--
kim0 <kim0@phenoelit.de>
Phenoelit (http://www.phenoelit.de)
90C0 969C EC71 01DC 36A0 FBEF 2D72 33C0 77FC CD42
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++-->
[ Authors ]
FX <fx@phenoelit.de>
FtR <ftr@phenoelit.de>
kim0 <kim0@phenoelit.de>
Phenoelit Group (http://www.phenoelit.de)
Advisory http://www.phenoelit.de/stuff/Cisco_tftp.txt
[ Affected Products ]
Cisco IOS
Tested on
IOS 11.1 - 11.3
Cisco Bug ID: <not assigned>
CERT Vulnerability ID: 689579
[ Vendor communication ]
06/29/02 Initial Notification,
security-alert@cisco.com & psirt@cisco.com
*Note-Initial notification by phenoelit
includes a cc to cert@cert.org by default
06/30/02 Human confirmation from PSIRT @ Cisco
06/30/02 (2) Discussion of detail
07/01/02 Continued discussion for reproducing problem
07/01/02 Receipt, ack. and clarification by CERT@CERT.ORG
07/03/02 Continued discussions with PSIRT
07/19/02 Notification of intent to post publically
in apx. 7 days.
07/25/02 Final coordination for release.
[ Overview ]
Cisco Systems Routers are the most widely used routers.
Cisco Routers are embedded network devices that run a dedicated
Operating System, the Cisco IOS.
[ Description ]
The Cisco IOS integrated TFTP server suffers from a buffer overflow
condition.
When requesting a file name with approximately 700 characters, the device
crashes and may reboot. This only happens, if the served file is on a
flash device and no alias is assigned to it.
Vulnerable:
router# conf t
router# tftp-server flash:ios_11.3_a-b-c-d.bin
Not vulnerable:
router# conf t
router# tftp-server flash:ios_11.3_a-b-c-d.bin alias TheStuff
[ Example ]
OpenBSD# tftp cisco53.navy.smil.mil
tftp> get AAAAAAAAA....(700 times)
[ Solution ]
None available at this time
[ end of file ]
