Date:     Mon, 17 Aug 1998 17:43:36 +0000
Reply-To: Roger Books <books@mail.state.fl.us>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Roger Books <books@mail.state.fl.us>
Subject: specifics on cisco DOS?
To: BUGTRAQ@netspace.org


Does anyone have specifics on the latest DoS on cisco routers?
http://www.cisco.com/warp/public/770/ioslogin-pub.shtml
I have been assigned the task of determining not only if
we are vulnerable, but how difficult it is to perform
the attack.
Pointers to C source/fragments would work also.  I can
reverse engineer if necessary.
Roger Books

Date:     Mon, 17 Aug 1998 14:40:39 -0400
Reply-To: Jared Mauch <jared@PUCK.NETHER.NET>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Jared Mauch <jared@PUCK.NETHER.NET>
Subject: Re: specifics on cisco DOS?
X-To: Roger Books <books@mail.state.fl.us>
To: BUGTRAQ@netspace.org
In-Reply-To: <ML-2.2.903375816.2392.books@booksr>; from Roger Books on Mon,
Aug 17, 1998 at 05:43:36PM +0000


        Vulnerability should be fairly easy to determine via
"sh ver"
        A "good" way to cause this to no longer be an issue
for you is to assign inbound-vty access-lists on your routers,
such that you can only telnet to them from certain ip addresses,
hosts, etc.
        Here's an example of your config you would need to insert
to your cisco router.
access-list 50 permit 10.20.128.0 0.0.63.255
line vty 0 4
access-class 50 in
login
!

        This will allow 10.20.128.0/18 to telnet into your router ONLY.
This will also help prevent joe-blow user from the internet
from determining your router vendor.  (Unless you do
something silly like use snmp-server community public, or don't
acl your snmp-server community public).
        A "good thing(tm)" IMHO.
        For your reference, here's the various subnet masks
from one of my cisco-acl programs, so you can do this without problems:
        Format: cidr, cidr+slash, mask, cisco inverted-mask
char lookupnfo[][4][16] = { { "32", "/32", "255.255.255.255", "0.0.0.0" },
                        {"31", "/31", "255.255.255.254", "0.0.0.1"},
                        {"30", "/30", "255.255.255.252", "0.0.0.3"},
                        {"29", "/29", "255.255.255.248", "0.0.0.7"},
                        {"28", "/28", "255.255.255.240", "0.0.0.15"},
                        {"27", "/27", "255.255.255.224", "0.0.0.31"},
                        {"26", "/26", "255.255.255.192", "0.0.0.63"},
                        {"25", "/25", "255.255.255.128", "0.0.0.127"},
                        {"24", "/24", "255.255.255.0", "0.0.0.255"},
                        {"23", "/23", "255.255.254.0", "0.0.1.255"},
                        {"22", "/22", "255.255.252.0", "0.0.3.255"},
                        {"21", "/21", "255.255.248.0", "0.0.7.255"},
                        {"20", "/20", "255.255.240.0", "0.0.15.255"},
                        {"19", "/19", "255.255.224.0", "0.0.31.255"},
                        {"18", "/18", "255.255.192.0", "0.0.63.255"},
                        {"17", "/17", "255.255.128.0", "0.0.127.255"},
                        {"16", "/16", "255.255.0.0", "0.0.255.255"},
                        {"15", "/15", "255.254.0.0", "0.1.255.255"},
                        {"14", "/14", "255.252.0.0", "0.3.255.255"},
                        {"13", "/13", "255.248.0.0", "0.7.255.255"},
                        {"12", "/12", "255.240.0.0", "0.15.255.255"},
                        {"11", "/11", "255.224.0.0", "0.31.255.255"},
                        {"10", "/10", "255.192.0.0", "0.63.255.255"},
                        { "9",  "/9", "255.128.0.0", "0.127.255.255"},
                        { "8",  "/8", "255.0.0.0", "0.255.255.255"},
                        { "7",  "/7", "254.0.0.0", "1.255.255.255"},
                        { "6",  "/6", "252.0.0.0", "3.255.255.255"},
                        { "5",  "/5", "248.0.0.0", "7.255.255.255"},
                        { "4",  "/4", "240.0.0.0", "15.255.255.255"},
                        { "3",  "/3", "224.0.0.0", "31.255.255.255"},
                        { "2",  "/2", "192.0.0.0", "63.255.255.255"},
                        { "1",  "/1", "128.0.0.0", "127.255.255.255"},
                        { "0",  "/0", "0.0.0.0", "255.255.255.255" }
                } ;

        - jared
--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
             | http://puck.nether.net/~jared/
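
Added example, not part of the original thread and not Jared's cisco-acl program: the mask and inverted-mask columns of the table above can be computed from the prefix length, which lets a table row be cross-checked and shows how the router matches a source address against "permit 10.20.128.0 0.0.63.255". The function names (netmask, wildcard, ip4, dotted, row_ok, acl_permits) are hypothetical, and the mistyped row in main() is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netmask for prefix length 0..32, e.g. 18 -> 255.255.192.0. */
uint32_t netmask(int prefix) {
    /* A 32-bit shift by 32 is undefined in C, so /0 is handled separately. */
    return prefix <= 0 ? 0u : 0xFFFFFFFFu << (32 - prefix);
}

/* Cisco wildcard (inverted) mask: a set bit means "don't care". */
uint32_t wildcard(int prefix) { return ~netmask(prefix); }

/* Pack four octets into one host-order 32-bit address. */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Format v as a dotted quad into buf (16 bytes). */
const char *dotted(uint32_t v, char buf[16]) {
    snprintf(buf, 16, "%u.%u.%u.%u", (unsigned)(v >> 24),
             (unsigned)((v >> 16) & 255), (unsigned)((v >> 8) & 255),
             (unsigned)(v & 255));
    return buf;
}

/* 1 if a table row's mask and wildcard strings agree with its prefix. */
int row_ok(int prefix, const char *mask, const char *wild) {
    char m[16], w[16];
    return strcmp(dotted(netmask(prefix), m), mask) == 0 &&
           strcmp(dotted(wildcard(prefix), w), wild) == 0;
}

/* 1 if src matches "permit <base> <wild>": only bits clear in wild compare. */
int acl_permits(uint32_t base, uint32_t wild, uint32_t src) {
    return ((src ^ base) & ~wild) == 0;
}

int main(void) {
    char b[16], w[16];
    uint32_t base = ip4(10, 20, 128, 0), wild = wildcard(18);
    printf("access-list 50 permit %s %s\n", dotted(base, b), dotted(wild, w));
    printf("base aligned to /18: %d\n", (base & wild) == 0);
    printf("10.20.191.255 permitted: %d\n", acl_permits(base, wild, ip4(10, 20, 191, 255)));
    printf("10.20.192.1 permitted: %d\n", acl_permits(base, wild, ip4(10, 20, 192, 1)));
    /* Constructed mistyped row: first octet 225 instead of 255. */
    printf("mistyped /25 row ok: %d\n", row_ok(25, "225.255.255.128", "0.0.0.127"));
    return 0;
}
```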

Date:     Tue, 25 Aug 1998 19:57:57 -0400
Reply-To: George Phillips <phillips@SPRINT.NET>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: George Phillips <phillips@SPRINT.NET>
Subject: Re: specifics on cisco DOS?
X-To: Jared Mauch <jared@PUCK.NETHER.NET>
To: BUGTRAQ@netspace.org
In-Reply-To: 19980817144039.E14746@puck.nether.net


Many providers have modems attached to the console port on their routers.
In that situation, access-lists will do you no good.  There are modems out
there that can be set up to demand a password before they will connect you
to the console port.  I would suggest looking into these.  It's always a
bad idea to be able to dialup directly to your console port...
--George
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= George Phillips                                           Sprintlink =
= email: phillips@sprint.net                    Operations Engineering =
= pager: george-pager@sprint.net                          703 689 7781 =
=-                                 -                                   -=
= "Do not meddle in the affairs of troff, for it is subtle and quick  =
=  to anger."                                                          =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=