Message-ID: <20010406070650.6755.qmail@securityfocus.com>
Date: Fri, 6 Apr 2001 07:06:50 -0000
Reply-To: claudiu@DATANETS.RO
From: Claudiu Calomfirescu <claudiu@DATANETS.RO>
To: BUGTRAQ@SECURITYFOCUS.COM

06.04.2001
Datanet Systems
Claudiu Calomfirescu
claudiu@datanets.ro

PIX Firewall 5.1 DoS Vulnerability

Description:
------------
An attacker on either the inside or the outside interface of a PIX Firewall 515 or 520 running version 5.1.4 with aaa authentication against a TACACS+ server can cause the PIX to crash and reload by overwhelming it with authentication requests.

Products affected:
------------------
Vulnerable Product: PIX Firewall 515, 520
Vulnerable OS: 5.1.4 - General Deployment Release
Non Vulnerable OS: 5.3.1 - General Deployment Release

Vendor response:
----------------
The vendor (Cisco Systems) was notified on 14 March (TAC case number B215177) and so far has only asked about the environment in which the problem was found, without really trying to reproduce it. They received the exploit program, the PIX configuration, a detailed description of what happened, the stack trace from the crash and the logs.

How it was found:
-----------------
1. A user on the inside, without aaa permission to go out, plays a game (Jewels) from zapspot.com. He knows nothing about what is happening in the background.
2. At a certain point the game tries to connect to the address api.zapspot.com on port 80 from port 2000.
3. The PIX starts an authentication process, but the game is not a browser, so the user sees nothing. The game then tries to connect to api.zapspot.com on port 80 from ports 2001, 2002, 2003 and so on, very quickly (hundreds per second).
4. The PIX has too many authentications in progress and crashes.

Discussion:
-----------
To reproduce the problem do the following:

1. Configure the PIX Firewall version 5.1.4 for aaa authentication against a TACACS+ server:

   aaa-server TACACS+ protocol tacacs+
   aaa-server RADIUS protocol radius
   aaa-server grup protocol tacacs+
   aaa-server grup (inside) host 10.10.10.20 cheia timeout 5
   aaa authentication include http outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 grup
   aaa authorization include http outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 grup
   aaa accounting include http outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 grup

2. From an inside host, generate HTTP requests with a sweeping source port directed to a global address on port 80. In our case we generated an HTTP request from port 2000 and the PIX started an authentication process:

   109001: Auth start for user '???' from 10.10.10.1/2000 to 216.46.233.11/80

   After that we generated an HTTP request from port 2001:

   109001: Auth start for user '???' from 10.10.10.1/2001 to 216.46.233.11/80

   and so on. After 426 requests (this number is not always the same) generated in 3 seconds, the PIX gives the message:

   Panic: uauth1 - open: no more channels (tcp/UNPROXY/1/0)!

   crashes in:

   Thread Name: uauth1 (Old pc 0x80070b4f ebp 0x810c56dc)

   and reloads. Very simple and nice.

Version 5.3.1 is more stable; so far I could not get it down. I could consume all its resources, but it did not crash:

   701001: alloc_user() out of Tcp_user objects
   109010: Auth from 10.10.10.1/2440 to 216.46.233.11/80 failed (too many pending auths) on interface inside

We had only PIX Firewall models 515 and 520 available.

--------------------------------------------------------------
Claudiu Calomfirescu             Datanet Systems SRL
IT Security Consultant           Zarii 14, sector 5
mobile: + 40 94 20 33 55         Bucharest, Romania
email: claudiu@datanets.ro       tel: + 40 1 22 33 755
http://www.datanets.ro           fax: + 40 1 22 33 747
--------------------------------------------------------------
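The syslog messages quoted in the advisory (109001 at each authentication start, 109010 and 701001 once the pending-authentication table is exhausted on 5.3.1) are what a defender can watch for. The following detector is an added example, not code from the advisory or from Cisco: it parses those message bodies from syslog lines and raises an alert when one source address starts more than a threshold of authentications within a short sliding window, and flags every exhaustion message. The timestamp and "%PIX-level-" prefix on each line is assumed to have been added by the syslog server (the advisory's console output shows only "109001: ..."), and the sample log is constructed to mirror the advisory's port sweep from 10.10.10.1. The threshold is a tuning choice, not a value from the advisory.

```python
"""Flag bursts of PIX 109001 'Auth start' messages from a single source.

Added example, not part of the advisory or of any Cisco tooling. It parses
syslog lines carrying the message bodies quoted in the advisory; the leading
"Apr  6 07:06:50 host %PIX-6-" framing is assumed to come from the syslog
server (the advisory's console output shows only "109001: ...").
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed syslog framing: timestamp, then anything, then the 6-digit message id.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?(?P<msgid>\d{6}): (?P<body>.*)$"
)
# Body of 109001 exactly as quoted in the advisory.
AUTH_START_RE = re.compile(
    r"Auth start for user '(?P<user>[^']*)' from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# Message ids the advisory shows once the uauth table is exhausted (5.3.1).
EXHAUSTION_IDS = {"109010", "701001"}


def parse_line(line, year=2001):
    """Split one syslog line into timestamp, message id and body, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "msgid": m["msgid"], "body": m["body"]}


def detect_auth_flood(lines, threshold=100, window_s=3):
    """Return alerts for (a) any source that starts more than `threshold`
    authentications inside a sliding `window_s`-second window and (b) every
    exhaustion message (109010 / 701001).  The threshold is a tuning choice;
    the advisory reports the 5.1.4 crash after 426 requests in 3 seconds."""
    recent = defaultdict(deque)   # src ip -> timestamps of 109001 in window
    already_alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msgid"] in EXHAUSTION_IDS:
            alerts.append(("exhaustion", rec["msgid"], rec["body"]))
            continue
        if rec["msgid"] != "109001":
            continue
        am = AUTH_START_RE.search(rec["body"])
        if am is None:
            continue
        src = am["src"]
        window = recent[src]
        window.append(rec["ts"])
        # Drop auth starts that fell out of the sliding window.
        while (rec["ts"] - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) > threshold and src not in already_alerted:
            already_alerted.add(src)
            alerts.append(("auth_flood", src, len(window)))
    return alerts


def build_sample_log(n_auths=150, exhausted=True):
    """Constructed sample modelled on the advisory's messages: n_auths auth
    starts from 10.10.10.1 sweeping source ports 2000 upward at ~60/s,
    optionally followed by the 109010 'too many pending auths' message."""
    lines = []
    for i in range(n_auths):
        sec = 50 + i // 60
        lines.append(
            f"Apr  6 07:06:{sec:02d} pix %PIX-6-109001: Auth start for user '???' "
            f"from 10.10.10.1/{2000 + i} to 216.46.233.11/80"
        )
    if exhausted:
        lines.append(
            "Apr  6 07:06:53 pix %PIX-3-109010: Auth from 10.10.10.1/2440 "
            "to 216.46.233.11/80 failed (too many pending auths) on interface inside"
        )
    return lines


if __name__ == "__main__":
    for alert in detect_auth_flood(build_sample_log()):
        print(alert)
```

Run against the constructed sample, the detector reports the flood from 10.10.10.1 as soon as the 101st authentication start lands inside the 3-second window, and then the 109010 exhaustion message; a handful of legitimate authentication starts produces no alert. In a real deployment the exhaustion ids are the higher-confidence signal, since they come from the firewall itself rather than from a rate heuristic.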