[28986] in bugtraq


Re: Cisco IOS OSPF exploit

daemon@ATHENA.MIT.EDU (KF)
Sun Feb 23 12:10:14 2003

Message-ID: <3E56D13C.6060602@snosoft.com>
Date: Fri, 21 Feb 2003 20:24:12 -0500
From: KF <dotslash@snosoft.com>
MIME-Version: 1.0
To: Mike Caudill <mcaudill@cisco.com>
In-Reply-To: <200302212229.h1LMToD25063@rtp-cse-184.cisco.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

I am curious as to what part of executing shellcode entails a denial of 
service... I think that is a bit of a downplay... remote code execution 
is not a DOS...denial of service could however be a side effect of a bad 
offset in an exploit.

A lot of vendors make this sort of downplay on issues that could allow 
remote code execution... they simply call it a DOS. For example the 
Squid proxy "ftp DOS"... the exploit I saw caused a bit more than denial 
of service.

How does "basically own the router" become ... "is vulnerable to a denial 
of service if..."

---- snippet -----

 * The attached program is a PoC to exploit
 * this vulnerability by executing "shell code" on the router and write the
 * attached configuration into NVRAM to basically own the router.

-KF


Mike Caudill wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> Cisco can confirm the statement made by FX from Phenoelit in his message 
> "Cisco IOS OSPF exploit" posted on 2003-Feb-20. The OSPF implementation in 
> certain Cisco IOS versions is vulnerable to a denial of service if it 
> receives a flood of neighbor announcements in which more than 255 hosts 
> try to establish a neighbor relationship per interface.
> 
> 
> One workaround for this issue is to configure OSPF MD5 authentication.
> This may be done per interface or per area.
> 
> Another possible workaround is to apply inbound access lists to explicitly 
> allow certain OSPF neighbors only:
> 
> access-list 100 permit ospf host a.b.c.x host 224.0.0.5
> access-list 100 permit ospf host a.b.c.x host interface_ip
> access-list 100 permit ospf host a.b.c.y host 224.0.0.5
> access-list 100 permit ospf host a.b.c.y host interface_ip
> access-list 100 permit ospf host a.b.c.z host 224.0.0.5
> access-list 100 permit ospf host a.b.c.z host interface_ip
> access-list 100 permit ospf any host 224.0.0.6
> access-list 100 deny ospf any any
> access-list 100 permit ip any any
> 
> 
> Cisco IOS Versions 11.1 - 12.0 are subject to this vulnerability.
> This bug has been resolved.  The following versions of Cisco IOS software
> are the first fixed releases, meaning that any subsequent releases also 
> contain the fix:
> 
> 	12.0(19)S
> 	12.0(19)ST
> 
> 	12.1(1)
> 	12.1(1)DB
> 	12.1(1)DC
> 	12.1(1)T
> 
> 
> We would like to thank FX for his continued cooperation with us in the 
> spirit of responsible disclosure and working to increase awareness of 
> security issues.
> 
> For information on working with the Cisco PSIRT regarding potential security
> issues, please see our contact information at 
> 
> http://www.cisco.com/warp/public/707/sec_incident_response.shtml#Problems
> 
> Thank you,
> 
> - -Mike-
> 
> 
> 
>>Hi there,
>>
>>attached you may find the exploit for the Cisco IOS bug ID CSCdp58462. The bug
>>is long fixed, so if you still run OSPF on an old version of IOS, now is a good
>>time to give your routers some attention.
>>
>>FX 
>>
>>-- 
>>         FX           <fx@phenoelit.de>
>>      Phenoelit   (http://www.phenoelit.de)
>>672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
>>
>>/* Cisco IOS IO memory exploit proof of concept 
>> * by FX of Phenoelit <fx@phenoelit.de>
>> * http://www.phenoelit.de
>> *
>> * For: 
>> * 	19C3 Chaos Communication Congress 2002 / Berlin
>> * 	BlackHat Briefings Seattle 2003
>> * 
>> * Cisco IOS 11.2.x to 12.0.x OSPF neighbor overflow
>> * Cisco Bug CSCdp58462 causes more than 255 OSPF neighbors to overflow an IO memory
>> * structure (small buffer header). The attached program is a PoC to exploit 
>> * this vulnerability by executing "shell code" on the router and write the 
>> * attached configuration into NVRAM to basically own the router. 
>> *
> 
> 
> - -- 
> - ----------------------------------------------------------------------------
> |      ||        ||       | Mike Caudill              | mcaudill@cisco.com |
> |      ||        ||       | PSIRT Incident Manager    | 919.392.2855       |
> |     ||||      ||||      | DSS PGP: 0xEBBD5271       | 919.522.4931 (cell)|
> | ..:||||||:..:||||||:..  | RSA PGP: 0xF482F607       ---------------------|
> | C i s c o S y s t e m s | http://www.cisco.com/go/psirt                  |
> - ----------------------------------------------------------------------------
> 
> 


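As an added example that is not part of this thread (and not Cisco's or FX's code), the Python below models the inbound access-list workaround quoted above as a first-match filter, so a defender can check which OSPF packets a router would still accept once only known neighbors are permitted. The neighbor addresses, the interface IP and the flood sources are constructed placeholders.

```python
# Added example: first-match model of the advisory's "access-list 100".
# All addresses are constructed; they stand in for a.b.c.x / interface_ip.
from dataclasses import dataclass
from ipaddress import ip_address

ALL_SPF_ROUTERS = "224.0.0.5"   # OSPF Hellos are sent to this group
ALL_D_ROUTERS = "224.0.0.6"     # DR/BDR group, permitted from any source

INTERFACE_IP = "10.0.0.1"                   # constructed
KNOWN_NEIGHBORS = ["10.0.0.2", "10.0.0.3"]  # constructed: a.b.c.x, a.b.c.y


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ospf" or "ip" (ip matches every IP protocol)
    src: str      # host address or "any"
    dst: str


def build_acl(neighbors, interface_ip):
    """Same entry order as the advisory: listed neighbors to 224.0.0.5 and
    to the interface, anyone to 224.0.0.6, deny other OSPF, permit rest."""
    acl = []
    for n in neighbors:
        acl.append(Ace("permit", "ospf", n, ALL_SPF_ROUTERS))
        acl.append(Ace("permit", "ospf", n, interface_ip))
    acl.append(Ace("permit", "ospf", "any", ALL_D_ROUTERS))
    acl.append(Ace("deny", "ospf", "any", "any"))
    acl.append(Ace("permit", "ip", "any", "any"))
    return acl


def _match(pattern, addr):
    return pattern == "any" or ip_address(pattern) == ip_address(addr)


def evaluate(acl, proto, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto in ("ip", proto) and _match(ace.src, src) \
                and _match(ace.dst, dst):
            return ace.action
    return "deny"


def hellos_admitted(acl, sources):
    """How many distinct sources get a Hello (to 224.0.0.5) past the ACL."""
    return sum(evaluate(acl, "ospf", s, ALL_SPF_ROUTERS) == "permit"
               for s in sources)


ACL = build_acl(KNOWN_NEIGHBORS, INTERFACE_IP)
# Constructed: 300 unknown sources, more than the 255 the advisory mentions.
FLOOD_SOURCES = [str(ip_address("10.0.1.0") + i) for i in range(300)]
```

Running `hellos_admitted(ACL, FLOOD_SOURCES)` returns 0, while the two configured neighbors still pass; note that, as written in the advisory, the seventh entry admits any source to 224.0.0.6.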