RE: SSH CRC-32 Compensation Attack Detector Vulnerability on CISCO routers

From: Dario Ciccarone (dciccaro@cisco.com)
Date: Mon Jun 02 2003 - 13:23:28 EDT


It's not so easy on IOS . . .

http://www.phrack.org/show.php?p=60&a=7

> -----Original Message-----
> From: Jeremy Junginger [mailto:jj@act.com]
> Sent: Monday, June 02, 2003 11:34 AM
> To: pen-test
> Subject: SSH CRC-32 Compensation Attack Detector
> Vulnerability on CISCO routers
>
>
> Good Morning,
>
> In conducting a penetration test on a "secured VLAN"
> implementation that uses 100% OOB management, I have come
> across an exciting find! There are several terminal servers
> (25xx and 26xx series) that are running a vulnerable version
> of code (12.2) per this list: http://www.securityfocus.com/bid/2347
>
> So, naturally, I wanted to take a look at the "proof of concept code"
> at:
> http://downloads.securityfocus.com/vulnerabilities/exploits/ssh-exploit-diffs.txt

> I'm sure many of you have run into this situation. You find a service
> or application that is known to be vulnerable, and the client says "show
> me the 'sploit.'" Normally, that's a great chance to show them what
> you're capable of. In this case, I told them it is vulnerable (in
> theory) but I have not seen an exploit for it.
>
> My question is, have any of you guys played with this exploit on Cisco
> devices? I know that the shellcode would have to change (obviously from
> /bin/sh to some type of router compromising command like 'ip http
> server' or 'snmp community h4x0r RW' or something that would give you a
> nice level of access to the device). The really funny thing is that
> this exploit has been around so long, and I have yet to hear of someone
> smashing a router with it.
>
> If you have gotten this to work on a Cisco device, let me know. If not,
> I am planning on setting up a target router running only ssh for you
> guys to bang on if you want. I can set up a 25xx, 26xx, or 71xx router
> for testing, so shoot me an email if you're interested.
>
> -Jeremy



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:34 EDT