rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Add in CVE-2017-9833 and CVE-2021-33558 #17302

Closed gwillcox-r7 closed 1 year ago

gwillcox-r7 commented 1 year ago

Summary

These two CVEs have been found in the now discontinued Boa web server; however, according to https://securityaffairs.co/wordpress/138916/hacking/boa-web-servers-attacks.html the Boa web server has seen attacks against it as late as 2020, even after the server was discontinued in 2005.

It would be ideal to include checks for this as part of the framework in order to allow users to identify if they are vulnerable and the risk should they be compromised, and for pentesters to better identify if this is part of the networks they are testing.

Basic example

The description of CVE-2017-9833 at https://nvd.nist.gov/vuln/detail/CVE-2017-9833 mentions that BOA Webserver 0.94.14rc21, the latest development version prior to the project being discontinued, allows directory traversal via the FILECAMERA GET parameter in /cgi-bin/wapopen, which can be used to read files with root privileges. There is exploit PoC code for this at https://www.exploit-db.com/exploits/42290.

The other bug, aka CVE-2021-33558, is similar in that it allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. It appears, given the CVE details, that this is exploitable as an unauthenticated attacker over the network. There is some basic info at https://github.com/mdanzaruddin/CVE-2021-33558. which explains this bug (yes, that period does need to be in the path name, idk why).

Motivation

To provide better coverage of bugs that are likely to be or have been exploited in the wild within Metasploit Framework.
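As an added illustration of the defensive side of the two issues described above (this is example code written for this page, not part of the Metasploit Framework or the issue author's work), the script below runs over web server access log lines and flags requests that match the two patterns: a FILECAMERA value for /cgi-bin/wapopen containing a `..` path segment (CVE-2017-9833) and direct fetches of the unauthenticated files listed for CVE-2021-33558. It assumes the NCSA common log format; the sample log lines are constructed and the client addresses are documentation-range placeholders. A request to wapopen with an ordinary file name is deliberately left unflagged, and percent-encoded traversal is decoded before the check.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Files the CVE-2021-33558 description lists as readable without authentication
EXPOSED_FILES = {
    "backup.html", "preview.html", "js/log.js", "log.html",
    "email.html", "online-users.html", "config.js",
}
TRAVERSAL_CGI = "/cgi-bin/wapopen"  # CVE-2017-9833 endpoint
TRAVERSAL_PARAM = "FILECAMERA"      # CVE-2017-9833 parameter

# NCSA common log format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (assumption: not captured from any real server)
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - - [10/Oct/2020:13:55:40 +0000] "GET /cgi-bin/wapopen?FILECAMERA=../../etc/passwd HTTP/1.1" 200 1843
192.0.2.12 - - [10/Oct/2020:13:56:01 +0000] "GET /cgi-bin/wapopen?FILECAMERA=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 911
192.0.2.13 - - [10/Oct/2020:13:56:09 +0000] "GET /config.js HTTP/1.1" 200 2210
192.0.2.14 - - [10/Oct/2020:13:56:15 +0000] "GET /online-users.html HTTP/1.1" 404 0
192.0.2.15 - - [10/Oct/2020:13:57:00 +0000] "GET /cgi-bin/wapopen?FILECAMERA=cam1.jpg HTTP/1.1" 200 40211
"""


def has_traversal(value):
    """True if a decoded FILECAMERA value contains a '..' path segment."""
    return any(seg == ".." for seg in re.split(r"[/\\]+", value))


def classify(line):
    """Return (cve, client, status) for a request matching either pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    status = int(m["status"])
    if url.path == TRAVERSAL_CGI:
        # parse_qs percent-decodes once, so %2e%2e%2f becomes ../ before the check
        for value in parse_qs(url.query).get(TRAVERSAL_PARAM, []):
            if has_traversal(value):
                return ("CVE-2017-9833", m["client"], status)
        return None  # ordinary wapopen request, not flagged
    if url.path.lstrip("/") in EXPOSED_FILES:
        # status tells the reviewer whether the file was actually served (200) or not
        return ("CVE-2021-33558", m["client"], status)
    return None


def scan(log_text):
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for cve, client, status in scan(SAMPLE_LOG):
        print(f"{cve}: {client} -> HTTP {status}")
```

A 404 on one of the listed files still shows up, since the request itself indicates someone probing for the misconfiguration; the status lets a responder separate attempts from successful reads.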

gwillcox-r7 commented 1 year ago

Whoops, forgot to mention the server and its downloads are available at the official server website at http://www.boa.org/

space-r7 commented 1 year ago

I'm not sure that writing a module for these two vulnerabilities will be trivial. It looks like the /cgi-bin/wapopen path that's referenced for CVE-2017-9833 is part of IP CCTV Camera software from what I could find, and I'm not sure it would be easy to determine whether arbitrary software is being served by Boa web server. Looks like a similar situation for CVE-2021-33558.

smcintyre-r7 commented 1 year ago

This is pretty old at this point so I'm going to close this issue out in favor of more recent vulnerabilities.