Bugtraq mailing list archives

Cisco NAT DoS (VD#1)


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Fri, 5 Nov 1999 15:04:07 -0800


-------------------------------------------------------------------
Periodically, the moderator of the vuln-dev mailing list will post
summaries of issues discussed there to Bugtraq and possibly other relevant
lists.  This will usually happen when an issue has been resolved, or it
appears that there will be no further discussion on vuln-dev.  Each
separate issue will be given its own posting to facilitate referencing
them separately, for discussion, forwarding, or appearance in vulnerability
databases.

To subscribe to vuln-dev, send an e-mail to listserv () securityfocus com,
with the word SUBSCRIBE in the body of the message.

A FAQ and archive can be found at www.securityfocus.com-->forums-->vuln-dev
(click on these sections, the web pages are forms-based.)
-------------------------------------------------------------------

A Cisco security guy posted a message to the list asking that they be given
advance warning before posts about Cisco bugs are allowed through.  I
explained that the nature of the list is vulnerabilities that are still in
development, but that I would be happy to make sure they got a copy of any
Cisco-related problems to the e-mail address(es) of their choice.  This was
all started by this message, so clearly Cisco is aware of the issue.  As
far as I know, they haven't done anything about it.

There was no further comment on this particular issue, so I'm posting it
for wider dissemination.

                                                        BB

From:
http://securityfocus.com/templates/archive.pike?list=82&date=1999-09-8&msg=37DA76F7.2B19D7DD () thievco com

To:           Exploit-Dev
Subject:      Cute little Cisco NAT DoS
Date:         Fri Sep 10 1999 17:36:23
Author:       Blue Boar


I was doing some research the other day about Network Address Translation
(NAT) on a cisco box.  The configuration I was using when I found this
problem was NAT overload. I had an inside net, 192.168.0, and a Windows PC
sitting at 192.168.0.2.  The outside interface was another ethernet (they
were both FastEthernet, actually.. this was a 2621.)

I was playing with an FTP client on the 192.168.0.2 machine, watching the
translation tables with the sho ip nat trans command.  I was trying to see
if I could get the Cisco to open arbitrary holes to other hosts by sending
manual PORT commands.  I didn't get that to work, but I found a cute little
problem.

At the time, I was telnetted to the router from the outside, which is how I
was watching the translations table.  From the inside, I issued the command
PORT 192,168,0,2,0,23 (I was listening on port 23 with netcat).

My telnet session to the outside died.

I was a bit puzzled.  I telnetted back right away, and that worked.  I
repeated the test a few times to convince myself it was doing what I
thought it was.  Whenever I issued that PORT command, my telnet connection
died.

I have to assume that since the NAT config I used uses the router's own
(outside) IP address that the NAT is interfering with the router's own
listening ports.  Makes me wonder what else could be done with this...

                                                               BB
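
An added illustration, not code from the original post or from Cisco: a toy model of a port-preserving NAT-overload (PAT) table on a single outside address, plus a check that flags FTP PORT commands whose data-port translation would land on a port the router itself listens on, which is the collision the post describes. The outside address 203.0.113.1, the listener list and the port-preservation rule are assumptions; the privileged-port flag is a simple detection cue, since ordinary FTP clients announce ephemeral ports.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2, each 0-255; port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)

def parse_port_command(line):
    """Decode a PORT line into (ip, port); None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

class PatTable:
    """Toy NAT-overload table: all inside sockets share one outside IP (constructed model)."""
    def __init__(self, outside_ip, router_listeners):
        self.outside_ip = outside_ip                   # also the router's own address
        self.router_listeners = set(router_listeners)  # ports the router serves on it
        self.entries = {}                              # (inside_ip, inside_port) -> outside_port

    def translate(self, inside_ip, inside_port):
        """Port-preserving allocation (assumed); never checks the router's own listeners."""
        key = (inside_ip, inside_port)
        if key in self.entries:
            return self.entries[key]
        used = set(self.entries.values())
        outside_port = inside_port
        if outside_port in used:            # taken by another inside host: next free ephemeral
            outside_port = 1024
            while outside_port in used:
                outside_port += 1
        self.entries[key] = outside_port
        return outside_port

def check_port_command(line, table):
    """Verdict for one FTP control line; None unless it is a PORT command."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    inside_ip, inside_port = parsed
    outside_port = table.translate(inside_ip, inside_port)
    return {
        "inside": parsed,
        "outside": (table.outside_ip, outside_port),
        "collision": outside_port in table.router_listeners,  # lands on a router service port
        "privileged_port": inside_port < 1024,                # real clients use ephemeral ports
    }
```

Feeding the post's PORT 192,168,0,2,0,23 through check_port_command against a table whose listener set includes 23 reports the collision; a normal PORT with an ephemeral port does not.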

