Message-ID: <440DCC9C.20703@arhont.com>
Date: Tue Mar  7 18:10:45 2006
From: mlists at arhont.com (Konstantin V. Gavrilenko)
Subject: Cisco PIX embryonic state machine 1b data DoS

Arhont Ltd - Information Security

Arhont Advisory by:  Konstantin V. Gavrilenko (http://www.arhont.com)
                     http://www.hackingciscoexposed.com
Arhont ref:          arh200601-1
Advisory:            Cisco PIX embryonic state machine 1b data DoS
Class:               design bug?
Version:             Tested on PIX535,  PIX OS ver 6.3(4)
                     Tested on PIX515E, PIX OS ver 7.0(4)
Model Specific:      Other versions might have the same bug


DETAILS
Further to the advisory from Arhont Information Security released on
22/11/2005 and named Cisco PIX TCP Connection Prevention, I would like
to report that it is possible to perform an additional DoS attack
utilising the same flaw in the embryonic connection mechanism on the
PIX, but from the outside interface.

It is possible to prevent new connection establishment to a specific
port on a server located behind the PIX firewall when a permanent
static mapping is applied between a local and a global IP address,
as in the network setup diagram below.

Network Setup
Attacker ------ Internet ------ PIX ------ Server

By sending a legitimate packet that carries meaningless data in its
data field, it is possible to disable communication between the given
source and destination port pair for approximately 120 seconds on
PIXOS version 6 and 30 seconds on PIXOS version 7.

Although it would take a lot of packets to disrupt communication
between the hosts completely, we assume that the attacker's aim is to
prevent communication between a specific service on the machine behind
the PIX firewall (e.g. HTTP/S, SMTP) and some other host on the
Internet whose source address can be spoofed. Depending on the
bandwidth, it might take as little as 15 seconds to generate and send
out 65535 packets with a custom source port.
The attack can be performed using interactive packet constructors
such as hping, e.g.:

If you want to prevent new connection establishment between SOURCE_IP
source port 31337 and TARGET_IP destination port 80, execute:
arhontus / # hping2 -a $SOURCE_IP -S -c 1 -s 31337 -p 80 $TARGET_IP -d 1

If you want to prevent new connection establishment between SOURCE_IP
port range 0-63535 and TARGET_IP destination port 80, execute:
arhontus / # hping2 -a $SOURCE_IP -S -s 0 -p 80 --faster $TARGET_IP -d 1
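The traffic pattern the advisory describes (bare SYNs that carry a data byte, arriving from one source address with a rapidly cycling source port, aimed at the static-mapped server's service port) is distinctive enough to alarm on from the outside interface. The following detector is an added example written for this page; it is not part of the advisory and not Cisco or Arhont code. It assumes packets have already been summarised into dicts (timestamp, addresses, ports, TCP flags, payload length), as a capture tool or NetFlow-style exporter in front of the PIX could produce; the sample traffic, the 15-second window and the 100-distinct-ports threshold are constructed assumptions.

```python
from collections import defaultdict, deque, Counter


def make_sample_packets():
    """Constructed traffic, not a real capture: 200 SYNs carrying one data byte,
    each from a different source port of one (presumably spoofed) source
    address, toward the static-mapped server's port 80, mixed with ordinary
    payload-less SYNs from other clients."""
    pkts = []
    t = 0.0
    for i in range(200):
        pkts.append({"ts": t, "src": "198.51.100.7", "sport": 31337 + i,
                     "dst": "192.0.2.10", "dport": 80,
                     "flags": "S", "payload_len": 1})
        t += 0.02  # 200 packets spread over 4 seconds
    for i in range(20):
        pkts.append({"ts": 0.5 * i, "src": f"203.0.113.{i + 1}", "sport": 50000 + i,
                     "dst": "192.0.2.10", "dport": 80,
                     "flags": "S", "payload_len": 0})
    pkts.sort(key=lambda p: p["ts"])
    return pkts


def is_syn_with_payload(pkt):
    """A bare SYN (SYN set, ACK clear) normally carries no data; data on such a
    packet is the marker the advisory describes."""
    return "S" in pkt["flags"] and "A" not in pkt["flags"] and pkt["payload_len"] > 0


def detect_syn_payload_floods(packets, window_seconds=15.0, min_distinct_sports=100):
    """Slide a time window over SYN-with-payload packets per
    (src, dst, dport) and raise one alert per flow key once the number of
    distinct source ports seen inside the window reaches the threshold.
    Returns a list of alert dicts (empty when nothing crosses the threshold)."""
    windows = defaultdict(deque)        # key -> deque of (ts, sport) inside the window
    port_counts = defaultdict(Counter)  # key -> how many packets per sport in the window
    alerted = set()
    alerts = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if not is_syn_with_payload(pkt):
            continue
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        dq, counts = windows[key], port_counts[key]
        dq.append((pkt["ts"], pkt["sport"]))
        counts[pkt["sport"]] += 1
        # Expire packets that fell out of the window.
        while dq and pkt["ts"] - dq[0][0] > window_seconds:
            _old_ts, old_sport = dq.popleft()
            counts[old_sport] -= 1
            if counts[old_sport] == 0:
                del counts[old_sport]
        if key not in alerted and len(counts) >= min_distinct_sports:
            alerted.add(key)
            alerts.append({"src": key[0], "dst": key[1], "dport": key[2],
                           "distinct_sports": len(counts),
                           "window_start": dq[0][0], "window_end": pkt["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_payload_floods(make_sample_packets()):
        print("SYN-with-payload flood: %s -> %s:%d, %d distinct source ports in %.2fs"
              % (alert["src"], alert["dst"], alert["dport"],
                 alert["distinct_sports"], alert["window_end"] - alert["window_start"]))
```

Keying on the source address only works while the attacker keeps the spoofed address fixed, which is what the advisory's scenario requires (the goal is to block one client/server pair); counting distinct source ports toward one destination port regardless of source address catches the variant where the attacker spreads the flood over many spoofed sources. Ordinary SYNs without data never enter the window, so the detector does not react to a busy but legitimate web server.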


The attack was tested on two PIX 535 firewalls with 1Gb of RAM each,
performing static permanent mapping and running in failover mode
with PIXOS ver 6.3(4), and on a single PIX 515E with 64Mb of RAM running
PIXOS ver 7.0(4).


RISK FACTOR: Medium


WORKAROUNDS: PSIRT response with workarounds to follow this disclosure


COMMUNICATION HISTORY:
Issue discovered:  24/01/2006
PSIRT notified:    24/01/2006
Public disclosure: 07/03/2006

ADDITIONAL INFORMATION:
*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer at least 7 days
before releasing them to the public domains (such as CERT and BUGTRAQ).

If you would like to get more information about this issue, please do
not hesitate to contact Arhont team on info@...ont.com

-- 
Respectfully,
Konstantin V. Gavrilenko

Managing Director
Arhont Ltd - Information Security

web:    http://www.arhont.com
	http://www.wi-foo.com
e-mail: k.gavrilenko@...ont.com

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0xE81824F4
PGP: Server - keyserver.pgp.com
