The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Cisco CDP attacks


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Tue, 09 Oct 2001 16:44:53 +0200
From: FX <fx@phenoelit.de.>
To: BugTraq <bugtraq@securityfocus.com.>
Subject: Cisco CDP attacks

--------------9BD52A5A375DC6A086CAA4EF
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi all,

attached is an advisory regarding a DoS condition in Cisco IOS. 
A copy can be found at http://www.phenoelit.de/stuff/CiscoCDP.txt. 
The CDP sender tool mentioned in the advisory is available in the IRPAS 
package at http://www.phenoelit.de/irpas/.

Regards,
FX

-- 
FX         <fx@phenoelit.de.>
Phenoelit  (http://www.phenoelit.de)
--------------9BD52A5A375DC6A086CAA4EF
Content-Type: text/plain; charset=us-ascii;
 name="CiscoCDP.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="CiscoCDP.txt"

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815++>

[ Authors ]
        FX		<fx@phenoelit.de.>
        FtR 		<ftr@phenoelit.de.>
        kim0		<kim0@phenoelit.de.> 
        smoovB		<not disclosed>

        Phenoelit Group	(http://www.phenoelit.de)

[ Affected Products ]
        Cisco IOS - several versions 

        Known vulnerable combinations:
        Cisco 1005	IOS 11.1.*
        Cisco 1603	IOS 11.2, 11.3.11b
        Cisco 2503	IOS 12.0.19
        Cisco 2600	IOS 12.1.?
        Catalyst 2940XL	IOS 12.0(5.1)XP

        Known to be not vulnerable:
        Catalyst 5505	CatOS 4.5(1)

        Cisco Bug ID: 		CSCdu09909

[ Vendor communication ]
        04/25/2001	Cisco contacted via [email protected]
        04/25/2001	Damir Rajnovic ([email protected]) reply
        04/26/2001	Gaus confirmed vulnerability, fix planed
        05/16/2001	Gaus had no feedback from the developers
        06/12/2001	Gaus still left in the cold by his developer contacts
        06/29/2001	Gaus reports that work on the issue has started but
        release date is unknown.
        07/03/2001	Cisco expects fix between September and October for
        the major IOS releases
        09/27/2001	This advisory goes to Cisco for coordination
        10/02/2001	Final coordination response from Gaus
        10/09/2001	Joint release with Cisco Systems (Gaus)

        Phenoelit wants to thank [email protected] (Damir Rajnovic) for the
        outstanding communication and cooperation. 

[ Overview  ]
        Cisco Systems IOS is vulnerable to a denial-of-service attack using
        Cisco's proprietary Cisco Discovery Protocol (CDP). 

        When flooded with CDP neighbor announcements, the IOS uses up all it's
        memory to store the neighbor information. The device is then unable to
        perform operations that need additional memory such as receiving
        routing updates and accepting inbound telnet(1) connections.

        Some device/IOS combinations tested reboot, others simply stop
        working completely.
        
[ Decription ]
        The Cisco Discovery Protocol is a layer two protocol and therefore
        independent from layer three protocols configured on the device. 
        A Cisco device sends out periodic updates out of it's interfaces to
        make itself known to it's neigbors. Since it is a layer two protocol,
        these packets (frames) are not routed. The updates are send on
        Ethernet to the multicast address 01:00:0C:CC:CC:CC. 

        If a Cisco device receives a CDP frame from another device, it copies
        the contents into internal data structures that can be viewed by the
        operator using the 'show cdp neighbors' command. The information
        includes the Device ID, capabilities, platform and sender's port ID.
        The CDP frames also include a hold timer value to tell the neighbor
        when he has to discard the information. The maximum values for this
        timer is 255 seconds (4 minutes, 15 seconds). 

        The internal data structure seems to use the remote device ID as key.
        When receiving two identical but long device IDs, some IOS versions are
        unable to identify them as identical and stores both of them as 
        independent records. 

        When flooding a network segment with large CDP frames containing a
        random device ID and comming from a random data link address,
        different IOS versions react differently. The range of possible
        reactions includes:
        + Reboot after 3 to 5 frames are received
        + Completely stop working after some thousands of frames
        + Use all available memory to store CDP neighbor information
          until the hold timer expires
        
        While the memory of the device is completely filled with CDP
        information, it is unable to perform other operations that need
        additional memory allocated. This includes accepting dynamic routing
        updates or new inbound telnet(1) sessions.

        If an operator on the device console tries to debug the CDP traffic
        using the command 'debug cdp packets', all tested devices crashed.

        Interesting is the reaction of the command line 'shell' when flooding
        the device as seen in the example. At least the help doesn't work
        anymore. It is not known if this behavior can be used for further
        exploitation of the device.

[ Example ]
        To send CDP messages, the cdp sender tool from the Phenoelit IRPAS
        package is used (http://www.phenoelit.de/irpas/). The command line to
        send maximum sized cdp frames with random data link addresses and
        device names is:

        linuxbox# ./cdp -i eth0 -m0 -n 100000 -l 1480 -r -v

        Be careful when running this! All vulnerable Cisco devices in the
        data link multicast domain will be affected (read: all Ciscos
        connected to your Ethernet hub/switch).


        Reaction of a Cisco 1603 / IOS 11.2(4):

        radio#
        %SYS-2-MALLOCFAIL: Memory allocation of 1480 bytes failed from 
        0x81B3BE6, pool Processor, alignment 0
        -Process= "CDP Protocol", ipl= 0, pid= 9
        -Traceback= 80ABDCC 80ACF46 81B3BEE 81B3B72 81B276A 81B224C
        radio#
        %SYS-2-MALLOCFAIL: Memory allocation of 96 bytes failed from 
        0x81B26D2, pool Processor, alignment 0
        -Process= "CDP Protocol", ipl= 0, pid= 9
        -Traceback= 80ABDCC 80ACF46 81B26DA 81B224C
        %SYS-2-MALLOCFAIL: Memory allocation of 96 bytes failed from 
        0x81B26D2, pool Processor, alignment 0
        -Process= "CDP Protocol", ipl= 0, pid= 9
        -Traceback= 80ABDCC 80ACF46 81B26DA 81B224C
        radio#sh ?
        % Unrecognized command
        radio#show ?
        % Unrecognized command
        radio#

        Reaction after 'debug cdp packets':

        %Log packet overrun, potential memory corruption, PC 0x81B2720, format:
        %s
        %Log packet overrun, potential memory corruption, PC 0x81B2720, format:
        %s
        ....[lots of these].....
        %Log packet overrun, potential memory corruption, PC 0x81B2720, format:
        %s
        %Log packet overrun, potential memory corruption, PC 0x81B2720, format:
        %s


  • BUS ERROR *** access address = 0x5f227998 program counter = 0x80ad45a status register = 0x2700 vbr at time of exception = 0x4000000 special status word = 0x0045 faulted cycle was a longword read monitor: command "boot" aborted due to exception System Bootstrap, Version ..... Copyright (c) 1994-1996 by cisco Systems, Inc. C1600 processor with 2048 Kbytes of main memory program load complete, entry point: 0x4018060, size: 0x1da950 [ Solution ] Include the command 'no cdp run' in all configurations of Cisco devices and update your IOS to a fixed version when these become available. [ end of file ] --------------9BD52A5A375DC6A086CAA4EF--

  • << Previous INDEX Search src Set bookmark Go to bookmark Next >>



    Партнёры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2024 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру