Full Disclosure mailing list archives

Re: Cisco Bug 44020 - Final Thoughts


From: <bill.noren () paetec com>
Date: Wed, 23 Jul 2003 14:20:31 -0400

I thought I'd share the final results of my testing of the recent Cisco
exploit with the list here.  I had the concern that the new IOS versions
released by Cisco would be immune to the original exploit but might not cover
variants or other protocols that are susceptible.  I recompiled the exploit
code in such a way as to run through all protocol numbers from 1 to 1024 and
ran that against my test router, a 2611 running IOS 12.1(16).  I realize
that the field that contains the protocol number is 8 bits in length, so
anything above 255 is academic, but the results were interesting.  I
witnessed failures on the following port numbers: 53, 55, 77, 103, 309 and
823.  I did NOT get a failure on protocol 46 as someone else here suggested
(do you have details on that?).  Note that if you only count the rightmost
8 bits of 309 and 823, they are the same as 53 and 55 respectively, so
there are probably a couple more numbers that also cause the failure.

I then upgraded my router to IOS 12.1(20)GD and ran my tests again, looking
for any sign of the vulnerability.  The patch appears to work well, and I
didn't find anything of note afterward except that the router seemed to
handle the input queue more efficiently.

Cheers,
-Bill

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
