Ladies and gentlemen,
I have gathered you here today to discuss the life of another fallen one. It is with great sadness that we announce the LFI in the Boa web server. Boa is a favorite web server on embedded *nix systems because of its efficiency, but alas it has found its slay point.
CVE-2017-9833 is a local file inclusion (LFI) in one of its parameters. The thing runs as root, so yes, we don't stop at passwd, we go all the way to shadow 🙁 but why???
Finding Targets
They can be found via the web server signature on Shodan or the indexed URLs on Google.
On Google it can be found using the dork below:
inurl:/cgi-bin/wapopen?
On Shodan it can be found using the search below:
Boa/0.94.14rc21
Attack Workflow
The attack follows a very simple workflow on Boa.
- Provide URL
- Check if the /cgi-bin/wapopen path is accessible
- If it is, simply include payloads and start attacking
The exploit that follows this workflow can be found on GitHub.
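
Seen from the defender's side, the workflow above leaves requests to /cgi-bin/wapopen in the web server's access log. The following is an added example (not part of the original post or of the exploit it mentions) that flags such requests when a query value carries traversal sequences, a null byte, or a reference to passwd/shadow; the combined log format, the sample lines and the parameter names are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote

CGI_PATH = "/cgi-bin/wapopen"             # endpoint named on this page
SENSITIVE = ("etc/passwd", "etc/shadow")  # files named on this page
LOG_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*" (\d{3})')  # assumed combined log format

# Constructed sample lines; VIEW and PAGE are placeholder parameter names.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2017:10:01:02 +0000] "GET /cgi-bin/wapopen?VIEW=cam1&PAGE=auto.htm HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2017:10:04:41 +0000] "GET /cgi-bin/wapopen?VIEW=cam1&PAGE=../../etc/passwd%00 HTTP/1.1" 200 1833',
    '198.51.100.23 - - [12/Jun/2017:10:05:09 +0000] "GET //cgi-bin/./wapopen?PAGE=%252e%252e%252fetc%252fshadow HTTP/1.1" 404 0',
    '192.0.2.55 - - [12/Jun/2017:10:06:30 +0000] "GET /index.html?x=../ HTTP/1.1" 404 0',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is still recognised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def reasons_for(value):
    """Return the list of reasons a single query value looks like file inclusion."""
    v = decode_fully(value).replace("\\", "/")
    checks = {
        "traversal": "../" in v or v.endswith(".."),
        "null-byte": "\x00" in v,
        "sensitive-file": any(s in posixpath.normpath(v) for s in SENSITIVE),
    }
    return [name for name, hit in checks.items() if hit]

def scan(lines):
    """Return (client, param, reasons, served) for suspicious wapopen requests."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        client, target, status = m.groups()
        raw_path, _, query = target.partition("?")
        path = posixpath.normpath(re.sub(r"/+", "/", decode_fully(raw_path)))
        if path != CGI_PATH:
            continue  # only the endpoint this page discusses
        for name, value in parse_qsl(query, keep_blank_values=True):
            found = reasons_for(value)
            if found:
                hits.append((client, name, found, status == "200"))
    return hits
```

Feed `scan()` the lines of an access log; a hit whose last field is `True` was answered with status 200 and should be triaged first.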