Long Live Traversals and LFI

Ladies and gentlemen,

I have gathered you here today to discuss the life of another fallen one. It is with great sadness that we announce the LFI on the Boa web server. Boa is a favorite among many who run embedded *nix systems and use it as a web server because of its efficiency, but alas, it has found a slay point.

In regard to CVE-2017-9833: it suffers from an LFI in one of its parameters. The thing runs as root, so yes, we don't stop at passwd, we go all the way to the shadow 🙁 but why?

Finding Targets

They can be found via the web server signature on Shodan or the indexed URLs on Google.

On Google, it can be found using the dork below:

inurl:/cgi-bin/wapopen?

On Shodan it can be found using the search below:

Boa/0.94.14rc21

Attack Workflow

The attack follows a very simple workflow on Boa.

  • Provide URL
  • Check if the /cgi-bin/wapopen path is accessible
  • If this is affirmative simply include payloads and start attacking
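
Seen from the defender's side, the same workflow leaves a recognisable trace in the web server's access log. The following is an added example, not code from the original post or from the Boa project: it flags requests to /cgi-bin/wapopen whose query parameters carry a traversal sequence or an absolute path. It assumes the log is in Common Log Format; the sample lines are constructed and the parameter names in them are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

CGI_PATH = "/cgi-bin/wapopen"  # CGI path named in the post
SENSITIVE = ("/etc/passwd", "/etc/shadow")  # files the post mentions
# Assumption: the access log is in Common Log Format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded '..' is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Names of wapopen query parameters that carry a file path."""
    parts = urlsplit(target)
    if fully_unquote(parts.path).rstrip("/") != CGI_PATH:
        return []
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_unquote(raw).replace("\\", "/")
        if (TRAVERSAL_RE.search(value) or value.startswith("/")
                or any(s in value for s in SENSITIVE)):
            hits.append(name)
    return hits

def scan(lines):
    """Return (client_ip, status, parameter_names) for each flagged line."""
    found = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and (hits := suspicious_params(m["target"])):
            found.append((m["ip"], int(m["status"]), hits))
    return found

# Constructed sample log lines; the parameter names are hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2018:10:00:00 +0000] "GET /cgi-bin/wapopen?page=status HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2018:10:00:05 +0000] "GET /cgi-bin/wapopen?name=../../../etc/passwd HTTP/1.1" 200 1480',
    '198.51.100.7 - - [01/Jan/2018:10:00:09 +0000] "GET /cgi-bin/wapopen?name=%252e%252e%252fetc%252fshadow HTTP/1.1" 200 950',
    '192.0.2.10 - - [01/Jan/2018:10:01:00 +0000] "GET /index.html?next=/home HTTP/1.1" 200 300',
]
```

A flagged line with status 200 deserves priority, because the server runs as root and the response may have contained the requested file.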

 
Exploiting Boa Webserver
The exploit that follows this workflow can be found on GitHub.

 
