From core.lists.bugtraq@CORE-SDI.COM Thu Oct 26 20:02:29 2000
From: Iván Arce
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 26 Oct 2000 17:21:57 -0300
Subject: [BUGTRAQ] [CORE SDI ADVISORY] Cisco IOS HTTP server DoS

CORE SDI
http://www.core-sdi.com

Vulnerability Report For Cisco IOS Web Administration DoS

Date Published: 2000-10-25
Advisory ID: CORE-20002510
Bugtraq ID: 1838
CVE CAN: None currently assigned.
Title: Cisco IOS Web Administration Denial of Service
Class: Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: Yes

Vulnerability Description:

The HTTP service facility in Cisco IOS provides remote management capabilities using any web browser as the client. It is commonly used to manage remote routers and switches through a simple and user-friendly web interface.

A flaw in the HTTP server permits an attacker with access to the HTTP service port to crash the device and force a software reload.

The service is enabled by default ONLY in Cisco 1003, 1004 and 1005 routers.

Vulnerable Packages/Systems:

Virtually all Cisco routers and switches running IOS versions 12.0 through 12.1 inclusive are vulnerable. The following products are affected if they are running a release of Cisco IOS software that has the defect.

To determine if a Cisco product is running IOS, log in to the device and issue the command "show version". Classic Cisco IOS software will identify itself simply as "Internetwork Operating System Software" or "IOS (tm)" software and will display a version number. Other Cisco devices either will not have the show version command, or will give different output.

Cisco devices that may be running affected releases include:

- Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series.
- Most recent versions of the LS1010 ATM switch.
- The Catalyst 6000 if it is running IOS.
- Catalyst 2900XL LAN switch if it is running IOS.
- The Cisco DistributedDirector.

For some products, the affected software releases are relatively new and may not be available on every device listed above.

If you are not running classic Cisco IOS software then you are not affected by this vulnerability. Cisco products that do not run classic Cisco IOS software and thus are not affected by this defect include:

- 700 series dialup routers (750, 760, and 770 series) are not affected.
- Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are not affected except for some versions of the Catalyst 2900XL. However, optional router modules running Cisco IOS software in switch backplanes, such as the RSM module for the Catalyst 5000 and 5500, are affected (see the list of affected products above).
- The Catalyst 6000 is not affected if it is not running IOS.
- WAN switching products in the IGX and BPX lines are not affected.
- The MGX (formerly known as the AXIS shelf) is not affected.
- No host-based software is affected.
- The Cisco PIX Firewall is not affected.
- The Cisco LocalDirector is not affected.
- The Cisco Cache Engine is not affected.

Solution/Vendor Information/Workaround:

For a software fix refer to the vendor field notice at:
http://www.cisco.com/warp/public/707/httpserverquery-pub.shtml

Or, as a workaround, the following actions can be taken to prevent exploitation of the problem:

- Disable the HTTP service using the global configuration command:

    no ip http server

or

- Restrict access to the HTTP service port (80/tcp, or as set by the "ip http port" command) using a standard access list on the device. For example, if only a browser on host 10.10.10.1 needs to remotely manage the Cisco device, use the following global configuration commands:

    access-list 1 permit 10.10.10.1
    ip http access-class 1

  If access list 1 is already in use, choose another number in the range 0-99.

- Restrict access to the HTTP service port on border routers or other devices in the network path to the service.

Vendor notified on: July 18th, 2000

Credits:

This vulnerability was discovered by Alberto Solino of CORE SDI S.A., Buenos Aires, Argentina. Information regarding the extent of the problem, fixes and workarounds was provided by the Cisco PSIRT Team.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp@securityfocus.com.

Technical Description - Exploit/Concept Code:

Sending an HTTP request with the following URI:

    http://switch-server/cgi-bin/view-source?/

crashes the switch, which then performs a software reload; network connectivity is disrupted while this is done. By repeatedly sending such HTTP requests, a denial of service attack can be performed against the switch and the entire network connected to it.

Tests were performed on the following switch model and software version:

    Cisco Internetwork Operating System Software
    IOS (tm) C2900XL Software (C2900XL-H2S-M), Version 12.0(5.1)XP, MAINTENANCE INTERIM SOFTWARE
    Copyright (c) 1986-1999 by cisco Systems, Inc.
    Compiled Fri 10-Dec-99 10:57 by cchang
    Image text-base: 0x00003000, data-base: 0x002BA814

    ROM: Bootstrap program is C2900XL boot loader

    Switch uptime is 21 minutes
    System returned to ROM by power-on
    System image file is "flash:c2900XL-h2s-mz-120.5.1-XP.bin"

    cisco WS-C2924-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
    Processor board ID 0x0E, with hardware revision 0x01
    Last reset from power-on

    Processor is running Enterprise Edition Software
    Cluster member switch capable
    24 FastEthernet/IEEE 802.3 interface(s)

Copyright notice

The contents of this advisory are copyright (c) 2000 CORE SDI Inc. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: CataDOS-advisory.txt,v 1.8 2000/10/25 23:46:13 iarce Exp $

---
"Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house. Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse."
- Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
President
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce@core-sdi.com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================
---
For a personal reply use iarce@core-sdi.com
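As an added illustration of the workaround section above (not part of the advisory, and not Cisco code), the following Python audit reads a saved "show running-config" excerpt and reports whether the HTTP server is enabled, on which port, and whether an "ip http access-class" backed by an existing standard access list restricts who can reach it. The three configuration excerpts are constructed samples; the hostname and addresses are invented.

```python
import re

# Constructed 'show running-config' excerpts (sample data, not from the advisory).
WEAK_CONFIG = """\
hostname edge-switch
ip http server
ip http port 8080
"""
# Same device after applying the advisory's access-list workaround.
HARDENED_CONFIG = """\
hostname edge-switch
access-list 1 permit 10.10.10.1
ip http server
ip http access-class 1
"""
# Same device after applying the advisory's first workaround (service off).
DISABLED_CONFIG = """\
hostname edge-switch
no ip http server
"""


def audit_http_service(config):
    """Summarise HTTP management exposure from IOS running-config text.

    'exposed' is True when the server is on and no access-class that refers
    to an existing standard access list limits access to the service port.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    enabled = "ip http server" in lines and "no ip http server" not in lines
    port, access_class, acls = 80, None, {}
    for line in lines:
        if m := re.fullmatch(r"ip http port (\d+)", line):
            port = int(m.group(1))
        elif m := re.fullmatch(r"ip http access-class (\d+)", line):
            access_class = int(m.group(1))
        elif m := re.fullmatch(r"access-list (\d+) (permit|deny) (.+)", line):
            acls.setdefault(int(m.group(1)), []).append((m.group(2), m.group(3)))
    permitted = [src for act, src in acls.get(access_class, []) if act == "permit"]
    restricted = enabled and access_class is not None and access_class in acls
    return {
        "enabled": enabled,
        "port": port,
        "access_class": access_class,
        "permitted_sources": permitted,
        "exposed": enabled and not restricted,
    }


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("off", DISABLED_CONFIG)]:
        print(name, audit_http_service(cfg))
```

An access-class that names a non-existent list is reported as exposed, since the check only counts a restriction it can actually see in the configuration.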