Multiple D-Link Routers UPnP Remote Stack Overflow Vulnerability

Vulnerability ID: 1110622    Vulnerability type: Buffer overflow
Published: 2006-07-17    Updated: 2006-08-15
CVE: CVE-2006-3687    CNNVD-ID: CNNVD-200607-297
Platform: Hardware    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/28230
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-297
|Vulnerability details
D-Link is a networking company founded by Taiwan's D-Link Group, focused on the research, development, manufacturing and marketing of LAN, broadband, wireless and voice networking products and related equipment. The UPnP implementation in various wired and wireless D-Link routers contains a stack overflow vulnerability that remote attackers may exploit to take control of the device. If an attacker can send an M-SEARCH request with an overly long parameter (roughly 800 bytes) to the LAN interface of a vulnerable D-Link device, a stack overflow is triggered, leading to reliable execution of arbitrary instructions. The attack does not affect network connectivity and leaves no visible indication. In some cases a soft reboot of the device may be required, causing a temporary loss of connectivity.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/19006/info

D-Link wired and wireless routers are prone to a buffer-overflow vulnerability because these devices fail to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Successful exploits can allow remote attackers to execute arbitrary machine code in the context of the affected device.

Attackers can exploit this issue by sending a request of the form:

M-SEARCH <800 byte string> HTTP/1.0

to UDP port 1900.
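The request form above is what a defender can watch for on the LAN: a legitimate SSDP M-SEARCH request line carries the target "*" and nothing like an 800-byte token. The following Python is an added detection example, not code from the advisory or from D-Link; it inspects captured UDP/1900 datagrams (the capture mechanism, the 256-byte threshold and the sample payloads are assumptions of this example) and flags request lines whose target is abnormally long or malformed.

```python
"""Flag SSDP M-SEARCH request lines that match the over-long target pattern.

Added example for the advisory above, not the advisory's own code. Assumes
the raw datagram payload (from a UDP/1900 listener, a pcap, or an IDS hook)
is handed to inspect_ssdp_datagram() as bytes.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a well-formed M-SEARCH target is "*"; anything longer than a
# short token is anomalous. The threshold sits well below the ~800-byte size
# described in the advisory so the detector fires before that size is reached.
MAX_TARGET_LEN = 256


@dataclass
class Finding:
    reason: str
    target_len: int


def inspect_ssdp_datagram(payload: bytes) -> Optional[Finding]:
    """Return a Finding for a suspicious M-SEARCH request line, else None."""
    # SSDP is HTTP over UDP: the request line ends at the first line break.
    end = payload.find(b"\n")
    request_line = (payload if end == -1 else payload[:end]).rstrip(b"\r")

    # Only M-SEARCH is relevant to this bug; NOTIFY and responses are ignored.
    if not request_line.startswith(b"M-SEARCH "):
        return None

    parts = request_line.split(b" ")
    # Expected shape: M-SEARCH <target> HTTP/1.x
    if len(parts) < 3:
        return Finding("malformed M-SEARCH request line", len(request_line))

    # Everything between the method and the version is the target; joining
    # tolerates padding that happens to contain spaces.
    target = b" ".join(parts[1:-1])
    if len(target) > MAX_TARGET_LEN:
        return Finding("over-long M-SEARCH request target", len(target))
    if target != b"*":
        return Finding("non-standard M-SEARCH request target", len(target))
    return None


def scan_datagrams(datagrams: List[bytes]) -> List[Tuple[int, Finding]]:
    """Run the inspector over a batch and return (index, finding) pairs."""
    results = []
    for idx, payload in enumerate(datagrams):
        finding = inspect_ssdp_datagram(payload)
        if finding is not None:
            results.append((idx, finding))
    return results


# Constructed sample datagrams (not captured traffic).
LEGIT_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 2\r\n"
    b"ST: ssdp:all\r\n\r\n"
)
# Mirrors the request form in the advisory: an ~800-byte token as the target.
SUSPECT_MSEARCH = b"M-SEARCH " + b"A" * 800 + b" HTTP/1.0\r\n\r\n"
NOTIFY_MSG = b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n"

if __name__ == "__main__":
    for idx, finding in scan_datagrams([LEGIT_MSEARCH, SUSPECT_MSEARCH, NOTIFY_MSG]):
        print(f"datagram {idx}: {finding.reason} (target length {finding.target_len})")
```

In a network monitor the same check belongs on the UDP/1900 multicast and unicast paths of the LAN segment, since the advisory notes the attack leaves no other visible trace; the finding's target length gives responders a quick way to distinguish a padded request from a merely unusual client.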
|References

Source: US-CERT
Name: VU#971705
Link: http://www.kb.cert.org/vuls/id/971705
Source: XF
Name: dlink-upnp-bo(27755)
Link: http://xforce.iss.net/xforce/xfdb/27755
Source: BID
Name: 19006
Link: http://www.securityfocus.com/bid/19006
Source: BUGTRAQ
Name: 20060722 RE: [EEYEB-20060227] D-Link Router UPNP Stack Overflow
Link: http://www.securityfocus.com/archive/1/archive/1/440852/100/100/threaded
Source: BUGTRAQ
Name: 20060717 [EEYEB-20060227] D-Link Router UPNP Stack Overflow
Link: http://www.securityfocus.com/archive/1/archive/1/440298/100/0/threaded
Source: VUPEN
Name: ADV-2006-2829
Link: http://www.frsirt.com/english/advisories/2006/2829
Source: MISC
Link: http://www.eeye.com/html/research/advisories/AD20060714.html
Source: SECTRACK
Name: 1016511
Link: http://securitytracker.com/id?1016511
Source: SECUNIA
Name: 21081
Link: http://secunia.com/advisories/21081
Source: OSVDB
Name: 27333
Link: http://www.osvdb.org/27333
Source: FULLDISC
Name: 20060717 [EEYEB-20060227] D-Link Router UPNP Stack Overflow
Link: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0363.html