Cisco Vulnerability Testing Results

Jason Frisvold friz at corp.ptd.net
Fri Jul 18 14:48:45 UTC 2003


Hi all,

	First post..  I hope this is ok ...

	We tested the Cisco vulnerability and I wanted to share our results
with you ...

	The attack code we used is the same code that was posted to the Full
Disclosure list.   Compiled on a Redhat Linux 6.2 machine.

Testing scenario is this : 

Linux Machine (10.0.0.2/24)
Cisco 2514 
   Ethernet0 (10.0.0.1/24) is in from the attacker 
   Ethernet1 (192.168.0.1/24) is output to the 2501 
Cisco 2501 
   Ethernet0 (192.168.0.2/24) is in from the 2514 

First attack was to the 2514, ran the program as thus : 

./sc 192.168.0.1 1 

This produced unexpected results. Cisco indicated that the vulnerability
was on the interface specified in the packets. However, after running
this, it was actually the INPUT interface that the input queue increased
on. In our test, this was Ethernet0, not Ethernet1 as expected. 

Next attack was to the 2501 : 

./sc 192.168.0.2 2 

This produced expected results. Input queue did increase on the 2501. 

Next we tried a pass-through attack : 

./sc 192.168.0.2 0 
./sc 192.168.0.2 1 

No interfaces on either Cisco were affected. It seems that pass-through
attacks are not possible. The attack *must* terminate on an IP on one of
the router interfaces.

An additional test to both routers using a high TTL value was also run. 
No interfaces were affected.  This is in-line with Cisco's posting.

Code was then upgraded on the 2514 to 12.0.27 (non-vulnerable) .. Tests
were run again. This time, the 2514 was not affected by any tests. The
2501 was still vulnerable.

I will be testing ACLs in a moment, but I wanted to get these results
out and see if they were on-par with any testing anyone else has done.

-- 
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz at corp.ptd.net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
      -- Albert Einstein [1879-1955]
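
Added example, not part of the original post: since the test above found the input queue rising on the ingress interface rather than the one whose address was targeted, a monitoring check should inspect every interface in `show interfaces` output. The sample text is constructed, and the two queue line layouts it parses are assumptions about how the IOS release in use prints them.

```python
import re

# Constructed sample modelled on IOS `show interfaces` output; not captured
# from the lab in the post. Addresses reuse the post's test topology.
SAMPLE = """\
Ethernet0 is up, line protocol is up
  Internet address is 10.0.0.1/24
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 76/75, 1250 drops
Ethernet1 is up, line protocol is up
  Internet address is 192.168.0.1/24
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
Serial0 is administratively down, line protocol is down
  Input queue: 3/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""

# Interface header lines start in column 0; detail lines are indented.
IFACE = re.compile(r"^(\S+) is .*line protocol is")
# Assumed layouts: "input queue 76/75, 1250 drops" (older releases) and
# "Input queue: 3/75/0/0 (size/max/drops/flushes)" (newer releases).
QUEUE = re.compile(r"input queue:?\s+(\d+)/(\d+)(?:/(\d+)|,\s*(\d+) drops)", re.I)

def input_queues(text):
    """Return {interface: (size, max, drops)} for each interface block."""
    result, current = {}, None
    for line in text.splitlines():
        header = IFACE.match(line)
        if header:
            current = header.group(1)
            continue
        q = QUEUE.search(line)
        if q and current:
            drops = q.group(3) or q.group(4)
            result[current] = (int(q.group(1)), int(q.group(2)), int(drops))
    return result

def blocked(text, threshold=1.0):
    """Interfaces whose input queue depth is >= threshold * max."""
    return sorted(name for name, (size, mx, _) in input_queues(text).items()
                  if mx and size >= threshold * mx)

if __name__ == "__main__":
    hits = blocked(SAMPLE)
    for name, (size, mx, drops) in input_queues(SAMPLE).items():
        state = "input queue full" if name in hits else "ok"
        print(f"{name:10} {size}/{mx} drops={drops} {state}")
```

Lowering `threshold` (for example to 0.8) gives an early warning before the queue reaches its limit.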