[26356] in bugtraq
Phenoelit Advisory, 0815 ++ * - Cisco_tftp
daemon@ATHENA.MIT.EDU (kim0)
Sat Jul 27 12:29:36 2002
Message-ID: <3D426F79.3020808@phenoelit.de>
Date: Sat, 27 Jul 2002 12:01:29 +0200
From: kim0 <kim0@phenoelit.de>
Reply-To: kim0@phenoelit.de
MIME-Version: 1.0
To: vuln-dev@securityfocus.com, bugtraq@securityfocus.com, darklab@darklab.org
Content-Type: multipart/mixed;
boundary="------------070202040806020802040103"
--------------070202040806020802040103
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
--
kim0 <kim0@phenoelit.de>
Phenoelit (http://www.phenoelit.de)
90C0 969C EC71 01DC 36A0 FBEF 2D72 33C0 77FC CD42
--------------070202040806020802040103
Content-Type: text/plain;
name="Cisco_tftp.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="Cisco_tftp.txt"
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++-->
[ Authors ]
FX <fx@phenoelit.de>
FtR <ftr@phenoelit.de>
kim0 <kim0@phenoelit.de>
Phenoelit Group (http://www.phenoelit.de)
Advisory http://www.phenoelit.de/stuff/Cisco_tftp.txt
[ Affected Products ]
Cisco IOS
Tested on
IOS 11.1 - 11.3
Cisco Bug ID: <not assigned>
CERT Vulnerability ID: 689579
[ Vendor communication ]
06/29/02 Initial Notification,
security-alert@cisco.com & psirt@cisco.com
*Note-Initial notification by phenoelit
includes a cc to cert@cert.org by default
06/30/02 Human confirmation from PSIRT @ Cisco
06/30/02 (2) Discussion of detail
07/01/02 Continued discussion for reproducing problem
07/01/02 Receipt, ack. and clarification by CERT@CERT.ORG
07/03/02 Continued discussions with PSIRT
07/19/02 Notification of intent to post publically
in apx. 7 days.
07/25/02 Final coordination for release.
[ Overview ]
Cisco Systems Routers are the most widely used routers.
Cisco Routers are embedded network devices that run a dedicated
Operating System, the Cisco IOS.
[ Description ]
The Cisco IOS integrated TFTP server suffers from a buffer overflow
condition.
When requesting a file name with approximately 700 characters, the device
crashes and may reboot. This only happens, if the served file is on a
flash device and no alias is assigned to it.
Vulnerable:
router# conf t
router# tftp-server flash:ios_11.3_a-b-c-d.bin
Not vulnerable:
router# conf t
router# tftp-server flash:ios_11.3_a-b-c-d.bin alias TheStuff
[ Example ]
OpenBSD# tftp cisco53.navy.smil.mil
tftp> get AAAAAAAAA....(700 times)
[ Solution ]
None available at this time
[ end of file ]
--------------070202040806020802040103--
