From: Church, Chuck (cchurch@netcogov.com)
Date: Mon Aug 01 2005 - 23:50:22 GMT-3
It's starting to look more and more that this vulnerability is a real
shot in the dark. Doing a 'sh ip sockets' on a few routers I've got on
the 'net (various customers, etc), shows the 12.1 and 12.2T not
listening on any ports above SNMP - 162. But a 12.3 I looked at was
listening on 52122, not really sure why. 'sh ip sock' doesn't appear to
give you info about TCP ports, not sure if there is an equivalent
command. So it seems that sending these crafted packets to random high
ports would be a real trick, because they may not exist. Even if they do
exist, control plane policing may drop some if the rate is too high.
Certainly an IDS watching for these packets aimed at a router interface
would have time to shun that remote host before anything was
compromised. At least that's what I'm thinking. Of course, an internet
connected router with no access lists at all is probably just waiting to
be compromised. Next week or so should be interesting...
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 864-266-3978
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Church, Chuck
Sent: Monday, August 01, 2005 5:42 PM
To: Scott Morris; Simon Hamilton-Wilkes; security@groupstudy.com
Subject: RE: The Cisco, Black Hat News....
That makes sense. So a locked-down control plane on a router should be
fairly resistant to attack? Assume I've got an internet-facing router,
with an access-list that blocks all IP where the destination is the
router's interface itself. (Or perhaps I'm only allowing in
authenticated BGP and ICMP echo). No other traffic is allowed to hit
router interfaces directly from the outside. Would that stop the crash,
or could more insidious methods crash the stack, such as a transiting
packet with IP options set, or something else that forces it to hit the
CPU, rather than be fast switched? With all the anti-DOS stuff Cisco
has rolled into IOS lately, it seems there might be a non-upgrade method
of mitigating this...
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 864-266-3978
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
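A worked configuration for the setup described in the message above (an interface access-list that lets only an authenticated BGP session and ICMP echo reach the router itself, with control plane policing and IP-option filtering as a second layer for the transit-packet case). This is an added example, not from any message in this thread or from Cisco documentation; the interface name, the 192.0.2.x addresses, the AS numbers, the police rates and the assumption that the running image supports `ip options drop` and the `option` ACL keyword (12.3(4)T-era features) are all assumptions, and `<password>` is a placeholder.

```cisco
! Added example, not from the thread. Assumed topology: outside interface
! Serial0/0 with address 192.0.2.1, eBGP peer at 192.0.2.2 (documentation
! addresses, constructed for this example).
!
! 1. Infrastructure ACL on the outside interface: only BGP from the known
!    peer and ICMP echo may be addressed to the router itself. Everything
!    else aimed at the interface address is dropped; transit traffic is
!    left alone. The "option" entry drops packets carrying IP options so
!    they are never punted to the CPU (keyword assumed available).
ip access-list extended OUTSIDE-IN
 deny   ip any any option any-options
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 permit icmp any host 192.0.2.1 echo
 deny   ip any host 192.0.2.1
 permit ip any any
!
! 2. Same protection for options at the global level (command assumed to
!    exist on the running image).
ip options drop
!
! 3. MD5 authentication on the BGP session so a spoofed peer address does
!    not get a usable session even though it matches the ACL.
router bgp 64496
 neighbor 192.0.2.2 remote-as 64497
 neighbor 192.0.2.2 password <password>
!
! 4. Control plane policing: anything that still reaches the CPU on a high
!    port is dropped outright; the BGP peer's replies to our ephemeral port
!    are exempted first (a "deny" in a CoPP class ACL means "not in class").
ip access-list extended CPP-UNDESIRABLE
 deny   tcp host 192.0.2.2 eq bgp host 192.0.2.1 range 1024 65535
 permit tcp any any range 1024 65535
 permit udp any any range 1024 65535
!
class-map match-all CPP-UNDESIRABLE
 match access-group name CPP-UNDESIRABLE
!
policy-map CPP
 class CPP-UNDESIRABLE
  police 8000 1500 1500 conform-action drop exceed-action drop
 class class-default
  police 50000 3000 3000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CPP
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group OUTSIDE-IN in
```

The interface ACL does the bulk of the work; CoPP only matters for what the ACL lets through or for traffic arriving on an interface without one, so the two are meant to be applied together rather than as alternatives. The class-default rate is deliberately generous and would be tuned to the real volume of routing, management and ICMP traffic the box actually handles.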
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott Morris
Sent: Monday, August 01, 2005 4:00 PM
To: Church, Chuck; 'Simon Hamilton-Wilkes'; security@groupstudy.com
Subject: RE: The Cisco, Black Hat News....
He did a pseudo-telnet through a higher port by specially crafted packets
that crashed the stack within IPv6 processing and gave him a terminal
prompt. So it's certainly nothing that a "normal" person does to access a
router, but nobody ever accused hackers of being normal. :)
It is an attack that certainly involves much more code-level programming
knowledge than any normal sane person has.
Scott
-----Original Message-----
From: Church, Chuck [mailto:cchurch@netcogov.com]
Sent: Monday, August 01, 2005 3:13 PM
To: Scott Morris; Simon Hamilton-Wilkes; security@groupstudy.com
Subject: RE: The Cisco, Black Hat News....
The thing that I'm still unsure about is how this 'vulnerability' is
actually exploited. The details of the conference told of Lynn running a
shell script on the router -
http://www.tomsnetworking.com/Sections-article131-page4.php
How exactly did he connect? Console, telnet, some remote unix-type command?
To my knowledge, no self-respecting ISP is going to leave any of those
access methods open to the outside. Nor are they going to hack their own
routers from the inside. Is this whole thing blown out of proportion?
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 864-266-3978
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott Morris
Sent: Monday, August 01, 2005 12:23 PM
To: 'Simon Hamilton-Wilkes'; security@groupstudy.com
Subject: RE: The Cisco, Black Hat News....
I have gone through the preso, and spoken to some that were there.
Yes, the preso is about stack heaps and memory-related things. But not
every compiled routine has vulnerabilities. :) It's kind of like me
describing to you that locks are easy to pick. Some are, some aren't and
not everything that has a lock has a vulnerable one.
The code he used to demonstrate the attack was IPv6-related.
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Simon Hamilton-Wilkes
Sent: Monday, August 01, 2005 10:47 AM
To: security@groupstudy.com
Subject: RE: The Cisco, Black Hat News....
This is not correct at all, have you read the presentation?
The IPv6 is unrelated, this one is an architectural issue within IOS, and
though it's specific to an IOS version (due to requiring a specific memory
offset for each one) it's still out there.
Cisco should know better than to try and suppress the presentation now
anyhow, it's mirrored all over the Internet now.
Simon
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott Morris
Sent: Friday, July 29, 2005 9:05 PM
To: chon_mon@nym.hush.com; ccielab@groupstudy.com;
security@groupstudy.com
Subject: RE: The Cisco, Black Hat News....
Only if you are running IPv6. And only if someone is on a locally attached
network...
And only if that person doing so has some really good coding capabilities.
And only when three moons of Jupiter are in perfect alignment. (This is
where the entertainment comes in for weighing statistical POSSIBILITY
against statistical PROBABILITY, especially when it's a vulnerability
created with very specific knowledge that most people don't have.)
It's an interesting presentation all in all, and sure, it's a
vulnerability.
But there's more hoopla about the whole PROCESS that happened at Black Hat
than any other part. :) It was a horrible day or two in PR for all involved.
Check out PSIRT. There's a free IOS upgrade in it even for non-contract
holders (gotta call TAC).
HTH,
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
chon_mon@nym.hush.com
Sent: Friday, July 29, 2005 9:08 PM
To: ccielab@groupstudy.com; security@groupstudy.com
Subject: The Cisco, Black Hat News....
Did anyone catch the news on this particular IOS flaw?
http://cbs2.com/finance/CA--Cisco-SecurityCra-
kf/resources_news_html
Does anyone know which versions have this flaw? Does it affect all Cisco
devices?
Thanks,
Sean
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:18 GMT-3