Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Phenoelit Advisory, 0815 ++ * - Cisco_tftp

From: kim0 <kim0 () phenoelit de>
Date: Sat, 27 Jul 2002 12:01:29 +0200

--
           kim0   <kim0 () phenoelit de>
       Phenoelit (http://www.phenoelit.de)
90C0 969C EC71 01DC 36A0  FBEF 2D72 33C0 77FC CD42

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++-->

[ Authors ]
        FX              <fx () phenoelit de>
        FtR             <ftr () phenoelit de>
        kim0            <kim0 () phenoelit de>

        Phenoelit Group (http://www.phenoelit.de)
        Advisory        http://www.phenoelit.de/stuff/Cisco_tftp.txt

[ Affected Products ]
        Cisco IOS 

        Tested on
                        IOS 11.1 - 11.3

        Cisco Bug ID:   <not assigned>
        CERT Vulnerability ID: 689579

[ Vendor communication ]
        06/29/02        Initial Notification,
                        security-alert () cisco com & psirt () cisco com
                        *Note-Initial notification by phenoelit
                        includes a cc to cert () cert org by default
        06/30/02        Human confirmation from PSIRT @ Cisco
        06/30/02 (2)    Discussion of detail
        07/01/02        Continued discussion for reproducing problem
        07/01/02        Receipt, ack. and clarification by CERT () CERT ORG
        07/03/02        Continued discussions with PSIRT
        07/19/02        Notification of intent to post publically
                        in apx. 7 days.
        07/25/02        Final coordination for release.         

[ Overview ]
        Cisco Systems Routers are the most widely used routers.  
        Cisco Routers are embedded network devices that run a dedicated 
        Operating System, the Cisco IOS.
        
[ Description ]
        The Cisco IOS integrated TFTP server suffers from a buffer overflow 
        condition. 
        When requesting a file name with approximately 700 characters, the device 
        crashes and may reboot. This only happens, if the served file is on a 
        flash device and no alias is assigned to it.

        Vulnerable:
        router# conf t
        router# tftp-server flash:ios_11.3_a-b-c-d.bin
        
        Not vulnerable:
        router# conf t
        router# tftp-server flash:ios_11.3_a-b-c-d.bin alias TheStuff
        
[ Example ]
        OpenBSD# tftp cisco53.navy.smil.mil
        tftp> get AAAAAAAAA....(700 times)

[ Solution ]
        None available at this time

[ end of file ]
Previous By Date Next
Previous By Thread Next

Current thread: