Security Bug

Exploit Available for Cisco IOS Vulnerability 277

Posted by michael
from the there-goes-the-internet dept.
GNUman writes "Cisco's IOS vulnerability, posted by Slashdot and CERT, now has a published exploit available, as reported recently by CERT. While there are some articles claiming that the Internet survived a major flaw, maybe with a publicly available exploit script kiddies could start creating havoc? jerw134 wanted to start a pool to find out when the exploit would be publicly available; here's the answer."


  • by inertia@yahoo.com (156602) * on Friday July 18, 2003 @02:03PM (#6472509) Homepage Journal
    About them Script Kiddies,
    the internet's old plight.
    Goin' all around,
    usin' hacks they didn't write.
    Them Script Kiddies lurk the net,
    as devious little foes.
    Keep them admins well employed,
    and keeps them on their toes!
    When Script Kiddies learn a trick,
    it makes for one tight spot.
    If you ain't patched up to date,
    think again, because you ought.
    How to be a Script Kiddy,
    logon the net ad hoc.
    Google for the hack you want,
    and start your own havoc.
  • Great... (Score:4, Interesting)

    by mfifer (660491) on Friday July 18, 2003 @02:04PM (#6472520)
    ...the 'sploit is more easily available than the fix!

    Anyone else gone through hell today trying to get the patch from Cisco?

    Grrr... >-/

    • Re:Great... (Score:5, Informative)

      by NerveGas (168686) on Friday July 18, 2003 @02:07PM (#6472556)

      The patch is extremely easy to come by. Do a "sh ver" on your router, and send the output to tac@cisco.com, and ask for an updated IOS. They'll likely be back to you within an hour or so.

      steve
      • Re:Great... (Score:2, Insightful)

        by rosewood (99925)
        I can't say that I'm in charge of any Cisco routers. Well, I am, but I luckily don't ever have to mess with them and have moved away from using them, but that's another story.

        However, you have to email Cisco to get an update from their screw up?

        ?????

        I'll remember this when it comes time to buy network hardware.
        • Re:Great... (Score:3, Informative)

          by NerveGas (168686)

          There are various channels from which to get the IOS. If you have a CCO account and know which version you want/need, you just log in and download it. There are also other ways of getting it, but as a "last-ditch" (or "too-lazy") method, you can email their support group directly.

          steve
      • Re:Great... (Score:2, Insightful)

        by Anonymous Coward
        You have either a bizarre definition of the phrase "extremely easy" or very little perspective on how easy it is to patch many other products.

        What would you call it if they had just provided in their advisory a publicly-accessible link from which to download the patch? "ultra-easy"? How about running "apt-get upgrade"? "hyper-easy"? Or having the patch automatically installed for you by Windows Update? "mega-easy"?

        Obviously, I'm not saying that Cisco should adopt any of these specific methods, but
        • Re:Great... (Score:4, Informative)

          by Pii (1955) <jedi@nOSPAm.lightsaber.org> on Friday July 18, 2003 @03:06PM (#6473088) Journal
          Most Cisco code updates do not require TAC intervention, or email swapping. This is an isolated case.

          Also, I haven't had to mail TAC yet for any of the routers (30, and counting) I've had to upgrade. My new code has been available through the traditional channel (Cisco's Software Center).

          People that are having to mail the TAC are doing so because they have no support contract (thus, no access to the Cisco Software Center), or because the code for their specific platform doesn't appear to be available through the Software center.

        • Re:Great... (Score:5, Informative)

          by NerveGas (168686) on Friday July 18, 2003 @03:41PM (#6473473)
          You have either a bizarre definition of the phrase "extremely easy" or very little perspective on how easy it is to patch many other products.

          I sent one email, and in return, got all of the IOS versions that I needed for my routers. I'd definitely say that was "extremely easy".

          Maybe you mean that I can just tell Linus what kind of computer I have, and he'll send me over a tarball of 2.4.21, pre-configured with the options I'd like?

          you don't have to email somebody and wait an hour to get the exploit

          If you have a CCO account, then you don't have to wait an hour, you log in and pick it up. Super-mega-fabuloso-easy.

          steve
          • So far it has been 4 hours since my e-mail... no response whatsoever, not even an autoresponder. I suspect they are becoming overworked trying to handle these by hand, but it sucks knowing that there is a file out there that could fix your problem, but it is up to some guy to answer your begging on his time. Why would a normal download point be so bad?

            • So far it has been 4 hours since my e-mail... no response whatsoever

              Lemme guess.

              Your request for help to cisco.com is not really going to go to 198.133.219.25 but to, uhm, a new different, uh, help center, that will be happy to send you an IOS sploit^H^H^H^H^H^H update to have you up and going in a jiffy.

    • Re:Great... (Score:3, Interesting)

      by silas_moeckel (234313)
      Well, I haven't had any issues. Just go log in to your CCO account and grab the new IOS's; actually my local mirror updated yesterday automatically. As for going through TAC, that's always a PITA, to say nothing of a couple hundred dollars a year.
    • There's an uncommon delay of 3 or 4 hours to get a response, but they're just giving away the correct IOS updates if you give them your serial number. Heck, sounds like some people aren't even giving them their serial numbers. *shrug*


      But here's my insightful comment for the day- Cisco is going to have a mint spam list at the end of this. "Hey boss? I just realized that 30,000 people with 100 thousand dollar routers just emailed us with verified addresses." Boss: "I need a paper towel"

    • Re:Great... (Score:3, Informative)

      by doogles (103478)
      Anyone else gone through hell today trying to get the patch from Cisco?

      ftp://user:pass@ftp.cisco.com/cisco/ios/
  • by nacturation (646836) <nacturation AT gmail DOT com> on Friday July 18, 2003 @02:06PM (#6472540) Journal
    If you haven't yet received notification from your NOC that they're going to be doing maintenance, you really need to impress upon them to get this fixed. In a nutshell, this flaw could allow a malicious hacker to shut down traffic to your servers.
  • Tell me why (Score:5, Insightful)

    by broothal (186066) <christian@fabel.dk> on Friday July 18, 2003 @02:13PM (#6472622) Homepage Journal
    Ok, maybe it's just me, but why is it that I have to provide Cisco with serial number, date of purchase and the name of my cat to get this fix? I mean - the fix is software, and it will only work on Cisco units. So - for crying out loud - put the patch on an FTP site and get over with it. Jumping through hoops to get the patch isn't going to speed things up.
    • Re:Tell me why (Score:5, Informative)

      by jht (5006) on Friday July 18, 2003 @02:24PM (#6472712) Homepage Journal
      Gee, I just had to call TAC up and give them the serial number to get in (our router doesn't have a service contract). Within an hour, I had a callback from the engineer who was given my case and an e-mail in my inbox looking for the specific info needed (the version of IOS I was running and the exact name of the binary - all produced by "sh ver").

      After I got him the info, it was only a few minutes before the patch link was sent to me for download. The whole thing was done before lunch today - and that's for a little piss-ant customer with no service contract and a single router.

      I think that's about as simple as it needs to be, personally. There's different versions of IOS for different devices, and all sorts of supported code revisions to deal with - it's not like Windows where you have a core version and service packs/hotfixes you may or may not have applied in random combination. Typically, if you have a Cisco router and it's working you'll only want to apply the minimum possible fix to the specific version you're running. So it's a pretty darned complex upgrade matrix. I, for one, am perfectly happy to let TAC guide me through it.
      • Well, you have a point - but on the other side of the coin, there should be another option like the previous poster wants. Let's say that you are an experienced network admin who knows exactly what version of the IOS you need, and you know how to install it. Wouldn't it be a pain in the ass for you to have to go through this ridiculous process for every router you were responsible for if you didn't have a contract with Cisco like many companies don't? I'm half-way wondering if this isn't an easy way for Cisco t
        • Re:Tell me why (Score:2, Insightful)

          by Penguinshit (591885)
          It seems to me that it's Cisco's way of preventing even worse problems by someone fat-fingering the upgrade themselves. It's a little bit slower, but in the end you're assured that you get exactly what you need for your systems. I find that extremely conscientious of Cisco.
          • Well, sure, but there are other ways to get this. If Cisco had a web form that you pasted the output of "sh ver" to, it could direct you to the exact file. Email is a pathetic solution.
    • What were you saying ? [cisco.com] (works if you have a CCO login)
  • by MattRog (527508) on Friday July 18, 2003 @02:16PM (#6472647)
    They'll be creating something but I don't know what. Hopefully it won't resemble havoc.
  • by Papa Legba (192550) on Friday July 18, 2003 @02:19PM (#6472665)
    Once again we see the power of open source! From announced flaw to exploit in two days. Beat that Microshaft!..... Oh.... Wait.... This is not a good thing is it....

  • by Anonymous Coward
    I've already compiled this and tested against an internal router, fills up the input queue quite nicely. Requires libnet.h

    -orbit0r
  • Whew. (Score:5, Funny)

    by CrackerJackz (152930) on Friday July 18, 2003 @02:24PM (#6472716) Homepage
    Glad I dodged the bullet, I've got every last router patKL()*$OFD_)#@ [LINK DOWN]
  • by Anonymous Coward on Friday July 18, 2003 @02:24PM (#6472719)

    Thanks heaps.

    Regards,
    Cisco Systems.

  • by jkc120 (104731) on Friday July 18, 2003 @02:24PM (#6472720)
    If I'm reading this page [cisco.com] correctly, the protocol type of the packet that causes the problem appears to be the PIM protocol:

    grep 103 /etc/protocols
    pim 103 PIM # Protocol Independent Multicast

  • by lanner (107308) on Friday July 18, 2003 @02:31PM (#6472776)
    Importance of shaming those who published this exploit

    There was very little time to act upon the new IOS version that Cisco provided to the public. The software upgrades were available to the public on Thursday morning at 00:00. CERT made their announcement about 15 minutes later. Today, the exploit is public. That is less than 48 hours to upgrade the hundreds of thousands (if not million+) Cisco routers across the world.

    This is the most important security event affecting the Internet since the root DNS server attacks some time back, and this one is potentially much more severe. I have been surprised at the lack of media attention on this issue, or how some of my technical colleagues have treated it. They don't seem to understand how many Cisco routers are out there.

    It needs to be shown that by making the exploit of this vulnerability public so soon, the persons who did this only did so for publicity gain at the expense of others.

    They hurt others to profit themselves, and that is no more cool than slavery is. And what did they get out of it? "My dick is bigger than yours."

    I just don't want this to pass over and the people who made this exploit public think that what they did was cool, or that they are going to get a lot of admiration or karma for it. If they like the Internet, which they probably do, they just did the most harmful thing to it as they could have possibly done.

    • Here's the letter I received from Serverbeach yesterday afternoon:

      July 17, 2003

      Notice to Customers: Maintenance Window, July 18, 2003 - 12:00-2:00 am CST

      Dear XXXX:


      This letter is to inform you of a network maintenance window that will take place this evening, July 18, 2003, from 12:00-2:00 am central time.

      We received an advisory today, sent to all Cisco IOS customers, that requires a network patch to ensure ongoing security and performance of the system. We have made the decision that, given

    • Today, the exploit is public. That is less than 48 hours to upgrade the hundreds of thousands (if not million+) Cisco routers across the world

      That's less than 48 hours, depending on which timezone you live in. Should be an interesting weekend for some.

    • Importance of shaming those who published this exploit

      Why? Most ISPs are very grateful to have something to test if their countermeasures are effective.

      Do you really want to upgrade all your core routers at once, and take the risk of introducing a bug which brings down your whole network? It's often better to apply some workaround and schedule an incremental update. In this case, you really want to test if your workaround is effective.
      • I am not against making the exploit public at all -- just not within the first few days of the exploit discovery. Considering the quantity of systems affected and the fact that many Cisco devices are remote makes patching difficult.

        Personally, I want to throw the exploit against some of my own equipment just for fun too.

        There will be Cisco devices vulnerable to this exploit for years to come. As a consultant, I commonly come across old Cisco routers that have not had their software upgraded in years. N
    • I have been surprised at the lack of media attention on this issue, or how some of my technical colleagues have treated it. They don't seem to understand how many Cisco routers are out there.

      Your colleagues don't realize how many Cisco routers are out there? What, are your colleagues monkeys or something? That's like saying they didn't know how many copies of windows are running out there. Man, do I feel sorry for you. How many emails do *you* get a day that consist of "What's my password?" ?

    • by realdpk (116490) on Friday July 18, 2003 @03:50PM (#6473548) Homepage Journal
      Without full disclosure, what % of the routers out there would be patched right now? 10? Maybe.

      It sounds to me like Cisco needs to get their genius engineers together to come up with a better way to distribute IOS images - one that does not involve e-mail, perhaps!

      What the people did _was_ cool. They contacted Cisco a while back. Then they released the exploit almost *2 days* after the patch was announced.

      Nice try bringing slavery in to this. That's ridiculous.

      "most harmful thing to it they could have possibly done." Please. Even if they released it 2 seconds before the patch was available, the Internet may have had instability for a day or two while Cisco ships out CDRs to everyone so they can fix it.

      To those that choose full disclosure for security - I applaud you! I really appreciate having a program available that allows me to test if my systems are vulnerable and remain vulnerable post-patching.
    • That is less than 48 hours to upgrade the hundreds of thousands (if not million+) Cisco routers across the world.

      So do them in parallel.

      Hell, give me access. I'll upgrade a few million routers in less than 48 hours, no prob.

      And I am a lazy pothead sys admin. I don't even work on routers.
      • You serious? Sure, go nuts. I look forward to seeing what happens when the build you pick for a router three hops down doesn't support the STM-4 card you had in there, and stops you reaching the 20 networks behind it. Oh, and there's one over here that's running a new build with a BGP bug, so these 100 have fallen off the network. And three of these six in New York just plain didn't come back, we're not sure why yet. You've got out of band access to them all, right? right?

        Upgrade with care. Even the most r
  • Imagine your typical packet kiddie running dozens of instances of the following pseudocode on his farm of a few hundred trojaned boxes:


    while (1) {
        $x = random(255);
        $y = random(255);
        $z = random(255);
        @hops = traceroute("$x.$y.$z.1");
        for $hopnum (5..@#hops) { # don't kill nearby routers
            system("shadowchode", $hops[$hopnum], 255 - $hopnum);
        }
    }

    If you haven't patched already - do it now.

  • Just Fix It (Score:5, Insightful)

    by vinn (4370) on Friday July 18, 2003 @02:38PM (#6472828) Homepage Journal


    Cisco released the fix two days ago to backbone providers. Other large customers could get the fix early yesterday. If you're affected by this vulnerability and it's not fixed yet:

    • You're not subscribed to the proper news channels (i.e. you're not doing your job) or
    • You're lazy (i.e. you're not doing your job) or
    • You're not as important as you thought (i.e. someone else isn't doing their job.)

    It seems like Cisco handled this one correctly with the providers. I'm not sure how well large customers were handled, my guess is the .edu folks probably got screwed again.

    • Re:Just Fix It (Score:3, Insightful)

      by davew (820)
      I'm really, truly trying not to troll here, but this attitude pisses me off.

      I work for an ISP. We have about 40-odd routers of various sizes. Six months ago we began upgrading their IOSes to handle IPv6. Last Wednesday we finished. We weren't pissing about; we were picking builds, checking to make sure they supported the features we needed, checking for critical known bugs, deploying them, finding bugs, sometimes scaling back. Some of these problems didn't reveal themselves for a week or two after deployme
  • by nolife (233813) on Friday July 18, 2003 @02:49PM (#6472902) Homepage Journal
    I just tried this on our routers at work, it does not appear to work. I did n tice som pkt lss but a r nn
  • by CraigV (126819) on Friday July 18, 2003 @02:50PM (#6472915) Homepage
    I had the impression that routing was a fairly straight-forward task and that 100% reliable software should be available for the routers. Has Cisco added frills to such an extent that the basic routing is compromised? Is this current problem associated with unnecessary features?
  • Any good suggestions on scripting the upgrades? What happens if you have over a few hundred routers? Life sucks I guess.
    • Re:updates (Score:3, Informative)

      by Pii (1955)
      If your enterprise is such that you have a few hundred routers, then I'd certainly hope that you'd have ponied up for Cisco Works, which would then allow you to push out the upgrades in an automated manner.

      Of course, there are also freely available perl and expect scripts out there that would allow you to do the same thing.

  • Back in middle school, where they told us all, "here's exactly what drug x looks like, what it does,and how to get it & use it... but please don't use it. That would be bad!"
    4 years later... dang! Why are all the students on crack? :) aieee!
  • A big middle finger to all of the idiots that don't believe in full disclosure:

    Cisco IOS Exploit [idefense.com]

    You can also easily create the exploit using hping2.
    • How is this a big middle finger to people that don't believe full disclosure is a good idea for something of this gravity? Major ISP's and Major providers (for which I work) didn't hear about this but 48 hours before the exploit was made public.

      Cisco tried their hardest to prevent info from getting out to make it easy to create an exploit, but data was leaked. What has this done? It's left hundreds of thousands to millions of routers, with not nearly enough admins to patch, vulnerable to the losers who
  • by pope1 (40057) on Friday July 18, 2003 @03:07PM (#6473107) Homepage
    In case you want to test this on your own routers (worked against my 1005.. sadly :P)

    Here's a link [chiyocon.com] to the source in b64 format, you can extract it with:

    openssl base64 -d -in cisco.txt -out cisco.tgz

    Happy testing!

    • worked against my 1005.. sadly :P)

      As I first saw this, and figured you'd mis-spelled 10053, because there really SHOULD be an "e" at the end... Then realized that "loose" doesn't fit in the sentence.

      Ah well. Stupid me.

      -Ben
  • by zdzichu (100333) <zdzichu@i r c .pl> on Friday July 18, 2003 @03:19PM (#6473255) Homepage Journal
    Here the exploit: http://www.securitylab.ru/_tools/shadowchode.tar.t ar [securitylab.ru]
    It's .tar.gz file, incorrectly named.
  • The fix... (Score:5, Informative)

    by robpoe (578975) on Friday July 18, 2003 @03:26PM (#6473329)
    The following access list is specifically designed to block attack traffic. Note that the attack traffic can include spoofed source addresses. This access list should be applied to all interfaces of the device, and should include topology-specific filters. This could include filtering routing protocol traffic, management protocols, and traffic destined for the internal network. Protocol 103 is Protocol Independent Multicast (PIM), which is a commonly deployed application in multicast networks.

    Interfaces with PIM enabled have not been found to be vulnerable to exploit traffic with protocol 103; PIM traffic may be permitted to those select devices.

    access-list 101 deny 53 any any
    access-list 101 deny 55 any any
    access-list 101 deny 77 any any
    access-list 101 deny 103 any any
    !--- insert any other previously applied ACL entries here
    !--- you must permit other protocols through to allow normal
    !--- traffic -- previously defined permit lists will work
    !--- or you may use the permit ip any any shown here
    access-list 101 permit ip any any

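    The access list above only works if the deny entries sit before any permit-all entry, because IOS evaluates an ACL top-down and applies the first match. A common mistake when appending these lines to an existing list is to leave an earlier "permit ip any any" in place, which silently neutralises the mitigation. The following checker is an added example (not from the original post or from Cisco) that parses the ACL syntax quoted above and reports which of the four protocols would still get through; the sample configurations are constructed, and the parser only understands the numbered-protocol / "ip" / "any any" form shown in the post.

```python
"""Check a Cisco IOS-style extended access list for the protocol 53/55/77/103
mitigation quoted in the post.  Example code added by the editor, not from the
page or from Cisco.  Assumes the syntax 'access-list <n> deny|permit <proto> any any'
with '!' comment lines; other IOS keywords (tcp, udp, host, wildcards) are not handled."""

import re

# IP protocol numbers the quoted advisory ACL denies (103 is PIM).
BLOCKED_PROTOCOLS = {53, 55, 77, 103}

ACL_RE = re.compile(
    r"^\s*access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*$",
    re.IGNORECASE,
)

# Protocol keyword 'ip' matches every IP protocol; represented as None below.
PROTO_NAMES = {"ip": None, "pim": 103}


def parse_acl(text, acl_num):
    """Return the ordered (action, protocol) entries for one ACL number.
    Comment lines ('!') and entries for other ACL numbers are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if not m or int(m.group("num")) != acl_num:
            continue
        proto = m.group("proto").lower()
        if proto.isdigit():
            proto_num = int(proto)
        elif proto in PROTO_NAMES:
            proto_num = PROTO_NAMES[proto]
        else:
            raise ValueError(f"unrecognised protocol keyword: {proto}")
        entries.append((m.group("action").lower(), proto_num))
    return entries


def first_match(entries, proto_num):
    """IOS applies the first matching entry; an unmatched packet hits the
    implicit 'deny' at the end of every access list."""
    for action, p in entries:
        if p is None or p == proto_num:
            return action
    return "deny"


def check_mitigation(text, acl_num=101):
    """Return the subset of BLOCKED_PROTOCOLS the ACL would still permit.
    An empty set means the mitigation is effective for those protocols."""
    entries = parse_acl(text, acl_num)
    return {p for p in BLOCKED_PROTOCOLS if first_match(entries, p) == "permit"}


# Constructed sample: the ACL exactly as quoted in the post.
GOOD_ACL = """\
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- previously applied entries would go here
access-list 101 permit ip any any
"""

# Constructed sample: the same denies appended *after* an existing permit-all,
# which is how the mitigation typically gets defeated in practice.
MISORDERED_ACL = """\
access-list 101 permit ip any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
"""

# Constructed sample: an admin who only copied three of the four lines.
PARTIAL_ACL = """\
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    for name, cfg in [("good", GOOD_ACL), ("misordered", MISORDERED_ACL), ("partial", PARTIAL_ACL)]:
        leaks = check_mitigation(cfg)
        print(f"{name}: still permitted -> {sorted(leaks) or 'none'}")
```

    Run it against a copy of your own "show access-lists" output and the result should be an empty set; the "good" sample also keeps ordinary traffic (for example TCP, protocol 6) permitted, which the test below checks so that the mitigation is not mistaken for a blanket deny.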
  • If you look at the release dates of some of the code that is not vulnerable to this attack, it goes back to early June. To me, it looks like this was identified almost two months ago. The question then is: Was this suddenly announced once a planned mile-marker in IOS revisions had been met....or once they suspected the exploit was in the wild?
  • by rf0 (159958)
    here [slashdot.org]

    "I'm going to say an exploit by tomorrow. End of the internet by Sat. All back to normal on Monday"

    Rus
