Boa Web Server v0.94.14 – Authentication Bypass

  • Author: George Tsimpidas
    Date: 2023-03-30
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51139/
    # Exploit Title: Boa Web Server v0.94.14 - Authentication Bypass
    # Date: 19-11-2022
    # Exploit Author: George Tsimpidas
    # Vendor: https://github.com/gpg/boa
    # CVE: N/A
    # Tested on: Debian 5.18.5
    
    Description :
    
    Boa Web Server versions 0.94.13 through 0.94.14 fail to apply the
    correct security constraint to the HTTP HEAD method, allowing anyone
    to bypass the Basic Authorization mechanism.
    
    Culprit :
    
    if (!memcmp(req->logline, "GET ", 4))
        req->method = M_GET;
    else if (!memcmp(req->logline, "HEAD ", 5))
        /* head is just get w/no body */
        req->method = M_HEAD;
    else if (!memcmp(req->logline, "POST ", 5))
        req->method = M_POST;
    else {
        log_error_doc(req);
        fprintf(stderr, "malformed request: \"%s\"\n", req->logline);
        send_r_not_implemented(req);
        return 0;
    }
    
    The value set by req->method = M_HEAD; is then checked directly in the
    response.c file. Looking at how the method is handled in one of the
    response code functions:
    
    /* R_NOT_IMP: 505 */
    void send_r_bad_version(request * req)
    {
        SQUASH_KA(req);
        req->response_status = R_BAD_VERSION;
        if (!req->simple) {
            req_write(req, "HTTP/1.0 505 HTTP Version Not Supported\r\n");
            print_http_headers(req);
            req_write(req, "Content-Type: " HTML "\r\n\r\n"); /* terminate header */
        }
        if (req->method != M_HEAD) {
            req_write(req,
                      "<HTML><HEAD><TITLE>505 HTTP Version Not Supported</TITLE></HEAD>\n"
                      "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP versions "
                      "other than 0.9 and 1.0 "
                      "are not supported in Boa.\n<p><p>Version encountered: ");
            req_write(req, req->http_version);
            req_write(req, "<p><p></BODY></HTML>\n");
        }
        req_flush(req);
    }
    
    
    The condition if (req->method != M_HEAD) in the code above means that
    only when the requested method is not M_HEAD does the server write the
    response body:

        if (req->method != M_HEAD) {
            req_write(req,
                      "<HTML><HEAD><TITLE>505 HTTP Version Not Supported</TITLE></HEAD>\n"
                      "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP versions "
                      "other than 0.9 and 1.0 "
                      "are not supported in Boa.\n<p><p>Version encountered: ");
            req_write(req, req->http_version);
            req_write(req, "<p><p></BODY></HTML>\n");
        }
    
    So when the request method is HEAD, this check is passed through in
    every one of the functions that implement the response codes, and the
    response body is never written.
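    As an added defender-side example (not part of the original advisory), the following
    check scans an access log for the behaviour described above: HEAD requests to a
    Basic-Authorization-protected path that were answered 200 with no authenticated user
    recorded. It assumes the log is in Common Log Format and that the protected path
    prefixes are known; the sample lines are constructed.

```python
import re

# Constructed sample access-log lines (assumption: Common Log Format, as written
# by a small web server such as Boa); they are not real captures.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Nov/2022:10:00:01 +0000] "GET /admin/ HTTP/1.0" 401 0
192.0.2.10 - - [19/Nov/2022:10:00:02 +0000] "HEAD /admin/ HTTP/1.0" 200 0
192.0.2.11 - alice [19/Nov/2022:10:00:03 +0000] "GET /admin/ HTTP/1.0" 200 512
192.0.2.12 - - [19/Nov/2022:10:00:04 +0000] "HEAD /index.html HTTP/1.0" 200 0
not a log line
192.0.2.13 - - [19/Nov/2022:10:00:05 +0000] "HEAD /admin/config HTTP/1.1" 200 0
"""

# CLF fields: host ident user [time] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$')

# Assumed: path prefixes the server protects with Basic Authorization.
PROTECTED_PREFIXES = ("/admin/",)

def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_protected(path):
    return any(path.startswith(p) for p in PROTECTED_PREFIXES)

def find_head_bypass(log_text):
    """Flag HEAD requests to a protected path answered 200 with no authenticated
    user logged. A server that enforces Basic Authorization on HEAD exactly as
    on GET would have answered 401 instead. Returns (line_no, host, path)."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_clf(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        if (rec["method"] == "HEAD" and rec["status"] == 200
                and rec["user"] == "-" and is_protected(rec["path"])):
            findings.append((n, rec["host"], rec["path"]))
    return findings
```

    Run it over the server's real access log with the site's own protected prefixes; any hit is either a successful bypass on an unpatched 0.94.13/0.94.14 build or a misconfigured constraint, and both deserve a look.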