Boa Webserver on DASAN H660RM devices with firmware 1.03-0022 saves post data, including credentials, to /tmp/boa-temp

Boa Webserver on DASAN H660RM devices with firmware 1.03-0022 (and possibly other) saves post data, including credentials, to /tmp/boa-temp. Moreover this file is not sanitized after request has been processed, which allow retrieval of login credential possible until another POST request is made.

This vulnerability was assigned CVE-2019-9976.


CWE-377: Insecure Temporary File weakness exists in Boa Webserver. Exploitation requires ability to login on device. This could be accomplished using CVE-2019-8950.

Exploitation is possible for users logged in over telnet of SSH. If user logged though Web UI and until he make any other POST request, his credentials can be retrieved with:

$ cat /tmp/boa-temp
StatusActionFlag=-1&Username=admin&Password=vertex25

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

  

  

  

This site uses Akismet to reduce spam. Learn how your comment data is processed.