Re: Cisco HTTP possible bug:

[aleph1 () SECURITYFOCUS COM (Elias Levy)]

Summary of responses in this thread:

Model           IOS version     Confirmed
-----           -----------     ----------
C2924XL         -               No
C2900X          11.2(8)SA1      No
7206            12.1(1a)T1      No
7206            12.0(9)S        Yes
5300            12.1(1.3)T      No
4000            11.0            No
3640            12.0(7)T        Yes
2621            12.0(5)T1       Yes
2514            11.2(17)        Yes
2501            12.0-4.T        Yes
2501            12.0(8)         Yes

"DANIEL RAMIREZ VALDEZ" <dramirez () cemtec com>:

Same happens using a 2501 IOS  12.0-4.T

Pakojo Samm <briareos () otherlands net> :

I send this back to the author without including the list.  I have confirmed
this on a 2501 running IOS version 12.0(8).

"Chapman, Matt" <chapmam2 () ocps k12 fl us>

confirmed on 2621 12.0(5)T1

"David DesVoigne" <ddesvoigne () synertechsystems com>:

I tested this on a 7206 VXR running IOS image 12.1(1a)T1 (IP/Plus IPSec128)
router was not affected negatively and continued normal operation after test.

tested this router with and without crypto maps enabled on the external
interfaces,  also tried removing all standard and extended access lists.  also
tried with AAA Xauth enabled and disabled, as well as "ip proxy auth" enabled
and disabled.  12.1(1a)T1 seems to be immune to this possible bug.

"Nick Wilkens" <NWilkens () Holnam com> :

Does not crash for me.

Cisco Internetwork Operating System Software=20
IOS (tm) C2900XL Software (C2900XL-H-M), Version 11.2(8)SA1, RELEASE =
SOFTWARE (fc1)
cisco WS-C2924-XL

Mike Gallagher <mikejgallagher () yahoo com>:

I have confirmed this will crash a router running 11.2.x and 12.0.x (T train
included).  I also confirmed that no authentication is necessary to perform the
DOS, but if you have an 'ip http access-class' configured, IP addresses denied
by the access-list will not be able to perform the DOS.  Interestingly enough,
Catalyst 2924XL switches (which run a form of IOS) are not vulerable.

"Greg Smythe" <zeneca () intellstat com>:

I have confirmed this on 11.2(17) on a 2514. It locks up the router, then
after about 60 seconds it reloads due to a software crash:

*Feb 28 16:00:11: %SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed
from
 0x313E670, pool I/O, alignment 0
-Process= "Init", ipl= 0, pid= 2
-Traceback= 315B6FC 315C42C 313E678 31522DA 31127FC 3122122 31221A0 310112A
30F82FE

System restarted by error - Software forced crash, PC 0x316E7FC at 15:18:57
PDT
Thu Apr 27 2000

Nerijus Krukauskas <nkrukauskas () lbank lt> :

Cisco 4000 series with IOS 11.0 are not vulnerable. Test showed no impact
on these routers.

"Adam Kaufman" <adam () securify com>:

I got the same results on a 2621 running IOS 12.0(5)T1

Christopher Rogers <phiber () phiber org>:

I've verified that this occurs on 3640's and 7206's.  3640 running
12.0(7)T and 7206 running 12.0(9)S.  Confirmed the power cycle
requirement.  5300's running 12.1(1.3)T are apparently not affected.