COMMAND
aux
SYSTEMS AFFECTED
CISCO, other routers?
PROBLEM
HD Moore found following. The tcp access / configuration ports on
most routers can be disabled remotely. These sit on port numbers
like 23,2001,4001,6001, and 9001. The attack simply consists of
shoving a few thousand bytes of any character down the connection,
a couple times may be needed for some routers, with the length of
time of the DoS related to the amount of bytes you send down the
initial connection. Some routers has to be reseted after attack.
The impact of this is that an administrator would need physical
access to reconfigure a router after an attack like this. This
is merely annoying for those who have a rack in the closet, and a
huge pain in the ass for those 'remote' admins who may or may not
be able to have someone reset them for them. The exploit is just
pathetic, and may need 3-6 runs of varying lengths to any
substantial damage. Shorter attacks result in shorter downtimes
for those ports, longer attacks do everything from locking the
port out until it is reset to crashing the router itself. The one
line bash$ exploit is:
perl -e'print 0xFF x 10000' | telnet router.example.org 2001
After disconnecting try to connect to that port again, it should
say connection refused. While some routers will recover within 30
seconds to 5 minutes, older models tend to take days to ??? to
fix themsleves. Since the TCP connection isn't deleted, the
virtual TTY (VTY) is not being released. If you run a bunch of
attacks, you eventually end up with all your VTYs hung up on
nonexistent connections. If you can reach the router at all, you
can reclaim them with the "clear line" command, but if they're all
hung up, you may not have a way to get in and do that.
Although the router's getting into this state under these
circumstances is very probably caused by a bug, and we will
address that bug, it's very important that everybody understand
that it would be possible to create the same condition *without*
any bug. The easiest way would be to keep opening (and not
closing) TELNET sessions to the router, until it refused to accept
any more, then simply turn off the power on the initiating system,
so that the sessions were never closed properly. That's just the
way TCP works. It affects any system that accepts TELNET
connections and doesn't use TCP keepalives. It may be aggravated
by a bug in this case, but you can definitely make it happen
without having a bug.
SOLUTION
Some Cisco's would have to be reset manually to fix this, others
will recover by themselves given a few minutes, hours, or days.
ComOS seems to be in the manual-reset category, as HD hasn't
found one yet that recovers from a 1 minute attack onto thier
access ports. Normal operation continues, only in a few freak
cases did the router drop the entire network / reset connections
as a result. There are several ways to mitigate this
vulnerability in your Cisco configuration:
1. Don't accept TELNET connections from just any old host on the
network. Do something like this:
access-list 1 permit host <trusted-host-1>
access-list 1 permit host <trusted-host-2>
...
access-list 1 deny any
line vty 0 4 ! Select all 5 VTYs
transport input telnet ! Don't accept non-TELNET connections
access-class 1 in ! ... and only from listed machines
This is known to work, and should be the primary defense.
2. Configure "service tcp-keepalives-in". This will make the
router detect dropped TCP connections. By default, it won't
detect a dropped session unless it has output to send to that
session... which it usually won't have for a long time, if
ever.
3. Configure timeouts on the VTY lines, so that an idle session
can't permanently occupy a line. You might do:
line vty 0 4
exec-timeout 10 ! Disconnect if no commands for 10 minutes
session-timeout 10 ! Disconnect if outgoing session and no input