Bugtraq mailing list archives

Re: Three possible DoS attacks against some IOS versions.

From: "Big Poop" <ste0000 () hotmail com>
Date: Sun, 09 Jun 2002 13:41:25 +0100

a bit of source code i wrote a couple of month as proof of concept for theHSRP DoS..... needs libpcap installed to sniff the packets to get theauthentication details + various other stuff. Spoofed packets are then sendto the multicast address informing the group that there is a new router (thehackers machine / fake IP address) that has the top priority 255 thuspre-empting the active router and causing a DoS


the prog runs on linux and was tested on mandrake 8

--------8<--------8<------- from previous post
an excerpt form RFC 2281 - Cisco HSRP

7. Security Considerations

   This protocol does not provide security.  The authentication field
   found within the message is useful for preventing misconfiguration.
   The protocol is easily subverted by an active intruder on the LAN.
   This can result in a packet black hole and a denial-of-service
   attack.  It is difficult to subvert the protocol from outside the
 LAN as most routers will not forward packets addressed to the
 all-routers multicast address (224.0.0.2).

- ----

Cisco is considering using MD5 to improve the protection of HSRP in
future releases of IOS.

However, there are some other factors that must be considered in
this context:

- - this vulnerability can be exploited only from the local segment
  (not over the Internet).
- - the same effect, denial of service, can be produced by using ARP,
  which can not be protected in any way.

The last factor is especially important since it may cause a false
sense of security if the user is using a hardened version of HSRP as an
attacker can still disrupt the network by using crafted ARP packets.

Another aspect of this issue is that in its current implementation, HSRP
doesn't seem to perform a validity check on the IP addresses. This is
under active investigation as Cisco Bug ID CSCdu38323.

Cisco HSRP documentation can be found at -
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs009.htm

- --
Sharad Ahlawat.
Product Security Incident Response Team (PSIRT) Incident Manager
http://www.cisco.com/go/psirt
Phone:+1 (408) 527-6087 (Land line and Mobile)
DH/DSS key Id: 0xC12A996C
Fingerprint: 9A93 2A20 43E5 7F01 2954  C427 1A81 A898 C12A 996C

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
Worldwide Web site at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE8/+eLGoGomMEqmWwRAvQuAKDD0QUix/yYu+9R7ZgdJh0AK8pQdACeNa8q
ENh90WxBZqYLg3sjuLjxE0w=
=pCHF
-----END PGP SIGNATURE-----

------8<--------------8<-------------- end of previous post


--
Big Poop
root () networkpenetration com



_________________________________________________________________

Join the worlds largest e-mail service with MSN Hotmail.http://www.hotmail.com

Attachment: hsrp.tar.gz
Description:

Current thread:

Three possible DoS attacks against some IOS versions. Andrew Vladimirov (Jun 05)
- Re: Three possible DoS attacks against some IOS versions. Sharad Ahlawat (Jun 07)
  - Re: Three possible DoS attacks against some IOS versions. Felix Lindner (Jun 10)
    - Re: Three possible DoS attacks against some IOS versions. Sharad Ahlawat (Jun 12)
- <Possible follow-ups>
- Re: Three possible DoS attacks against some IOS versions. Big Poop (Jun 10)
- Re: Three possible DoS attacks against some IOS versions. Shane Gibson (Jun 11)