lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BFD4D243999BA5458F6A8AC2CB3575050177456B@xmb-hkg-416.apac.cisco.com>
Date: Thu, 7 Sep 2006 10:21:17 +0800
From: "Paul Oxman \(poxman\)" <poxman@...co.com>
To: "FX" <fx@...noelit.de>, <full-disclosure@...ts.grok.org.uk>,
	<bugtraq@...urityfocus.com>
Cc: 
Subject: RE: Cisco IOS GRE issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,
    This is a Cisco response to an advisory published by FX of
Phenoelit posted as of September 06, 2006 at 
http://www.securityfocus.com/archive/1/445322/30/0/threaded, and 
entitled "Cisco Systems IOS GRE decapsulation fault".

An official response is located at: 
http://www.cisco.com/warp/public/707/cisco-sr-20060906-gre.shtml

This issue is being tracked by the following Cisco bug IDs:

  * CSCuk27655 -- GRE: make implementation RFC 2784 and RFC 2890 
                  compliant
  
  * CSCea22552 -- GRE: implementation of Reserved0 field not RFC2784
                  compliant

  * CSCei62762 -- GRE: IP GRE Tunnel with Routing Present Bit not 
                  dropped

We would like to thank FX from Phenoelit for reporting this issue to
Cisco. We greatly appreciate the opportunity to work with researchers
on security vulnerabilities, and welcome the opportunity to review
and assist in product reports.

Additional Information
======================

Generic Routing Encapsulation (GRE) is a generic packet encapsulation
protocol. GRE is documented in RFC1701 and RFC2784.

Vulnerable Products
+------------------ 
* Cisco IOS 12.0, 12.1 and 12.2 based trains
* All devices running affected versions of Cisco IOS software and
configured with GRE IP or GRE IP multipoint tunnels.

Products not affected by this vulnerability
+------------------------------------------
* Cisco IOS 12.3 and 12.4.
* Cisco IOS 12.0S release train, with a revision later than 
  12.0(23)S, with CEF enabled (Default behaviour)

In RFC1701, the GRE Header field (described in RFC2784 as Reserved0)
contains a number of flag bits which RFC2784 deprecates. In
particular, the Routing Present and Strict Source Route bits along
with Routing Information fields have been deprecated. All versions of
Cisco IOS software that support RFC2784 will not be affected by this
vulnerability, as any packet where any of the bits 1-5 are non-zero
will be discarded.

Cisco IOS versions that contain ANY of the following three fixes are
RFC2784 compliant and are not affected by this vulnerability:

  * CSCuk27655 -- GRE: make implementation RFC 2784 and RFC 2890
                  compliant
  
  * CSCea22552 -- GRE: implementation of Reserved0 field not RFC2784 
                  compliant

  * CSCei62762 -- GRE: IP GRE Tunnel with Routing Present Bit not 
                  dropped

Vulnerability Impact Overview
+----------------------------

Upon receiving a specially crafted GRE packet, depending on the
data within a specific packet memory location, the GRE code will 
decapsulate a packet using the contents of referenced memory 
buffers.  

With "debug tunnel" enabled, output similar as shown below will be 
produced:

  GRE decapsulated IP 0.3.74.0->0.0.1.30 (len=65407, ttl=39)
  GRE decapsulated IP 176.94.8.0->0.0.0.0 (len=64904, ttl=0)
  GRE decapsulated IP 0.15.31.193->176.94.8.0 (len=64894, ttl=237)
  GRE decapsulated IP 128.42.131.220->128.0.3.74 (len=64884, ttl=128)


Only if the referenced memory buffers data decapsulates to a valid 
IPv4 packet, will this packet be forwarded.  Invalid IPv4 packets 
will be dropped at the router.

This potentially could be used to bypass ACLs on the router.

Workarounds and Mitigations
===========================

The following workaround is applicable to 12.0S based trains only:

  * Cisco Express Forwarding (CEF)
    If running Cisco IOS 12.0S release train, with a revision later
    than 12.0(23)S, with CEF enabled will mitigate this 
    vulnerability.  

    CEF is enabled by default for 12.0S releases. 

    To check the status of CEF on the router issue the CLI command 
    "sh ip cef" or "sh ip cef interface".
    Refer to: http://www.ciscosystems.ro/univercd/cc/td/doc/product/
    software/ios122/122cgcr/fswtch_c/swprt1/xcfcefc.htm for further
    information on CEF.

The following mitigations may be applied to vulnerable Cisco IOS
versions:

  * Anti-spoofing mechanisms of the tunnel source and destination end
    points.
    Refer to: http://www.cisco.com/warp/public/707/21.html#sec_ip
    and http://www.ietf.org/rfc/rfc2827.txt for further 
    further information on deploying anti-spoofing mechanisms.

  * Encrypt the GRE tunnel with IPSec:
    Refer to: http://www.cisco.com/univercd/cc/td/doc/product/
    software/ios123/123tcr/123tir/int_t1gt.htm#wp1161892 for further
    information.

Regards
Paul Oxman
Cisco Systems PSIRT
 

- -----Original Message-----
From: FX [mailto:fx@...noelit.de] 
Sent: Thursday, 7 September 2006 12:34 AM
To: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
Subject: Cisco IOS GRE issue

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +---->

[ Title ]
        Cisco Systems IOS GRE decapsulation fault

[ Authors ]
        FX              <fx@...noelit.de>

        Phenoelit Group (http://www.phenoelit.de)
        Advisory        http://www.phenoelit.de/stuff/CiscoGRE.txt

[ Affected Products ]
        Cisco IOS 

        Tested on:      C3550 IOS 12.1(19)

        Cisco Bug ID:   CSCuk27655, CSCea22552, CSCei62762
        CERT Vu ID:     <not assinged>

[ Vendor communication ]
        07.07.05        Initial Notification, gaus@...co.com
        27.07.05        PSIRT realized that nobody took this bug, Paul
Oxman
                        took over
        28.07.05        Paul successfully reproduces the issue
        04.08.05        Paul notifies FX about availabe fixes
        05.08.05        Paul notifies FX about new side effects
discovered
                        by Cisco
        06.09.06        Final advisory going public as coordinated
release
                        *Note-Initial notification by phenoelit
                        includes a cc to cert@...t.org by default

[ Overview ]
        Cisco Systems IOS contains a bug when parsing GRE packets
        with GRE source routing information. A specially crafter GRE
packet
        can cause the router to reuse packet packet data from unrelated 
        ring buffer memory. The resulting packet is reinjected in the
routing
        queues.

[ Description ]
        The GRE protocol according to RFC1701 supports source routing
        different from the one known in IPv4. An optional header is
added to
        the GRE header containing Source Route Entries for further
routing.
        
        GRE header:
         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |C|R|K|S|s|Recur|  Flags  | Ver |         Protocol Type
|
 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |      Checksum (optional)      |       Offset (optional)
|
 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                         Key (optional)
|
 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                    Sequence Number (optional)
|
 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                         Routing (optional)
|
 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

        When a specially crafted GRE packet with routing information is 
        received by a Cisco IOS device, the offset field is not verified
        to point inside the packet but is subtracted from what appears 
        to be a short integer holding the overall length of the IP
packet,
        causing an overflow of the same.

        This causes other memory contents of the packet ring buffers to
        be interpreted as the payload IP packet and reinjected into the
        routing queue with fairly large length information:

        GRE decapsulated IP 0.3.74.0->0.0.1.30 (len=65407, ttl=39)
        GRE decapsulated IP 176.94.8.0->0.0.0.0 (len=64904, ttl=0)
        GRE decapsulated IP 0.15.31.193->176.94.8.0 (len=64894, ttl=237)
        GRE decapsulated IP 128.42.131.220->128.0.3.74 (len=64884,
ttl=128)

        The outer IP packet must come from the configured tunnel source
        and be sent to the configured tunnel destination IP address.

        By carefully filling the ring buffers with legitimate traffic
like
        ICMP, containing an IP header at the right offset, an attacker
can
        create IP packets with large length values inside IOS. PSIRT 
        believes this cannot be done, Phenoelit differs on that.

[ Example ]
        Internet Protocol, 
                Src Addr: 85.158.1.110 (85.158.1.110), 
                Dst Addr: 198.133.219.25 (198.133.219.25)
            Version: 4
            Header length: 20 bytes
            Differentiated Services Field: 0x00
            Total Length: 28
            Identification: 0xaffe (45054)
            Flags: 0x00
            Fragment offset: 0
            Time to live: 30
            Protocol: GRE (0x2f)
            Header checksum: 0xf409 (correct)
            Source: 85.158.1.110 (85.158.1.110)
            Destination: 198.133.219.25 (198.133.219.25)
        Generic Routing Encapsulation (IP)
            Flags and version: 0x4000
                0... .... .... .... = No checksum
                .1.. .... .... .... = Routing
                ..0. .... .... .... = No key
                ...0 .... .... .... = No sequence number
                .... 0... .... .... = No strict source route
                .... .000 .... .... = Recursion control: 0
                .... .... 0000 0... = Flags: 0
                .... .... .... .000 = Version: 0
            Protocol Type: IP (0x0800)
            Checksum: 0x0000
            Offset: 99

[ Notes ]
        IOS implements GRE source routing as forwarding of the inner IP
        packet. Thus, a Source Route Entry of 255.255.255.255 will cause
        IOS to resend the GRE packet to the specified address according
        to the routing table (all in this case) on the appropriate 
        interface (all in this case).
        The source address of the new packet will be the router's IP 
        address, the destination address according to the received
packet.
        This can be used to circumvent Access Control Lists with GRE.

[ Solution ]
        Stop using GRE. There is no way in IOS to turn off source
routing
        for GRE tunnels.

        To correct the parsing issue, try to install an IOS version
        containing the fixes CSCuk27655 or CSCea22552 or CSCei62762.

[ end of file ($Revision: 1.3 $) ]

- -- 
         FX           <fx@...noelit.de>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRP964fDVAGwZg2sUEQKTgwCfSky1Ea6DbRWDXl6SQbjKIf/0l8wAn0eI
HC75BVSxyL4ZXG+pRgqxz5Q7
=/HeP
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ