Re: Phenoelit Advisory, 0815 ++ * - Cisco_tftp

From: Mike Caudill (mcaudillat_private)
Date: Sat Jul 27 2002 - 11:19:03 PDT


    
    We can confirm the finding made by kim0at_private.  The issue has been 
    assigned Cisco Bug ID CSCdy03429.  Workarounds exist which can prevent the
    router affected from a device reset.  At this time Cisco does not believe 
    that software upgrades are necessary to resolve this issue.  Cisco IOS 
    versions 12.0 and higher are not affected by this problem.
    
    Cisco IOS versions 11.1, 11.2 and 11.3 (most trains) contain a buffer 
    overflow in the embedded Trivial FTP (TFTP) server which can cause a 
    reset of the device.  The buffer overflow occurs due to an unchecked 
    buffer containing the filename requested via a TFTP read-request.  From 
    our testing, to cause the device to reset requires the use of a crafted 
    TFTP packet, as the TFTP client side software which we tested would not 
    permit a long enough filename to demonstrate the problem.
    
    The workarounds are for all users running affected Cisco IOS versions who 
    have enabled the tftp server on the device, to either disable the server 
    or to add an alias onto the filenames being served via TFTP.
    
    If TFTP server functionality is not needed the service may be disabled by
    removing all commands beginning with the string "tftp-server" from the 
    configuration.
    
    In order to add an alias onto the filename being served via TFTP, you will 
    need to first remove that line and add it back.
    
    For instance, if the following configuration existed:
    
    	tftp-server flash c2500-js-l.112-20
    
    you would need to issue the following commands.
    
    	#config terminal
    	Enter configuration commands, one per line.  End with CNTL/Z.
    	(config)#no tftp-server flash c2500-js-l.112-20
    	(config)#tftp-server flash c2500-js-l.112-20 alias CiscoIOS
    
    If multiple filenames are being served via TFTP on the device and you desire
    to use the workaround of adding an alias to the filename, you will have to
    add an alias on each entry.  Any "tftp-server" entry without an alias on a
    device running an affected version of Cisco IOS would be sufficient to be
    vulnerable to a device reset.
    
    
    -Mike-
    
    
    
    
    
    > kim0 <kim0at_private> [2002-07-27 12:52] wrote:
    > 
    > -- 
    >            kim0   <kim0at_private>
    >        Phenoelit (http://www.phenoelit.de)
    > 90C0 969C EC71 01DC 36A0  FBEF 2D72 33C0 77FC CD42
    
    > Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++-->
    > 
    > [ Authors ]
    > 	FX		<fxat_private>
    > 	FtR 		<ftrat_private>
    > 	kim0 		<kim0at_private>
    > 
    > 	Phenoelit Group	(http://www.phenoelit.de)
    > 	Advisory	http://www.phenoelit.de/stuff/Cisco_tftp.txt
    > 
    > [ Affected Products ]
    > 	Cisco IOS 
    > 
    > 	Tested on
    > 			IOS 11.1 - 11.3
    > 
    > 	Cisco Bug ID: 	<not assigned>
    >         CERT Vulnerability ID: 689579
    > 
    > [ Vendor communication ]
    >         06/29/02        Initial Notification,
    > 			security-alertat_private & psirtat_private
    >                         *Note-Initial notification by phenoelit
    >                         includes a cc to certat_private by default
    >         06/30/02        Human confirmation from PSIRT @ Cisco
    >         06/30/02 (2)    Discussion of detail
    >         07/01/02        Continued discussion for reproducing problem
    >         07/01/02        Receipt, ack. and clarification by CERTat_private
    >         07/03/02        Continued discussions with PSIRT
    >         07/19/02        Notification of intent to post publicly
    >                         in apx. 7 days.
    >         07/25/02        Final coordination for release.         
    > 
    > [ Overview ]
    > 	Cisco Systems Routers are the most widely used routers.  
    > 	Cisco Routers are embedded network devices that run a dedicated 
    > 	Operating System, the Cisco IOS.
    > 	
    > [ Description ]
    > 	The Cisco IOS integrated TFTP server suffers from a buffer overflow 
    > 	condition. 
    > 	When requesting a file name with approximately 700 characters, the device 
    > 	crashes and may reboot. This only happens if the served file is on a 
    > 	flash device and no alias is assigned to it.
    > 
    > 	Vulnerable:
    > 	router# conf t
    > 	router# tftp-server flash:ios_11.3_a-b-c-d.bin
    > 	
    > 	Not vulnerable:
    > 	router# conf t
    > 	router# tftp-server flash:ios_11.3_a-b-c-d.bin alias TheStuff
    > 	
    > [ Example ]
    > 	OpenBSD# tftp cisco53.navy.smil.mil
    > 	tftp> get AAAAAAAAA....(700 times)
    > 
    > [ Solution ]
    > 	None available at this time
    > 
    > [ end of file ]
    > 
    > 
    
    > [    ----- End of Included Message -----    ]
    
    -- 
    ----------------------------------------------------------------------------
    |      ||        ||       | Mike Caudill              | mcaudillat_private |
    |      ||        ||       | PSIRT Incident Manager    | 919.392.2855       |
    |     ||||      ||||      | DSS PGP: 0xEBBD5271       | 919.522.4931 (cell)|
    | ..:||||||:..:||||||:..  | RSA PGP: 0xF482F607       ---------------------|
    | C i s c o S y s t e m s | http://www.cisco.com/go/psirt                  |
    ----------------------------------------------------------------------------
    
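The alias workaround described in the reply, as an added example that is not part of the original message or of any Cisco or Phenoelit code: a small Python audit that finds `tftp-server` lines in a saved running-config that lack the `alias` keyword and prints the remove/re-add commands for each. It assumes a trailing all-digit token is the optional access-list number, and the alias names it generates are constructed placeholders.

```python
"""Audit a Cisco IOS config for tftp-server lines that lack an alias.

Added example, not Cisco's or Phenoelit's code: flags each ``tftp-server``
statement without the ``alias`` keyword and emits the remove/re-add workaround
from the reply.  Assumes a trailing all-digit token is the optional
access-list number; generated alias names are constructed placeholders.
"""

def parse_tftp_server(line):
    """Return (file_spec, has_alias, acl) for a tftp-server line, else None."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "tftp-server":
        return None
    body = tokens[1:]
    acl = body.pop() if body[-1].isdigit() else None  # optional ACL number
    has_alias = "alias" in body
    if has_alias:
        body = body[: body.index("alias")]  # keep only the file spec
    return " ".join(body), has_alias, acl

def unaliased_entries(config):
    """tftp-server lines in the vulnerable (no alias) form, as written."""
    hits = []
    for raw in config.splitlines():
        parsed = parse_tftp_server(raw)
        if parsed and not parsed[1]:
            hits.append(raw.strip())
    return hits

def remediation_commands(config, prefix="TFTPFILE"):
    """Config-mode commands: 'no <line>', then the line re-added with an alias."""
    cmds = []
    for n, line in enumerate(unaliased_entries(config), 1):
        file_spec, _, acl = parse_tftp_server(line)
        cmds.append(f"no {line}")
        fixed = f"tftp-server {file_spec} alias {prefix}{n}"
        cmds.append(fixed + (f" {acl}" if acl else ""))  # ACL stays last
    return cmds

# Constructed sample running-config fragment (old and new file-spec syntax).
SAMPLE_CONFIG = """\
tftp-server flash c2500-js-l.112-20
tftp-server flash:ios_11.3_a-b-c-d.bin alias TheStuff
tftp-server flash:backup.bin 10
!
"""

if __name__ == "__main__":
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

Review the generated commands before pasting them into configuration mode; an entry that already carries an alias is left untouched.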



    This archive was generated by hypermail 2b30 : Sat Jul 27 2002 - 12:57:49 PDT