Message-ID: <002e01c35147$19fbb500$230b240a@corp.paetec.com>
From: bill.noren at paetec.com (bill.noren@...tec.com)
Subject: Cisco Bug 44020 - Final Thoughts
I thought I'd share the final results of my testing of the recent Cisco
exploit with the list here. I had the concern that the new IOS versions
released by Cisco would be immune to the original exploit but may not cover
variants or other protocols that are susceptible. I recompiled the exploit
code in such a way as to run through all protocol numbers from 1 to 1024 and
ran that against my test router; a 2611 running IOS 12.1(16). I realize
that the field that contains the protocol number is 8 bits in length so
anything above 255 is academic but the results were interesting. I
witnessed failures on the following port numbers: 53, 55, 77, 103, 309 and
823. I did NOT get a failure on protocol 46 as someone else here suggested
(do you have details on that?). Note that if you only count the rightmost
8 bits of 309 and 823, they are the same as 53 and 55 respectively so
there's probably a couple more numbers that also cause the failure.
I then upgraded my router to IOS 12.1(20)GD and ran my tests again looking
for any sign of the vulnerability. The patch appears to work well and I
didn't find anything of note afterward except that the router seemed to
handle the input queue more efficiently.
Cheers,
-Bill
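
An added example, not part of the original message or of the exploit code it mentions: a C sketch of how a 1 to 1024 sweep collapses onto the 8-bit IPv4 protocol field, listing which sweep values reach the wire as each of the failing values the message gives below 256. The function names are hypothetical, and it assumes the sweep counter is truncated to its low 8 bits when stored in the header.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: the sweep counter is stored into the 8-bit protocol field
 * by truncation, consistent with 309 and 823 acting like 53 and 55. */
static uint8_t wire_protocol(unsigned sweep_value)
{
    return (uint8_t)(sweep_value & 0xFFu);
}

/* Store sweep values in [lo, hi] that reach the wire as proto; return the total. */
static int aliases_of(uint8_t proto, unsigned lo, unsigned hi,
                      unsigned *out, int max)
{
    int n = 0;
    for (unsigned v = lo; v <= hi; v++) {
        if (wire_protocol(v) == proto) {
            if (n < max) out[n] = v;
            n++;
        }
    }
    return n;
}

/* Number of distinct protocol values the sweep actually exercised. */
static int distinct_wire_values(unsigned lo, unsigned hi)
{
    uint8_t seen[256] = {0};
    int count = 0;
    for (unsigned v = lo; v <= hi; v++) {
        uint8_t p = wire_protocol(v);
        if (!seen[p]) { seen[p] = 1; count++; }
    }
    return count;
}

int main(void)
{
    const uint8_t reported[] = {53, 55, 77, 103}; /* values from the message */
    unsigned buf[8];
    printf("distinct wire values in 1..1024: %d\n", distinct_wire_values(1, 1024));
    for (size_t i = 0; i < sizeof reported; i++) {
        int n = aliases_of(reported[i], 1, 1024, buf, 8);
        printf("protocol %3u <-", (unsigned)reported[i]);
        for (int j = 0; j < n && j < 8; j++) printf(" %u", buf[j]);
        printf("\n");
    }
    return 0;
}
```

Under that assumption each 8-bit value is hit four times by the sweep, so a regression test of a fixed image only needs the 256 distinct values.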