no effect on a cisco 677 running cbos 2.4.2 (latest) - tried leaving the ping
running for 10 minutes or so.

----- Original Message -----
From: "Johnson, Michael" <Michael.Johnsonat_private>
To: "'Vladimir Kraljevic'" <vladimir_kraljevicat_private>; <VULN-DEVat_private>
Cc: "'Geo.'" <georgerat_private>
Sent: Monday, August 06, 2001 7:44 PM
Subject: RE: Code red II crashes cisco 678

> Verified on a 677 also.
>
> -----Original Message-----
> From: Vladimir Kraljevic [mailto:vladimir_kraljevicat_private]
> Sent: Monday, August 06, 2001 11:55 AM
> To: VULN-DEVat_private
> Cc: 'Geo.'
> Subject: RE: Code red II crashes cisco 678
>
>
> I've had problems with Cisco 677 (please take a search for
> 20000814172811.28516.qmailat_private).
>
> It was possible to smash the router (only power off helped) by issuing ICMP
> echo with record route flag set (succeeded even with Win32 ping from command
> line). Problem appeared after several echo requests of that type, not
> immediately (try ping -t -r 8 <some.non.local.ip.address> and wait 2-3
> minutes at most). However, I was not able (not enough time, as usual) to try
> to craft fake ICMP response with recorded routes inside (maybe this allows
> a DoS against complete families of Cisco 6xx routers).
>
> Maybe related.
>
> Vladimir
>
>
> C:\>-----Original Message-----
> C:\>From: Geo. [mailto:georgerat_private]
> C:\>Sent: Monday, August 06, 2001 4:43
> C:\>To: Russ; VULN-DEVat_private;
> C:\>NTBUGTRAQat_private;
> C:\>Discussion regarding Windows-related security vulnerabilities and
> C:\>risks.; Marc Maiffret; securityat_private
> C:\>Subject: Code red II crashes cisco 678
> C:\>
> C:\>
> C:\>All day I've had customers calling with cisco 678 routers
> C:\>running cbos 2.4.2
> C:\>with the web interface disabled. Seems their routers have
> C:\>been crashing.
> C:\>
> C:\>We traced this back to the code red worm. For some reason
> C:\>even with web
> C:\>disabled on these routers port 80 remains open. Simply
> C:\>running a port scan
> C:\>and cutting off the connection is enough to crash the
> C:\>router. Locks up
> C:\>solid.
> C:\>
> C:\>I also found a solution, by doing a
> C:\>
> C:\>set web remote ipaddress
> C:\>
> C:\>where ipaddress is one of their internal IPs you can
> C:\>prevent outside
> C:\>addresses from being able to crash the router.
> C:\>
> C:\>Just a heads up guys, if you are seeing 678's crashing,
> C:\>give it a try, it's
> C:\>working here.
> C:\>
> C:\>Geo.
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 12:48:06 PDT