[NEWS] Sending 2GB Data in GET Request Causes Buffer Overflow in Cisco IOS Software
From: SecuriTeam (support_at_securiteam.com)
Date: 08/10/03
To: list@securiteam.com Date: 10 Aug 2003 16:42:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Sending 2GB Data in GET Request Causes Buffer Overflow in Cisco IOS
Software
------------------------------------------------------------------------
SUMMARY
If the Hypertext Transfer Protocol (HTTP) server is enabled on a Cisco IOS®
software device, the device is vulnerable to a malformed HTTP GET request
that contains two gigabytes of data. Such a request causes the router to
reload with a buffer overflow condition, and it may be exploited to execute
arbitrary code on the router.
The HTTP server is enabled on a Cisco IOS device if ip http server is
present in the configuration.
DETAILS
Affected Products:
All Cisco IOS software versions except 12.3 and 12.3T are affected. CatOS
and PIX are not affected.
This vulnerability has been assigned the Cisco bug ID CSCeb50339
(registered customers only). Workarounds are available to mitigate the
effects.
This vulnerability has been discovered by FX of Phenoelit.
Fixed Software:
This vulnerability is currently fixed or scheduled to be fixed in the
following Cisco IOS software versions:
Train    Description            Interim                     Maintenance
12.0S    Core/ISO               12.0(25.4)S1                12.0(26)S (2003-Aug)
12.1     General Deployment     -                           12.1(22) (2003-Dec)
12.1E    Enterprise Support     12.1(19.3)E (2003-Aug-01)   12.1(20)E (2003-Sep-29)
12.2     12.2 Mainline          12.2(18.2)                  12.2(19) (2003-Aug-25)
12.2T    Technology Train       12.2(15)T                   12.2(15)T5
12.2JA   Access Point Special   12.2(11)JA1                 12.2(11)JA1
Note: 12.3 and 12.3T-based images are not vulnerable.
Workaround:
The workaround is to configure access lists to explicitly permit
authorized hosts or networks to the http service.
The syntax for this command for routers and switches running Cisco IOS
software is:
ip http access-class <access-list number>
access-list <access-list number> permit host <authorized host #1>
access-list <access-list number> permit host <authorized host #2>
....
access-list <access-list number> deny any
The <access-list number> in the above example needs to be in the range of
1-99.
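A configuration check for the workaround above, as an added example that is
not part of the original advisory or of Cisco's tooling. It reads a saved
running configuration and reports whether the HTTP server is enabled without
the access list restriction; the function name, sample configurations and
host addresses are constructed for illustration.

```python
import re

# Constructed sample configurations (not from the advisory); the host
# addresses are documentation-range placeholders.
EXPOSED = """\
hostname rtr-a
ip http server
"""
RESTRICTED = """\
hostname rtr-b
ip http server
ip http access-class 10
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
access-list 10 deny any
"""

def audit_http_server(config):
    """Return a list of findings; an empty list means nothing to report."""
    lines = [ln.strip() for ln in config.splitlines()]
    if "ip http server" not in lines:
        return []  # HTTP server not enabled, so the advisory's condition is absent
    classes = [m.group(1) for ln in lines
               if (m := re.fullmatch(r"ip http access-class (\d+)", ln))]
    if not classes:
        return ["ip http server enabled with no ip http access-class"]
    acl = classes[-1]  # assumption: the last access-class line is the effective one
    findings = []
    if not 1 <= int(acl) <= 99:
        findings.append(f"access list {acl} is outside the 1-99 range")
    # Collect the body of every entry of the referenced list, in order.
    entries = [ln.split(None, 2)[2] for ln in lines
               if re.match(rf"access-list {acl}\s+\S", ln)]
    if not entries:
        findings.append(f"access list {acl} has no entries")
    else:
        if "permit any" in entries:
            findings.append(f"access list {acl} contains permit any")
        if entries[-1] != "deny any":
            findings.append(f"access list {acl} does not end with deny any")
    return findings

if __name__ == "__main__":
    for name, cfg in (("EXPOSED", EXPOSED), ("RESTRICTED", RESTRICTED)):
        print(name, audit_http_server(cfg) or "OK")
```

The check only recognises the numbered access list syntax shown in the
advisory; any other form of the command is reported as a missing access-class.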
Exploit:
The exploit can also be downloaded:
http://www.phenoelit.de/ultimaratio/CiscoCasumEst.tgz
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
http://www.cisco.com/warp/public/707/cisco-sn-20030730-ios-2gb-get.shtml
The information has been provided by FX (fx@phenoelit.de) and
Cisco Product Security.