[Full-Disclosure] DoS Downplay?

From: KF (dotslash@snosoft.com)
Date: 02/22/03

    From: KF <dotslash@snosoft.com>
    To: Full-Disclosure <Full-Disclosure@lists.netsys.com>
    Date: Sat, 22 Feb 2003 12:47:10 -0500
    

    I think I have been censored or at least subject to temporary moderation
    or possibly just a slow mail server or a sleepy moderator... I should
    not make assumptions either way but I definitely have a comment to make
    and don't feel like waiting on it to hit bugtraq. See attached forward.

    -KF

    
    

    attached mail follows:


    Date: Fri, 21 Feb 2003 20:24:31 -0500
    From: KF <dotslash@snosoft.com>
    To: Mike Caudill <mcaudill@cisco.com>
    
    

    I am curious as to what part of executing shellcode entails a denial of
    service... I think that is a bit of downplay... remote code execution
    is not a DoS... denial of service could however be a side effect of a bad
    offset in an exploit.

    A lot of vendors make this sort of downplay on issues that could allow
    remote code execution... they simply call it a DoS. For example the
    Squid proxy "ftp DOS"... the exploit I saw caused a bit more than denial
    of service.

    How does "basically own the router" become... "is vulnerable to a denial
    of service if..."?

    ---- snippet -----

     * The attached program is a PoC to exploit
     * this vulnerability by executing "shell code" on the router and write the
     * attached configuration into NVRAM to basically own the router.

    -KF

    Mike Caudill wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    >
    >
    > Cisco can confirm the statement made by FX from Phenoelit in his message
    > "Cisco IOS OSPF exploit" posted on 2003-Feb-20. The OSPF implementation in
    > certain Cisco IOS versions is vulnerable to a denial of service if it
    > receives a flood of neighbor announcements in which more than 255 hosts
    > try to establish a neighbor relationship per interface.
    >
    >
    > One workaround for this issue is to configure OSPF MD5 authentication.
    > This may be done per interface or per area.
    >
    > Another possible workaround is to apply inbound access lists to explicitly
    > allow certain OSPF neighbors only:
    >
    > access-list 100 permit ospf host a.b.c.x host 224.0.0.5
    > access-list 100 permit ospf host a.b.c.x host interface_ip
    > access-list 100 permit ospf host a.b.c.y host 224.0.0.5
    > access-list 100 permit ospf host a.b.c.y host interface_ip
    > access-list 100 permit ospf host a.b.c.z host 224.0.0.5
    > access-list 100 permit ospf host a.b.c.z host interface_ip
    > access-list 100 permit ospf any host 224.0.0.6
    > access-list 100 deny ospf any any
    > access-list 100 permit ip any any
    >
    >
    > Cisco IOS Versions 11.1 - 12.0 are subject to this vulnerability.
    > This bug has been resolved. The following versions of Cisco IOS software
    > are the first fixed releases, meaning that any subsequent releases also
    > contain the fix:
    >
    > 12.0(19)S
    > 12.0(19)ST
    >
    > 12.1(1)
    > 12.1(1)DB
    > 12.1(1)DC
    > 12.1(1)T
    >
    >
    > We would like to thank FX for his continued cooperation with us in the
    > spirit of responsible disclosure and working to increase awareness of
    > security issues.
    >
    > For information on working with the Cisco PSIRT regarding potential security
    > issues, please see our contact information at
    >
    > http://www.cisco.com/warp/public/707/sec_incident_response.shtml#Problems
    >
    > Thank you,
    >
    > - -Mike-
    >
    >
    >
    >>Hi there,
    >>
    >>attached you may find the exploit for the Cisco IOS bug ID CSCdp58462. The bug
    >>is long fixed, so if you still run OSPF on a old version of IOS, now is a good
    >>time to give your routers some attention.
    >>
    >>FX
    >>
    >>--
    >> FX <fx@phenoelit.de>
    >> Phenoelit (http://www.phenoelit.de)
    >>672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
    >>
    >>/* Cisco IOS IO memory exploit proof of concept
    >> * by FX of Phenoelit <fx@phenoelit.de>
    >> * http://www.phenoelit.de
    >> *
    >> * For:
    >> * 19C3 Chaos Communication Congress 2002 / Berlin
    >> * BlackHat Briefings Seattle 2003
    >> *
    >> * Cisco IOS 11.2.x to 12.0.x OSPF neighbor overflow
    >> * Cisco Bug CSCdp58462 causes more than 255 OSPF neighbors to overflow an IO memory
    >> * structure (small buffer header). The attached program is a PoC to exploit
    >> * this vulnerability by executing "shell code" on the router and write the
    >> * attached configuration into NVRAM to basically own the router.
    >> *
    >
    >
    > - --
    > - ----------------------------------------------------------------------------
    > | || || | Mike Caudill | mcaudill@cisco.com |
    > | || || | PSIRT Incident Manager | 919.392.2855 |
    > | |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)|
    > | ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------|
    > | C i s c o S y s t e m s | http://www.cisco.com/go/psirt |
    > - ----------------------------------------------------------------------------
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGP 6.5.2
    >
    > iQA/AwUBPlaoLYpjyUnrvVJxEQLcZgCgxAkatIdM5EjV4uMcDgJqd/aFx9EAoPbm
    > Sw0/fZvhc3uuv0NnuBwfSWnw
    > =McnI
    > -----END PGP SIGNATURE-----
    >

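The disagreement in the thread above is about what an unchecked 256th OSPF neighbor actually does to the adjacent "small buffer header". The model below is an added illustration written for this page, not Cisco IOS code and not FX's PoC: it assumes a hypothetical flat IO memory block holding a 255-slot table of 4-byte Router IDs followed directly by an 8-byte header (a next-buffer offset and a magic value). The vulnerable writer never checks the count, so the 256th announcement drops its Router ID on `header.next`; whether the box then "faults" or silently follows an attacker-chosen pointer depends only on what value the attacker put in that Router ID, which is the point KF makes about a bad offset turning code execution into a denial of service. The hardened writer simply refuses the 256th neighbor. All names, sizes and the outcome codes are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not Cisco's): a table of 255 four-byte Router IDs followed
 * immediately by a small 8-byte buffer header, all in one flat block. */
#define MAX_NEIGHBORS 255u
#define SLOT_BYTES    4u
#define TABLE_BYTES   (MAX_NEIGHBORS * SLOT_BYTES)     /* 1020 */
#define HDR_BYTES     8u                                /* next(4) + magic(4) */
#define IOMEM_BYTES   (TABLE_BYTES + HDR_BYTES)         /* 1028 */
#define HDR_MAGIC     0x0BADF00Du

typedef struct {
    uint8_t  mem[IOMEM_BYTES];
    unsigned count;      /* neighbors currently stored in the table */
} iomem_t;

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void iomem_init(iomem_t *m) {
    memset(m, 0, sizeof *m);
    put_be32(m->mem + TABLE_BYTES, 0);             /* header.next = none */
    put_be32(m->mem + TABLE_BYTES + 4, HDR_MAGIC);
}

/* Vulnerable: assumes at most 255 neighbors per interface and never checks,
 * so the 256th announcement writes its Router ID over header.next. */
int add_neighbor_vuln(iomem_t *m, uint32_t router_id) {
    unsigned off = m->count * SLOT_BYTES;
    if (off + SLOT_BYTES > IOMEM_BYTES)
        return -2;   /* model boundary only: real hardware would have faulted */
    put_be32(m->mem + off, router_id);
    m->count++;
    return 0;
}

/* Hardened: a full table rejects the announcement instead of overrunning. */
int add_neighbor_safe(iomem_t *m, uint32_t router_id) {
    if (m->count >= MAX_NEIGHBORS)
        return -1;
    put_be32(m->mem + m->count * SLOT_BYTES, router_id);
    m->count++;
    return 0;
}

enum { HDR_INTACT = 0, HDR_HIJACKED = 1, HDR_CRASH = 2 };

/* What happens when the router later walks the header.  A next "pointer" that
 * is aligned and inside the block is followed silently (the attacker chose
 * where control goes); an unaligned or out-of-range value, i.e. a bad offset,
 * faults the box, which is the denial of service KF calls a side effect. */
int follow_header(const iomem_t *m) {
    uint32_t next  = get_be32(m->mem + TABLE_BYTES);
    uint32_t magic = get_be32(m->mem + TABLE_BYTES + 4);
    if (magic != HDR_MAGIC)                   return HDR_CRASH;
    if (next == 0)                            return HDR_INTACT;
    if (next % 4 != 0 || next >= IOMEM_BYTES) return HDR_CRASH;
    return HDR_HIJACKED;
}

/* Flood one interface with n neighbors (constructed IDs 10.0.0.1, 10.0.0.2, ...);
 * the last one carries the attacker-chosen Router ID.  Returns the outcome. */
int flood(int (*add)(iomem_t *, uint32_t), unsigned n, uint32_t last_id) {
    static iomem_t m;
    iomem_init(&m);
    for (unsigned i = 0; i < n; i++) {
        uint32_t id = (i + 1 == n) ? last_id : 0x0A000001u + i;
        if (add(&m, id) != 0)
            break;                        /* table full: announcement dropped */
    }
    return follow_header(&m);
}

int main(void) {
    printf("safe, 256 neighbors          -> %d (0 = intact)\n",
           flood(add_neighbor_safe, 256, 0xDEADBEEFu));
    printf("vuln, 256th id = 0xDEADBEEF  -> %d (2 = crash)\n",
           flood(add_neighbor_vuln, 256, 0xDEADBEEFu));
    printf("vuln, 256th id = 0x00000008  -> %d (1 = hijacked)\n",
           flood(add_neighbor_vuln, 256, 0x00000008u));
    return 0;
}
```

The three runs in `main` are the whole argument in miniature: the patched writer stays intact under the flood, the unpatched one crashes when the overflowing Router ID is garbage, and the same unpatched code hands the attacker a valid header pointer when the Router ID is chosen to fit the layout. Only the attacker's choice of value separates the "DoS" from the "own the router" outcome; the bug is identical in both cases.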

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html