Ladies and gentlemen,
I have gathered you here today to discuss the life of another fallen one. It is with great sadness that we announce an LFI (local file inclusion) in the Boa web server. Boa is a favorite among those running embedded *nix systems, chosen as a web server for its efficiency, but alas it has found a slay point.
Regarding CVE-2017-9833: Boa suffers an LFI in one of its parameters. The server runs as root, so yes, we don't stop at passwd; we go all the way to shadow 🙁 But why?
Affected servers can be found via the web server signature on Shodan or the indexed URLs on Google.
On Google, they can be found using the dork below:
On Shodan, they can be found using the search below:
The attack follows a very simple workflow on Boa.
- Provide URL
- Check if the /cgi-bin/wapopen path is accessible
- If it is, simply include payloads and start attacking
The exploit that follows this workflow can be found on GitHub.
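Seen from the defender's side, the workflow above leaves a recognizable trace: requests to /cgi-bin/wapopen whose query values resolve to a path outside the web root. The following is an added example, not code from this post or from the Boa project; it assumes access logs in Common Log Format, and the parameter names, IP addresses and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

VULN_PATH = "/cgi-bin/wapopen"             # path named in the post
SENSITIVE = ("/etc/passwd", "/etc/shadow")  # files the post mentions
# Assumption: Common Log Format; adjust the pattern to your log layout.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %252e%252e is still seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (ip, status, reason) for a suspicious wapopen request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if fully_decode(url.path).rstrip("/") != VULN_PATH:
        return None
    # Check every parameter rather than one name, so renamed or extra
    # parameters carrying a path are caught as well.
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(raw).replace("\\", "/")
        if any(s in value for s in SENSITIVE):
            return (m["ip"], m["status"], f"sensitive file in '{name}'")
        if "../" in value or value.startswith("/"):
            return (m["ip"], m["status"], f"path traversal in '{name}'")
    return None

def scan(lines):
    """Findings for all lines; a 200 status deserves the first look."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges, made-up parameters).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/wapopen?view=cam1 HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "GET /cgi-bin/wapopen?file=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200 1400',
    '198.51.100.7 - - [01/Jan/2024:10:02:12 +0000] "GET /cgi-bin/wapopen?file=%252e%252e%252fconf HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, status, reason in scan(SAMPLE_LOG):
        print(f"{ip} status={status} {reason}")
```

A hit with status 200 on a device that runs the server as root should be treated as a likely credential disclosure, not just a probe.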