
| Subject: | [NEWS] Cisco PIX DoS TTL(n-1) |
|---|---|
| Date: | 8 Mar 2006 16:10:26 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Cisco PIX DoS TTL(n-1)
------------------------------------------------------------------------

SUMMARY

"The Cisco PIX Firewall (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/) delivers strong security and, with market-leading performance, creates little to no network performance impact."

It is possible to perform a DoS attack on a PIX, or on an IP address behind a PIX, from the outside interface by utilizing a flaw in the embryonic connection mechanism. The flaw utilized in this attack is the same as the one used in the Cisco PIX TCP Connection Prevention vulnerability.

DETAILS

It is possible to prevent new communication establishment to a specific port on a server located behind the PIX firewall when a permanent static mapping is applied between a local and a global IP address, similar to the network setup below.

Network Setup:

Attacker ------ Internet ------ PIX ------ Router ------ Server

By sending a legitimate packet with a TTL equal to n-1 of the destination value, it is possible to disable communication between the source and destination port pair for approximately 120 seconds on PIXOS version 6 and 30 seconds on PIXOS version 7. For the attack to succeed, an additional hop (router) must be present between the PIX and the server; this hop times out the packet and returns the ICMP time exceeded in-transit message. Such setups can be identified with TCPTraceroute to the open port: the destination IP repeats in the last two hops, e.g.

```
TCPTraceroute:
 5  xxx.xxx.xxx.32          18.952 ms   19.396 ms  20.438 ms
 6  xxx.xxx.xxx.7           19.667 ms   22.174 ms  20.629 ms
 7  xxx.xxx.xxx.68          29.286 ms   21.401 ms  19.935 ms
 8  xxx.xxx.xxx.100        108.143 ms   42.783 ms  *
 9  xxx.xxx.xxx.100 [open]  32.268 ms   26.037 ms  23.569 ms
```

Although it would take a lot of packets to disrupt the communication between the hosts completely, we assume that the attacker's aim is to prevent communication between a specific service on the machine behind the PIX firewall (e.g. HTTP/S, SMTP) and some other host on the Internet whose source address can be spoofed. Depending on the bandwidth, it might take as little as 15 seconds to generate and send out 65535 packets with a custom source port.

The attack can be performed using interactive packet constructors such as hping. For example, to prevent new communication establishment between SOURCE_IP source port 31337 and TARGET_IP destination port 80, execute:

```
arhontus / # hping2 -a $SOURCE_IP -S -c 1 -s 31337 -p 80 -t 8 $TARGET_IP
```

To prevent new communication establishment between SOURCE_IP source port range 0-63535 and TARGET_IP destination port 80, execute:

```
arhontus / # hping2 -a $SOURCE_IP -S -s 0 -p 80 --faster -t 8 $TARGET_IP
```

The attack was tested on two PIX 535 firewalls with 1Gb of RAM each, performing static permanent mapping and running in failover mode with PIXOS ver 6.3(4), and on a single PIX 515E with 64Mb of RAM running PIXOS ver 7.0(4).

Workarounds:
PSIRT response with workarounds to follow this disclosure.

Disclosure Timeline:
04/11/2005 - Issue discovered
24/01/2006 - PSIRT notified
07/03/2006 - Public disclosure

ADDITIONAL INFORMATION

The information has been provided by Konstantin V. Gavrilenko <mailto:mlists@arhont.com>.
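A defender-side check for the traffic pattern the advisory describes, added here as an example (it is not part of the advisory, nor Cisco's or Arhont's code): it scans a constructed SYN summary for a source that sprays many source ports at one destination port with a TTL too low to reach the protected server, which is the signature of the TTL(n-1) packets above. The log format, the addresses and the `min_reaching_ttl` value are assumptions.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed SYN summary (assumed format): "<epoch> SYN <src>:<sport> > <dst>:<dport> ttl=<n>"
SAMPLE_LOG = """\
1141826400.00 SYN 198.51.100.7:31337 > 203.0.113.10:80 ttl=2
1141826400.05 SYN 198.51.100.7:31338 > 203.0.113.10:80 ttl=2
1141826400.10 SYN 198.51.100.7:31339 > 203.0.113.10:80 ttl=2
1141826400.15 SYN 198.51.100.7:31340 > 203.0.113.10:80 ttl=2
1141826400.20 SYN 198.51.100.7:31341 > 203.0.113.10:80 ttl=2
1141826401.00 SYN 192.0.2.44:50001 > 203.0.113.10:80 ttl=54
1141826401.50 SYN 192.0.2.44:50002 > 203.0.113.10:80 ttl=54
1141826450.00 SYN 198.51.100.9:40000 > 203.0.113.10:25 ttl=2
"""

LINE_RE = re.compile(r"^(?P<ts>[\d.]+) SYN (?P<src>[\d.]+):(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) ttl=(?P<ttl>\d+)$")

def parse_log(text):
    """Parse summary lines into (ts, src, sport, dst, dport, ttl) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            rows.append((float(d["ts"]), d["src"], int(d["sport"]),
                         d["dst"], int(d["dport"]), int(d["ttl"])))
    return rows

def find_short_ttl_syn_bursts(rows, min_reaching_ttl, window_s=15.0, min_ports=5):
    """Flag (src, dst, dport) triples sending SYNs from many distinct source ports
    within one window with a TTL that expires before the server. min_reaching_ttl
    is the smallest TTL at this capture point that still reaches the server."""
    alerts = {}
    recent = defaultdict(deque)      # key -> (ts, sport) entries inside the window
    ports = defaultdict(Counter)     # key -> distinct source ports inside the window
    for ts, src, sport, dst, dport, ttl in sorted(rows):
        if ttl >= min_reaching_ttl:  # can reach the server: ordinary traffic
            continue
        key = (src, dst, dport)
        recent[key].append((ts, sport))
        ports[key][sport] += 1
        while ts - recent[key][0][0] > window_s:      # expire old entries
            _, old = recent[key].popleft()
            ports[key][old] -= 1
            if ports[key][old] == 0:
                del ports[key][old]
        if len(ports[key]) >= min_ports:
            alerts[key] = max(alerts.get(key, 0), len(ports[key]))
    return alerts
```

With the sample above and `min_reaching_ttl=3`, only the 198.51.100.7 burst against port 80 is reported; the ttl=54 connections and the single low-TTL SYN to port 25 are not.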