Serious bug in Cisco PIX

From: Robert Ståhlbrand (robertat_private)
Date: Wed Aug 19 1998 - 02:12:21 PDT


    Summary:
    During security testing of firewalls in our lab we found a serious bug
    in Cisco PIX which makes it possible to do DOS attacks against static
    IP addresses on the inside. The bug was reported to Cisco six weeks ago,
    including the source code of our DOS program, but no response yet (more
    than "working on it").
    
    Details:
    Most Cisco PIX installations use NAT, but if you need DNS, mail etc. you have
    to have a static address for this server, and many installations of Cisco
    PIX are configured like this.
    We sent a fragmented packet, split into 2, with the FIN flag set and
    noticed that the packet with the TCP header was correctly dropped, but
    the second part was let through the PIX to the host on the inside!
    Another strange thing was that the data was deformed so that all data was
    7E! We tried with only ICMP allowed, mail etc. and with nothing allowed,
    and we had the same result every time. The part that did not include the
    TCP header was let through!
    So how can you do a DOS attack with this? Easy! Just send a lot of those
    packets (I really mean a lot!!!) to this host and see what happens. An
    NT server we tried against completely stopped! Couldn't even move the
    mouse. Same thing with a Linux box, but NT servers with more than one CPU
    managed a little better. Only one CPU got up to 100%. We also tried
    against a SUN Ultra 2 with a lot of memory, but this attack did not seem
    to affect this machine very much.
    The reason why the smaller machine hangs could (must?!) be that it
    collects a lot of fragmented packets but never receives the first
    part of them, which will exhaust the memory after a while. It will also have a
    great job collecting all these packets. The server will hang fast (1
    second or so) if you have plenty of bandwidth, slower if you don't, but it
    will always work. The funny thing is that it is the PIX that makes it
    possible to perform this DOS attack :-).
    Of course, what we were trying to do was to FIN-scan for open ports on a
    machine behind the PIX, but this was even better...
    Most source code was snatched from Uriel's and Fyodor's FIN/fragment
    scanners. Many thanks to them!
    
    Who is affected?
    Any company, organisation etc. that is using static addressing along
    with Cisco PIX, with any version of the PIX software. Even tried the last
    beta.
    Pentagon, are you reading this?
    
    Fixes:
    No fix yet as far as I know. Cannot think of a quick one, except removing all
    static addressing, and that's no good.
    
    ----------------------------------------------------------------------------------------------------------
    Robert Ståhlbrand
    Ericsson Telecom AB, Network Management Application Center
    TeMa-Lab system responsible
    robertat_private
    
    "Real hackers don't die, their TTL expires."
    ---------------------------------------------------------------------------------------------------------
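The failure mode described in the post is a non-initial fragment (no TCP header) reaching the inside host while its head fragment never does, leaving the host holding reassembly state. The following added example (not from the original post or from Cisco) replays constructed fragment records and reports, per source, how many headless fragments a stateful filter should have dropped and how many bytes a receiver would keep in incomplete reassembly buffers; the record layout and sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample fragment records (not a real capture). Fields:
# (time_s, src, dst, ip_id, frag_offset_units, more_fragments, payload_len)
SAMPLE_FRAGMENTS = [
    (0.00, "198.51.100.7", "192.0.2.10", 4001, 0, True, 24),   # head: carries the TCP header
    (0.01, "198.51.100.7", "192.0.2.10", 4001, 3, False, 16),  # tail of 4001: datagram completes
    (0.02, "198.51.100.7", "192.0.2.10", 4002, 3, False, 16),  # tail whose head never arrives
    (0.03, "198.51.100.7", "192.0.2.10", 4003, 3, False, 16),  # tail whose head never arrives
    (0.04, "198.51.100.7", "192.0.2.10", 4004, 3, False, 16),  # tail whose head never arrives
    (0.05, "203.0.113.9", "192.0.2.10", 7001, 0, False, 40),   # ordinary unfragmented packet
]


def reassembly_state(records):
    """Replay fragments in time order; return {key: (has_head, has_tail, bytes)}.

    key is (src, dst, ip_id). A datagram is complete only when an offset-0
    fragment (head) and an MF=0 fragment (tail) have both been seen.
    """
    state = {}
    for _t, src, dst, ip_id, offset, more, length in sorted(records):
        head, tail, total = state.get((src, dst, ip_id), (False, False, 0))
        state[(src, dst, ip_id)] = (head or offset == 0, tail or not more, total + length)
    return state


def headless_fragments_by_source(records):
    """Count, per source, non-first fragments seen before any head for their
    datagram. These are what a stateful filter should have dropped; a host
    that buffers them until its reassembly timer fires pays memory for each.
    """
    seen_head = set()
    counts = defaultdict(int)
    for _t, src, dst, ip_id, offset, _more, _length in sorted(records):
        key = (src, dst, ip_id)
        if offset == 0:
            seen_head.add(key)
        elif key not in seen_head:
            counts[src] += 1
    return dict(counts)


def bytes_stuck_in_reassembly(records):
    """Bytes a receiver would hold for datagrams that never completed."""
    return sum(b for head, tail, b in reassembly_state(records).values() if not (head and tail))


if __name__ == "__main__":
    print("headless fragments per source:", headless_fragments_by_source(SAMPLE_FRAGMENTS))
    print("bytes held for incomplete datagrams:", bytes_stuck_in_reassembly(SAMPLE_FRAGMENTS))
```

A sustained count of headless fragments from one source toward a statically mapped inside address is the signal to alert on; the byte total shows how the receiver's reassembly memory grows until its timer expires.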