Re: [c-nsp] Cisco Security Advisory: Crafted IP Option Vulnerability

• From: Andre Gironda
• Date: Thu Jan 25 02:41:58 2007

• Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:reply-to:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=Y40b1ke2yajS4TU8NqOYX8NjMV7a17orstFLMY8adKu8CNynhs0hkAdAt25QdTMMbKHGijK2tHFJqV9u+o3HXJ1z5wGFHH/Fli8btM2BGSH0+85RimbOPjwGY34+eZPRRjAluBLZsT5/8C89Gwn8JUFCzW1VQ48FwFV+2mPxkdA=

I would say that this would work:
http://addxorrol.blogspot.com/2007/01/one-of-most-amusing-new-features-of.html

It requires expensive software, BinNavi and IDA Pro Advanced, but
anyone equipped with those tools could do it.

I heard that parts of PaiMei work under BSD/Linux, and certainly GPF
and Autodafé could be used for fault injection during step-mode
debugging.  PaiMei also uses IDA.  The other tools are open-source
including PaiMei itself.

Using PyDBG in PaiMei could speed up the debugging faster than gdb by
way of scripting, which could allow things like process stalking.  If
that's the case, I could invision anyone with a symbol table could get
PoC remote code execution (ala Mike Lynn and Hacking Exposed: Cisco
Networks) within 3 hours and have a reliable exploit within 10 hours.

But PaiMei doesn't do that (yet), and nobody has the rest of the
resources to accomplish this task.  Right?

But, you don't really even need a symbol table if you have lots of
time to debug and design the exploit.  This is more advanced and would
require somebody like Halvar Flake, FX, or Pedram Amini.  All three of
which I credit for this vulnerability information feasibility
fact-finding.

So it's too late.  Don't bother upgrading now; you're already owned.
Unless they are blocking it at the ISP borders in the same way they
blocked out the Cisco IPv4 Crafted DoS vulnerability in 2003.  ISP's
probably got the patch (or at least Cisco's ISP's did) a week ago.
Had rolling reboots lately?  Don't know why?  Lots of "miscellaneous"
ISP maintenace.  I wonder...

Hey Cisco - listen up.  Hire some vulnerability assessors before the
future probable Month-of-Cisco-Bugs becomes Year-of-Cisco-Bugs aka
loss of 10B US dollars in revenue.  Or whatever John Chambers makes,
whichever is lower.

On Wed, 24 Jan 2007, Cisco Systems Product Security Incident Response
Team wrote:

> Cisco Security Advisory: Crafted IP Option Vulnerability

If I recall correctly, this is the first (PSIRT acknowledged)
stack/heap vulnerability since Michael Lynn's much-publicized BlackHat
presentation. While there was plenty of brief speculation at the time
of what Chinese/Russian/American-xenophobic-target hax0rs had already
implemented, not much bubbled up to the operational world...

Does anyone more active in the security community have pointers as to
how generic (and common) are tools targeting IOS exist?

On 1/24/07, Paul Stewart <[email protected]> wrote:

> I have read over this and am "fearful" of what I read.. my first thought
is
> to drop everything, get emergency maintenance window releases and spend a
> couple of nights upgrading like crazy...

"20070124-crafted-tcp" seems obvious enough (though it would've been
good for PSIRT to indicate how "small" the leakage per packet is to
gauge CoPP values), but "20070124-crafted-ip-option" likely should
tingle your spine.
_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

• References:
  • Cisco Security Advisory: Crafted IP Option Vulnerability Cisco Systems Product Security Incident Response Team
  • Re: Cisco Security Advisory: Crafted IP Option Vulnerability Gadi Evron

• Prev by Date: Re: Cable Tying with Waxed Twine
• Next by Date: Re: Cable-Tying with Waxed Twine
• Date Index
• Thread Index
• Author Index
• Historical