CVE-2007-4915
published 2007-09-17


Priority: P267, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 67.65% (99.2th percentile)
The Intersil isl3893 extensions for Boa 0.93.15, as used on the FreeLan RO80211G-AP and other devices, do not prevent stack writes from entering memory locations used for string constants, which allows remote attackers to change the admin password stored in memory via a long username in an HTTP Basic Authentication request.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
boa | boa_webserver | |

Detection & IOCs (extracted from sources)

urlhttp://192.168.0.1/home/index.shtml
path/home/index.shtml
commandUSERNAME = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
versionBoa/0.93.15
  • Detect HTTP Basic Authentication requests where the username field exceeds 127 bytes in length, targeting Boa 0.93.x–0.94.11 servers with Intersil extensions.
  • Monitor for HTTP Basic Auth requests where the Authorization header username is a long repeated-character string (e.g., 127+ 'a' characters), indicative of a memory overwrite attempt.
  • The exploit targets the realm string 'LOGIN(default username & password is admin)'. Alert on Basic Auth attempts against servers presenting this exact realm string (it appears in the server's WWW-Authenticate challenge), as it is specific to vulnerable Intersil-extended Boa devices.
  • The attack may also produce a denial-of-service condition on the target device; correlate authentication failures or device unresponsiveness with oversized Basic Auth username fields.
  • Ensure the monitored URI is the directory requiring Basic Authentication; the exploit specifically targets protected paths such as /home/index.shtml.
  • This vulnerability only affects Boa builds that include the Intersil isl3893 extensions; stock Boa installations are not vulnerable.
  • The exploit overwrites the admin password in memory (not on disk); a device reboot may restore the original password, but the attacker gains temporary unauthorized access.
  • The default target IP used in public exploit code is 192.168.0.1 (typical LAN gateway address for affected devices such as the FreeLan RO80211G-AP); detections should not be limited to this address.
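
One way to implement the username-length check from the detection notes above, as an added example (not code from this page or from the Boa project). It decodes the Basic Authorization header, flags usernames of 127 bytes or more, and marks single-character filler; the function names, the tuple layout of the input and the sample requests are assumptions constructed for illustration.

```python
import base64
import binascii

USERNAME_LIMIT = 127  # threshold from the page's detection notes ("127+"); tune as needed


def inspect_basic_auth(header_value, limit=USERNAME_LIMIT):
    """Return a list of findings for one Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return []  # other schemes are out of scope for this check
    try:
        decoded = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return ["malformed-base64"]
    # RFC 7617: the user-id is everything before the first colon.
    username, _, _password = decoded.partition(b":")
    findings = []
    if len(username) >= limit:
        findings.append("oversized-username")
        if len(set(username)) == 1:  # one byte value repeated, e.g. all 'a'
            findings.append("repeated-character-filler")
    return findings


def scan_requests(requests, limit=USERNAME_LIMIT):
    """requests: iterable of (src_ip, path, authorization_header) tuples."""
    alerts = []
    for src, path, auth in requests:
        findings = inspect_basic_auth(auth, limit)
        if findings:
            alerts.append({"src": src, "path": path, "findings": findings})
    return alerts


def make_basic(user, password):
    """Build a Basic header value from raw bytes (helper for the samples)."""
    return "Basic " + base64.b64encode(user + b":" + password).decode("ascii")


# Constructed sample traffic, not captured from a real device.
SAMPLE = [
    ("10.0.0.5", "/home/index.shtml", make_basic(b"admin", b"admin")),
    ("10.0.0.9", "/home/index.shtml", make_basic(b"a" * 127, b"x")),
    ("10.0.0.7", "/home/index.shtml", make_basic(b"u" * 60 + b"v" * 80, b"")),
    ("10.0.0.8", "/home/index.shtml", "Basic !!!not-base64!!!"),
    ("10.0.0.6", "/home/index.shtml", "Bearer abc.def.ghi"),
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE):
        print(alert)
```

The check is keyed on the decoded username length rather than on the source or destination address, so it applies to any host running the affected build.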