value.
* More verbose outputs.
e72303a
Contributor

wchen-r7 commented Jun 17, 2012

Committed as #453: e72303a

@wchen-r7 wchen-r7 closed this Jun 17, 2012
