Date:         Thu, 26 Oct 2000 17:21:57 -0300
From: Iván Arce <core.lists.bugtraq@CORE-SDI.COM>
Subject:      [CORE SDI ADVISORY] Cisco IOS HTTP server DoS
To: BUGTRAQ@SECURITYFOCUS.COM

                                    CORE SDI
                             http://www.core-sdi.com

              Vulnerability Report For Cisco IOS Web Administration DoS


Date Published: 2000-10-25

Advisory ID: CORE-20002510

Bugtraq ID: 1838

CVE CAN: None currently assigned.

Title: Cisco IOS Web Administration Denial of Service

Class: Denial of Service

Remotely Exploitable: Yes

Locally Exploitable: Yes

Vulnerability Description:

 The HTTP service facility in the Cisco IOS provides remote
 management capabilities using any web browser as client.
 It is commonly used to manage remote routers and switches
 with a simple and user-friendly Web interface.
 A flaw in the HTTP server permits an attacker with access to
 the HTTP service port to crash the device and force a software
 re-load.
 The service is enabled by default ONLY in Cisco 1003, 1004
 and 1005 routers.

Vulnerable Packages/Systems:

 Virtually all Cisco routers and switches running IOS versions 12.0
 through 12.1 inclusive are vulnerable.

 The following list of products is affected if they are running
 a release of Cisco IOS software that has the defect. To determine
 if a Cisco product is running IOS, log in to the device and issue
 the command show version. Classic Cisco IOS software will identify
 itself simply as "Internetwork Operating System Software" or "IOS (tm)"
 software and will display a version number. Other Cisco devices either
 will not have the show version command, or will give different output.
 Cisco devices that may be running affected releases include:

  Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 2500,
   2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400,
   7000, 7200, ubr7200, 7500, and 12000 series.
  Most recent versions of the LS1010 ATM switch.
  The Catalyst 6000 if it is running IOS.
  Catalyst 2900XL LAN switch if it is running IOS.
  The Cisco DistributedDirector.

 For some products, the affected software releases are relatively new and
 may not be available on every device listed above.

 If you are not running classic Cisco IOS software then you are not affected
 by this vulnerability. Cisco products that do not run classic Cisco IOS
 software and thus are not affected by this defect include:

  700 series dialup routers (750, 760, and 770 series) are not affected.
  Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are not
   affected except for some versions of the Catalyst 2900XL. However,
   optional router modules running Cisco IOS software in switch backplanes,
   such as the RSM module for the Catalyst 5000 and 5500, are affected
   (see the Affected Products section above).
  The Catalyst 6000 is not affected if it is not running IOS.
  WAN switching products in the IGX and BPX lines are not affected.
  The MGX (formerly known as the AXIS shelf) is not affected.
  No host-based software is affected.
  The Cisco PIX Firewall is not affected.
  The Cisco LocalDirector is not affected.
  The Cisco Cache Engine is not affected.


Solution/Vendor Information/Workaround:

 For a software fix refer to the vendor field notice at:
   http://www.cisco.com/warp/public/707/httpserverquery-pub.shtml

 Or as a workaround, the following actions can be taken to prevent
 exploitation of the problem:

 - Disable the HTTP service using the global configuration command:
    no ip http server

 or

 - Restrict access to the HTTP service port (80/tcp or as set by the
   ip http port command) using a standard access list on the device.
   For example, if only a browser on host 10.10.10.1 needs to remotely
   manage the Cisco device use the following global configuration
   command:
    access-list 1 permit 10.10.10.1
    ip http access-class 1
  If access list 1 is in use choose another number in the range 0-99.

 - Restrict access to the HTTP service on border routers or
   devices in the network path to the service port.
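The two checks the advisory asks an operator to make by hand, confirming from `show version` that a device runs classic IOS in an affected train and confirming from the running-config that the HTTP server is either disabled or restricted with `ip http access-class`, can be scripted for a fleet. The following is an added example written for this page, not code from CORE SDI or Cisco. It parses the `show version` banner quoted later in this advisory and three constructed running-config excerpts (hostnames and addresses are hypothetical). The "default" verdict exists because the advisory states the HTTP server is enabled by default only on the 1003/1004/1005 routers, so an unstated state must be resolved against the platform rather than assumed safe.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the `show version` banner of the device tested in the advisory.
SHOW_VERSION = """\
Cisco Internetwork Operating System Software IOS (tm)
C2900XL Software (C2900XL-H2S-M), Version 12.0(5.1)XP, MAINTENANCE INTERIM SOFTWARE
"""

# Constructed running-config excerpts for three hypothetical devices.
CONFIG_EXPOSED = "hostname edge-sw1\nip http server\n"
CONFIG_RESTRICTED = (
    "hostname edge-sw2\nip http server\nip http access-class 1\n"
    "access-list 1 permit 10.10.10.1\n"
)
CONFIG_DISABLED = "hostname edge-sw3\nno ip http server\n"

# The advisory names IOS 12.0 through 12.1 inclusive as the affected trains.
AFFECTED_TRAINS = {(12, 0), (12, 1)}


@dataclass
class VersionInfo:
    classic_ios: bool          # identifies itself as classic IOS, per the advisory's test
    version: Optional[str]     # e.g. "12.0(5.1)XP"
    affected_train: bool       # classic IOS and major.minor in AFFECTED_TRAINS


def parse_show_version(text: str) -> VersionInfo:
    """Apply the advisory's identification rule to `show version` output."""
    classic = ("Internetwork Operating System Software" in text) or ("IOS (tm)" in text)
    m = re.search(r"Version\s+(\d+)\.(\d+)([^\s,]*)", text)
    if not m:
        return VersionInfo(classic, None, False)
    major, minor = int(m.group(1)), int(m.group(2))
    version = f"{major}.{minor}{m.group(3)}"
    return VersionInfo(classic, version, classic and (major, minor) in AFFECTED_TRAINS)


@dataclass
class HttpExposure:
    http_enabled: Optional[bool]         # None: not stated, platform default applies
    access_class: Optional[int]          # number from `ip http access-class N`
    permitted_sources: List[str] = field(default_factory=list)


def audit_http_config(config: str) -> HttpExposure:
    """Extract the HTTP server state and any access-class restriction."""
    enabled, access_class = None, None
    lines = [ln.strip() for ln in config.splitlines()]
    for ln in lines:
        if ln == "no ip http server":
            enabled = False
        elif ln == "ip http server":
            enabled = True
        else:
            m = re.fullmatch(r"ip http access-class (\d+)", ln)
            if m:
                access_class = int(m.group(1))
    permitted = []
    if access_class is not None:
        for ln in lines:
            m = re.fullmatch(rf"access-list {access_class} permit (\S+)(?: \S+)?", ln)
            if m:
                permitted.append(m.group(1))
    return HttpExposure(enabled, access_class, permitted)


def exposure_verdict(version: VersionInfo, exposure: HttpExposure) -> str:
    """Combine both checks into one operator-facing verdict."""
    if not version.affected_train:
        return "not affected: not classic IOS 12.0/12.1"
    if exposure.http_enabled is False:
        return "mitigated: HTTP server disabled"
    if exposure.access_class is not None:
        if exposure.permitted_sources:
            return "mitigated: HTTP restricted to " + ", ".join(exposure.permitted_sources)
        return f"review: access-class {exposure.access_class} has no permit entries"
    if exposure.http_enabled is None:
        return "review: HTTP state follows platform default (enabled only on 1003/1004/1005)"
    return "EXPOSED: affected IOS with unrestricted HTTP server"


if __name__ == "__main__":
    ver = parse_show_version(SHOW_VERSION)
    for cfg in (CONFIG_EXPOSED, CONFIG_RESTRICTED, CONFIG_DISABLED):
        print(exposure_verdict(ver, audit_http_config(cfg)))
```

Run against real devices by feeding the captured `show version` and `show running-config` text into the two parsers; the verdict for the advisory's own test banner is "EXPOSED" unless the config disables or restricts the server.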

Vendor notified on: July 18th, 2000

Credits:

 This vulnerability was discovered by Alberto Solino of CORE SDI,S.A.
 Buenos Aires, Argentina.

 Information regarding the extent of the problem, fixes and workarounds
 was provided by the Cisco PSIRT Team.

 This advisory was drafted with the help of the SecurityFocus.com
 Vulnerability Help Team. For more information or assistance drafting
 advisories please mail vulnhelp@securityfocus.com.


Technical Description - Exploit/Concept Code:

 By sending an HTTP request with the following URI:

  http://switch-server/cgi-bin/view-source?/

 the switch crashes and performs a software re-load; network
 connectivity is disrupted while this is done.
 By repeatedly sending such HTTP requests, a denial of
 service attack can be performed against the switch and
 the entire network connected to it.
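Because the device reloads on the first request, it will not log the event itself; detection has to come from a sensor or proxy in front of the management port. The following is an added example, not part of the advisory, that scans constructed sensor lines (the line format `time src dst method request-uri` is hypothetical) for requests to the `/cgi-bin/view-source` handler named above and reports sources that send it repeatedly, which is the DoS pattern the advisory describes. It percent-decodes the URI before matching so that an encoded `?` does not evade the check.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample sensor lines; addresses are documentation/test ranges.
SENSOR_LOG = """\
2000-10-26T17:20:01 10.10.10.1 10.1.1.1:80 GET /
2000-10-26T17:20:05 192.0.2.7 10.1.1.1:80 GET /cgi-bin/view-source?/
2000-10-26T17:20:06 192.0.2.7 10.1.1.1:80 GET /cgi-bin/view-source?/
2000-10-26T17:20:07 192.0.2.7 10.1.1.1:80 GET /cgi-bin/view-source%3F/
2000-10-26T17:20:09 10.10.10.1 10.1.1.1:80 GET /favicon.ico
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
TARGET_PATH = "/cgi-bin/view-source"   # handler named in the advisory

Hit = Tuple[str, str, str, str]        # (timestamp, src, dst, request-uri)


def is_view_source_request(uri: str) -> bool:
    """True when the decoded request path is the view-source handler.

    Decoding before splitting means an encoded '?' is treated the way a
    lenient server would treat it, so the match is not evaded by encoding.
    """
    path = urlsplit(unquote(uri)).path
    return path.rstrip("/") == TARGET_PATH


def scan(log_text: str) -> List[Hit]:
    """Return every parsable line whose request targets the handler."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # skip lines not in the expected format
        ts, src, dst, _method, uri = m.groups()
        if is_view_source_request(uri):
            hits.append((ts, src, dst, uri))
    return hits


def repeat_sources(hits: List[Hit], threshold: int = 2) -> Dict[str, int]:
    """Sources that sent the request at least `threshold` times."""
    counts = Counter(src for _ts, src, _dst, _uri in hits)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SENSOR_LOG)
    for ts, src, dst, uri in found:
        print(f"{ts} {src} -> {dst} {uri}")
    print("repeat sources:", repeat_sources(found))
```

Even a single hit is worth an alert here, since one request is enough to reload the device; the repeat count only distinguishes a probe from a sustained denial of service.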

 Tests were performed on the following switch model and
 software version:

 Cisco Internetwork Operating System Software IOS (tm)
  C2900XL Software (C2900XL-H2S-M), Version 12.0(5.1)XP, MAINTENANCE
  INTERIM SOFTWARE
  Copyright (c) 1986-1999 by cisco Systems, Inc.
  Compiled Fri 10-Dec-99 10:57 by cchang
  Image text-base: 0x00003000, data-base: 0x002BA814

 ROM: Bootstrap program is C2900XL boot loader

 Switch uptime is 21 minutes
 System returned to ROM by power-on
 System image file is "flash:c2900XL-h2s-mz-120.5.1-XP.bin"


 cisco WS-C2924-XL (PowerPC403GA) processor (revision 0x11) with
 8192K/1024K bytes of memory.
 Processor board ID 0x0E, with hardware revision 0x01
 Last reset from power-on

 Processor is running Enterprise Edition Software
 Cluster member switch capable
 24 FastEthernet/IEEE 802.3 interface(s)


Copyright notice

 The contents of this advisory are copyright (c) 2000 CORE SDI Inc. and may
 be distributed freely provided that no fee is charged for this distribution
 and proper credit is given.

$Id: CataDOS-advisory.txt,v 1.8 2000/10/25 23:46:13 iarce Exp $
---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce@core-sdi.com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================
