BugTraq
Re: CISCO as5350 crashes with nmap connect scan
Oct 29 2002 08:11PM
Thomas Munn (munn bigfoot com)
In-Reply-To: <20021028165345.11929.qmail (at) mail.securityfocus (dot) com [email concealed]>
>Received: (qmail 7861 invoked from network); 28 Oct 2002 22:14:00 -0000
>Received: from outgoing2.securityfocus.com (HELO outgoing.securityfocus.com) (205.206.231.26)
> by mail.securityfocus.com with SMTP; 28 Oct 2002 22:14:00 -0000
>
>I have managed to "reduplicate" at least five times the
>following scenario with a cisco as5250, with firmware
>12.2 (11t) release firmware of cisco:
>
>nmap -dinsane -p 1-65535 ip.of.as5350
>
>This causes a "hard" lockup, and the device must be powered off in
>order to have functionality restored to it.
>
>Mentioned to PSIRT at cisco, they didn't do anything.
>
>Sincerely,
>
>Thomas J. Munn
>
It seems to be the -p 1-65535 that causes a disconnect
on the unit (via ssh) but doesn't crash it; the
-dinsane part seems to lock it. A gentleman emailed me
that there is a known "ssh" bug, and yes, ssh was
enabled. When just using nmap -sT -p 1-65535, ssh
disconnects me, but doesn't kill the box.

List of ports, quite fascinating by the way!
22/tcp open ssh
23/tcp open telnet
111/tcp filtered sunrpc
1720/tcp open H.323/Q.931
2216/tcp open unknown
2217/tcp open unknown
2218/tcp open unknown
2219/tcp open unknown
2220/tcp open unknown
2221/tcp open unknown
2222/tcp open unknown
2223/tcp open unknown
2224/tcp open unknown
2225/tcp open unknown
2226/tcp open unknown
2227/tcp open unknown
2228/tcp open unknown
2229/tcp open unknown
2230/tcp open unknown
2231/tcp open unknown
2232/tcp open ivs-video
2233/tcp open unknown
2234/tcp open unknown
2235/tcp open unknown
2236/tcp open unknown
2237/tcp open unknown
2238/tcp open unknown
2239/tcp open unknown
2240/tcp open unknown
2241/tcp open ivsd
2242/tcp open unknown
2243/tcp open unknown
2244/tcp open unknown
2245/tcp open unknown
2246/tcp open unknown
2247/tcp open unknown
2248/tcp open unknown
2249/tcp open unknown
2250/tcp open unknown
2251/tcp open unknown
2252/tcp open unknown
2253/tcp open unknown
2254/tcp open unknown
2255/tcp open unknown
2256/tcp open unknown
2257/tcp open unknown
2258/tcp open unknown
2259/tcp 2260/tcp open unknown
2261/tcp open unknown
2262/tcp open unknown
2263/tcp open unknown
2264/tcp open unknown
2265/tcp open unknown
2266/tcp open unknown
2267/tcp open unknown
2268/tcp open unknown
2269/tcp open unknown
2270/tcp open unknown
2271/tcp open unknown
2272/tcp open unknown
2273/tcp open unknown
2274/tcp open unknown
2275/tcp open unknown
3001/tcp open nessusd
4216/tcp open unknown
4217/tcp open unknown
4218/tcp open unknown
4219/tcp open unknown
4220/tcp open unknown
4221/tcp open unknown
4222/tcp open unknown
4223/tcp open unknown
4224/tcp open unknown
4225/tcp open unknown
4226/tcp open unknown
4227/tcp open unknown
4228/tcp open unknown
4229/tcp open unknown
4230/tcp open unknown
4231/tcp open unknown
4232/tcp open unknown
4233/tcp open unknown
4234/tcp open unknown
4235/tcp open unknown
4236/tcp open unknown
4237/tcp open unknown
4238/tcp open unknown
4239/tcp open unknown
4240/tcp open unknown
4241/tcp open unknown
4242/tcp open unknown
4243/tcp open unknown
4244/tcp open unknown
4245/tcp open unknown
4246/tcp open unknown
4247/tcp open unknown
4248/tcp open unknown
4249/tcp open unknown
4250/tcp open unknown
4251/tcp open unknown
4252/tcp open unknown
4253/tcp open unknown
4254/tcp open unknown
4255/tcp open unknown
Goes up far more
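
An added example, not part of the original post: a small Python parser for the nmap port-table format shown above that collapses open ports into contiguous ranges, so blocks of listeners like the ones in this list stand out when reviewing what a device exposes. The sample rows are constructed in the post's format, and the function names are illustrative.

```python
import re
from itertools import groupby

# Constructed sample in the nmap port-table format shown in the post
# (a few rows per block, plus one row damaged the way the archived copy is).
SAMPLE = """\
22/tcp open ssh
23/tcp open telnet
111/tcp filtered sunrpc
2216/tcp open unknown
2217/tcp open unknown
2218/tcp open unknown
2259/tcp 2260/tcp open unknown
4216/tcp open unknown
4217/tcp open unknown
"""

# Only the three states that appear in this kind of table are accepted here.
ROW = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)\s*$")

def parse_rows(text):
    """Return (rows, rejected); rows are (port, proto, state, service) tuples."""
    rows, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        m = ROW.match(line)
        if m and 0 < int(m.group(1)) <= 65535:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        elif line:
            rejected.append(line)  # keep malformed rows for manual review
    return rows, rejected

def open_ranges(rows, proto="tcp"):
    """Collapse open ports into inclusive (first, last) runs of consecutive numbers."""
    ports = sorted({p for p, pr, st, _ in rows if pr == proto and st == "open"})
    runs = []
    # Consecutive ports share the same (port - index) difference.
    for _, grp in groupby(enumerate(ports), key=lambda t: t[1] - t[0]):
        members = [p for _, p in grp]
        runs.append((members[0], members[-1]))
    return runs

if __name__ == "__main__":
    rows, rejected = parse_rows(SAMPLE)
    for first, last in open_ranges(rows):
        print(f"{first}-{last}: {last - first + 1} open listener(s)")
    print("unparsed rows:", rejected)
```
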