Cisco IOS Buffer Overflow in Processing TFTP File Names May Let Remote Users Cause IOS-based Devices to Crash
|
|
SecurityTracker Alert ID: 1004858 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jul 27 2002
|
Impact: Denial of service via network
|
Exploit Included: Yes
|
Advisory: Phenoelit Group
|
Version(s): Tested on 11.1 - 11.3
|
Description: A denial of service vulnerability was reported in Cisco's Internetwork Operating System (IOS) for Cisco routers and other devices. A remote user may be able to cause the device to crash in certain situations.
Phenoelit Group issued an advisory warning that the TFTP server integrated with Cisco IOS contains a buffer overflow. A remote user
can reportedly request a file name of approximately 700 characters in length to cause the device to crash and possibly reboot.
According to the report, this only occurs if the served file is on a flash device and no alias has been assigned to it.
The following
configuration is reported to be vulnerable:
router# conf t
router# tftp-server flash:ios_11.3_a-b-c-d.bin
The following
configuration is reported to be not vulnerable:
router# conf t
router# tftp-server flash:ios_11.3_a-b-c-d.bin alias TheStuff
A
demonstration exploit example is provided:
OpenBSD# tftp [hostname]
tftp> get AAAAAAAAA....(700 times)
|
Impact: A remote user may be able to cause the device to crash and possibly reboot.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.cisco.com/ (Links to External Site)
|
Cause: Boundary error
|
Reported By: kim0 <kim0@phenoelit.de>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Sat, 27 Jul 2002 12:01:29 +0200
From: kim0 <kim0@phenoelit.de>
Subject: Phenoelit Advisory, 0815 ++ * - Cisco_tftp
|
--------------070202040806020802040103
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
--
kim0 <kim0@phenoelit.de>
Phenoelit (http://www.phenoelit.de)
90C0 969C EC71 01DC 36A0 FBEF 2D72 33C0 77FC CD42
--------------070202040806020802040103
Content-Type: text/plain;
name="Cisco_tftp.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="Cisco_tftp.txt"
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++-->
[ Authors ]
FX <fx@phenoelit.de>
FtR <ftr@phenoelit.de>
kim0 <kim0@phenoelit.de>
Phenoelit Group (http://www.phenoelit.de)
Advisory http://www.phenoelit.de/stuff/Cisco_tftp.txt
[ Affected Products ]
Cisco IOS
Tested on
IOS 11.1 - 11.3
Cisco Bug ID: <not assigned>
CERT Vulnerability ID: 689579
[ Vendor communication ]
06/29/02 Initial Notification,
security-alert@cisco.com & psirt@cisco.com
*Note-Initial notification by phenoelit
includes a cc to cert@cert.org by default
06/30/02 Human confirmation from PSIRT @ Cisco
06/30/02 (2) Discussion of detail
07/01/02 Continued discussion for reproducing problem
07/01/02 Receipt, ack. and clarification by CERT@CERT.ORG
07/03/02 Continued discussions with PSIRT
07/19/02 Notification of intent to post publically
in apx. 7 days.
07/25/02 Final coordination for release.
[ Overview ]
Cisco Systems Routers are the most widely used routers.
Cisco Routers are embedded network devices that run a dedicated
Operating System, the Cisco IOS.
[ Description ]
The Cisco IOS integrated TFTP server suffers from a buffer overflow
condition.
When requesting a file name with approximately 700 characters, the device
crashes and may reboot. This only happens, if the served file is on a
flash device and no alias is assigned to it.
Vulnerable:
router# conf t
router# tftp-server flash:ios_11.3_a-b-c-d.bin
Not vulnerable:
router# conf t
router# tftp-server flash:ios_11.3_a-b-c-d.bin alias TheStuff
[ Example ]
OpenBSD# tftp cisco53.navy.smil.mil
tftp> get AAAAAAAAA....(700 times)
[ Solution ]
None available at this time
[ end of file ]
--------------070202040806020802040103--
|
|
