[NEWS] Sending 2GB Data in GET Request Causes Buffer Overflow in Cisco IOS Software

From: SecuriTeam (support_at_securiteam.com)
Date: 08/10/03

  • Next message: SecuriTeam: "[NEWS] Cisco CSS 11000 Series Denial of Service (TCP SYN)"
    To: list@securiteam.com
    Date: 10 Aug 2003 16:42:15 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    Sending 2GB Data in GET Request Causes Buffer Overflow in Cisco IOS Software
    ------------------------------------------------------------------------

    SUMMARY

    If the Hypertext Transfer Protocol (HTTP) server is enabled on a Cisco IOS®
    software device, the device is vulnerable to a malformed HTTP GET request
    that contains two gigabytes of data. Such a request causes the router to
    reload with a buffer overflow condition, and the overflow may be exploited
    to execute arbitrary code on the router.

    The HTTP server is enabled on a Cisco IOS device if ip http server is
    present in the configuration; a device without that line is not exposed.

    DETAILS

    Affected Products:
    All Cisco IOS software versions except 12.3 and 12.3T are affected. Cisco
    CatOS and Cisco PIX software are not affected.

    This vulnerability has been assigned the Cisco bug ID CSCeb50339
    (registered customers only). Workarounds are available to mitigate the
    effects.

    This vulnerability was discovered by FX of Phenoelit.

    Fixed Software:
    This vulnerability is fixed, or scheduled to be fixed, in the following
    Cisco IOS software versions (interim builds are listed where one exists;
    the maintenance column gives the first regular maintenance release that
    carries the fix and its planned availability):

    Train    Description            Interim                     Maintenance
    12.0S    Core/ISP               12.0(25.4)S1                12.0(26)S (2003-Aug)
    12.1     General Deployment     -                           12.1(22) (2003-Dec)
    12.1E    Enterprise Support     12.1(19.3)E (2003-Aug-01)   12.1(20)E (2003-Sep-29)
    12.2     12.2 Mainline          12.2(18.2)                  12.2(19) (2003-Aug-25)
    12.2T    Technology Train       12.2(15)T                   12.2(15)T5
    12.2JA   Access Point Special   12.2(11)JA1                 12.2(11)JA1

    Note: 12.3 and 12.3T-based images are not vulnerable.
     
    Workaround:
    The workaround is to configure an access list that explicitly permits only
    authorized hosts or networks to reach the HTTP service, and to bind that
    access list to the HTTP server with ip http access-class. If the HTTP
    server is not needed at all, removing it from the configuration
    (no ip http server) closes the exposure entirely, since the device is only
    affected while ip http server is present.

    The syntax for this command for routers and switches running Cisco IOS
    software is:

    ip http access-class <access-list number>

    access-list <access-list number> permit host <authorized host #1>
    access-list <access-list number> permit host <authorized host #2>
    ....
    access-list <access-list number> deny any

    The <access-list number> in the above example must be a standard IP access
    list, i.e. in the range 1-99. The trailing deny any is the implicit default
    at the end of every IOS access list and is shown here for clarity; the list
    must contain at least one permit entry, or all HTTP access, including from
    the intended management hosts, will be denied. Note that the access list
    only limits which sources can reach the vulnerable service; it does not
    correct the overflow, so upgrading to fixed software remains the real fix.
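
    The exposure condition from the SUMMARY (ip http server present) and the
    access-class workaround above can be checked mechanically against a saved
    running-config. The following script is an added example and is not part
    of the Cisco or SecuriTeam advisory; it parses the config text, reports
    whether the HTTP server is enabled, whether ip http access-class binds a
    standard ACL to it, and what that ACL permits (flagging a permit any, an
    out-of-range ACL number, and a list with no permit entries). The two sample
    configurations at the bottom are constructed for illustration and the
    hostnames and addresses in them are assumptions.

```python
"""Audit an IOS running-config text for the HTTP server exposure.

Added example, not from the advisory: checks for 'ip http server', for an
'ip http access-class' binding, and for what the bound standard ACL permits.
The sample configs at the bottom are constructed (hostnames/addresses assumed).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HttpExposure:
    http_enabled: bool                                   # 'ip http server' present
    access_class: Optional[int] = None                   # ACL bound via access-class
    permitted: List[str] = field(default_factory=list)   # permit targets of that ACL
    findings: List[str] = field(default_factory=list)    # human-readable verdicts


def parse_standard_acl(config: str, number: int) -> List[Tuple[str, str]]:
    """Return (action, target) pairs of numbered ACL `number`, in config order."""
    pat = re.compile(rf"^\s*access-list\s+{number}\s+(permit|deny)\s+(.+?)\s*$", re.M)
    return [(m.group(1), m.group(2)) for m in pat.finditer(config)]


def audit_http_exposure(config: str) -> HttpExposure:
    lines = [ln.strip() for ln in config.splitlines()]
    enabled = "ip http server" in lines
    result = HttpExposure(http_enabled=enabled)
    if not enabled:
        result.findings.append("OK: 'ip http server' absent, device not exposed")
        return result
    result.findings.append("EXPOSED: 'ip http server' present; affected unless "
                           "running fixed software")

    acl = None
    for ln in lines:
        m = re.fullmatch(r"ip http access-class (\d+)", ln)
        if m:
            acl = int(m.group(1))
    if acl is None:
        result.findings.append("MISSING WORKAROUND: no 'ip http access-class', "
                               "HTTP reachable from any source")
        return result
    result.access_class = acl
    if not 1 <= acl <= 99:
        result.findings.append(f"WARNING: access-class {acl} is not a standard "
                               "ACL (1-99)")

    permits = [t for a, t in parse_standard_acl(config, acl) if a == "permit"]
    if not permits:
        # IOS access lists end with an implicit 'deny any': a list with no
        # permit entries blocks the HTTP server for everyone, management included.
        result.findings.append(f"WARNING: access-list {acl} has no permit entries, "
                               "all HTTP access (including management) is denied")
        return result
    result.permitted = permits
    if "any" in permits:
        result.findings.append(f"WEAK: access-list {acl} permits any, workaround "
                               "is ineffective")
        return result
    result.findings.append(f"OK: HTTP restricted by access-list {acl} to "
                           f"{len(permits)} permit entries")
    return result


# Constructed sample configurations (not taken from any real device).
SAMPLE_EXPOSED = """\
hostname edge-1
ip http server
"""

SAMPLE_MITIGATED = """\
hostname edge-2
ip http server
ip http access-class 10
access-list 10 permit host 192.0.2.10
access-list 10 permit 198.51.100.0 0.0.0.255
access-list 10 deny any
"""

if __name__ == "__main__":
    for cfg in (SAMPLE_EXPOSED, SAMPLE_MITIGATED):
        for finding in audit_http_exposure(cfg).findings:
            print(finding)
```

    Feed it the output of show running-config saved to a file; a device that
    reports EXPOSED together with MISSING WORKAROUND or WEAK needs either the
    access-class applied or the HTTP server removed until it runs a fixed
    release from the table above.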

    Exploit:
    The exploit can be downloaded from:
    http://www.phenoelit.de/ultimaratio/CiscoCasumEst.tgz

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://www.cisco.com/warp/public/707/cisco-sn-20030730-ios-2gb-get.shtml

    The information has been provided by FX (fx@phenoelit.de) of Phenoelit and
    Cisco Product Security.


