Cisco IOS GRE报文路由选项解析溢出漏洞

Vulnerability ID 1193584 Vulnerability type Buffer overflow
Published 2006-09-08 Updated 2006-09-08
CVE number CVE-2006-4650 CNNVD-ID CNNVD-200609-100
Platform N/A CVSS score 2.6
|Vulnerability sources
https://www.securityfocus.com/bid/83865
https://cxsecurity.com/issue/WLB-2006090054
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-100
|Vulnerability details
Cisco Internetwork Operating System (IOS) is the operating system used by Cisco devices. Cisco Systems IOS contains a flaw when parsing GRE packets that carry GRE source routing information; a remote attacker can cause the device to mishandle such packets. When a specially crafted GRE packet is received, the IOS device does not verify that the offset field points inside the packet. If the offset is set to a negative value, IOS subtracts the offset directly from the integer holding the total length of the IP packet, which results in an out-of-bounds buffer access. This can cause other memory contents of the packet ring buffer to be interpreted as the payload IP packet and reinjected into the routing queue with very large length information:
GRE decapsulated IP 0.3.74.0->0.0.1.30 (len=65407, ttl=39)
GRE decapsulated IP 176.94.8.0->0.0.0.0 (len=64904, ttl=0)
GRE decapsulated IP 0.15.31.193->176.94.8.0 (len=64894, ttl=237)
GRE decapsulated IP 128.42.131.220->128.0.3.74 (len=64884, ttl=128)
If an attacker can carefully fill the ring buffer with legitimate traffic that contains an IP header at the right offset, they can create IP packets with very large length values inside IOS.
|Vulnerability EXP
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +---->

[ Title ]
        Cisco Systems IOS GRE decapsulation fault

[ Authors ]
        FX              <fx (at) phenoelit (dot) de [email concealed]>

        Phenoelit Group (http://www.phenoelit.de)
        Advisory        http://www.phenoelit.de/stuff/CiscoGRE.txt

[ Affected Products ]
        Cisco IOS

        Tested on:      C3550 IOS 12.1(19)

        Cisco Bug ID:   CSCuk27655, CSCea22552, CSCei62762
        CERT Vu ID:     <not assigned>

[ Vendor communication ]
        07.07.05        Initial Notification, gaus (at) cisco (dot) com [email concealed]
        27.07.05        PSIRT realized that nobody took this bug, Paul Oxman
                        took over
        28.07.05        Paul successfully reproduces the issue
        04.08.05        Paul notifies FX about available fixes
        05.08.05        Paul notifies FX about new side effects discovered
                        by Cisco
        06.09.06        Final advisory going public as coordinated release
                        *Note-Initial notification by phenoelit
                        includes a cc to cert (at) cert (dot) org [email concealed] by default

[ Overview ]
        Cisco Systems IOS contains a bug when parsing GRE packets
        with GRE source routing information. A specially crafted GRE packet
        can cause the router to reuse packet data from unrelated
        ring buffer memory. The resulting packet is reinjected in the routing
        queues.

[ Description ]
        The GRE protocol according to RFC1701 supports source routing
        different from the one known in IPv4. An optional header is added to
        the GRE header containing Source Route Entries for further routing.
        
        GRE header:
         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |C|R|K|S|s|Recur|  Flags  | Ver |         Protocol Type         |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |      Checksum (optional)      |       Offset (optional)       |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                         Key (optional)                        |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                    Sequence Number (optional)                 |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                         Routing (optional)                    |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

        When a specially crafted GRE packet with routing information is
        received by a Cisco IOS device, the offset field is not verified
        to point inside the packet but is subtracted from what appears
        to be a short integer holding the overall length of the IP packet,
        causing an overflow of the same.

        This causes other memory contents of the packet ring buffers to
        be interpreted as the payload IP packet and reinjected into the
        routing queue with fairly large length information:

        GRE decapsulated IP 0.3.74.0->0.0.1.30 (len=65407, ttl=39)
        GRE decapsulated IP 176.94.8.0->0.0.0.0 (len=64904, ttl=0)
        GRE decapsulated IP 0.15.31.193->176.94.8.0 (len=64894, ttl=237)
        GRE decapsulated IP 128.42.131.220->128.0.3.74 (len=64884, ttl=128)

        The outer IP packet must come from the configured tunnel source
        and be sent to the configured tunnel destination IP address.

        By carefully filling the ring buffers with legitimate traffic like
        ICMP, containing an IP header at the right offset, an attacker can
        create IP packets with large length values inside IOS. PSIRT
        believes this cannot be done, Phenoelit differs on that.

[ Example ]
        Internet Protocol, 
                Src Addr: 85.158.1.110 (85.158.1.110), 
                Dst Addr: 198.133.219.25 (198.133.219.25)
            Version: 4
            Header length: 20 bytes
            Differentiated Services Field: 0x00
            Total Length: 28
            Identification: 0xaffe (45054)
            Flags: 0x00
            Fragment offset: 0
            Time to live: 30
            Protocol: GRE (0x2f)
            Header checksum: 0xf409 (correct)
            Source: 85.158.1.110 (85.158.1.110)
            Destination: 198.133.219.25 (198.133.219.25)
        Generic Routing Encapsulation (IP)
            Flags and version: 0x4000
                0... .... .... .... = No checksum
                .1.. .... .... .... = Routing
                ..0. .... .... .... = No key
                ...0 .... .... .... = No sequence number
                .... 0... .... .... = No strict source route
                .... .000 .... .... = Recursion control: 0
                .... .... 0000 0... = Flags: 0
                .... .... .... .000 = Version: 0
            Protocol Type: IP (0x0800)
            Checksum: 0x0000
            Offset: 99
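        Added example (not part of the Phenoelit advisory and not Cisco's
        code): a small C parser for the GRE header shown above that rejects
        an Offset pointing outside the packet, placed next to the unchecked
        16-bit subtraction that reproduces the wrap-around the advisory
        describes. The constructed sample headers reuse the flags and
        Offset 99 from the dump above; the 4-byte SRE header size and the
        function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 1701 flag bits in the first 16-bit word of the GRE header. */
#define GRE_C 0x8000u  /* Checksum Present */
#define GRE_R 0x4000u  /* Routing Present  */
#define GRE_K 0x2000u  /* Key Present      */
#define GRE_S 0x1000u  /* Sequence Number Present */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Mirrors the arithmetic the advisory describes: the Offset is subtracted
 * from a 16-bit length with no range check, so an Offset larger than the
 * packet wraps around to a very large "inner" length. */
uint16_t unchecked_inner_len(uint16_t ip_total_len, uint16_t offset) {
    return (uint16_t)(ip_total_len - offset);  /* wraps modulo 65536 */
}

/* Checked variant: returns the byte position (from the start of the GRE
 * header) of the active Source Route Entry, or -1 if the header is
 * truncated, carries no routing, or the Offset points outside the packet. */
int gre_active_sre(const uint8_t *gre, size_t len) {
    if (len < 4) return -1;
    uint16_t flags = be16(gre);
    if (!(flags & GRE_R)) return -1;            /* no routing present */
    size_t pos = 4;
    /* Checksum and Offset words are present together when C or R is set. */
    if (len < pos + 4) return -1;
    uint16_t offset = be16(gre + pos + 2);
    pos += 4;
    if (flags & GRE_K) pos += 4;
    if (flags & GRE_S) pos += 4;
    if (len < pos) return -1;
    /* Offset is relative to the Routing field; assume a 4-byte SRE header. */
    size_t remaining = len - pos;
    if (remaining < 4 || offset > remaining - 4) return -1;
    return (int)(pos + offset);
}

/* Constructed sample headers (not captured traffic). */
/* The page's example: R=1, protocol IP, checksum 0, Offset 99, no SRE data. */
const uint8_t gre_page_example[8] = {0x40,0x00, 0x08,0x00, 0x00,0x00, 0x00,0x63};
/* Well-formed: R=1, Offset 0, followed by one 4-byte SRE header. */
const uint8_t gre_valid[12] = {0x40,0x00, 0x08,0x00, 0x00,0x00, 0x00,0x00,
                               0x08,0x00, 0x00,0x04};
```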

[ Notes ]
        IOS implements GRE source routing as forwarding of the inner IP
        packet. Thus, a Source Route Entry of 255.255.255.255 will cause
        IOS to resend the GRE packet to the specified address according
        to the routing table (all in this case) on the appropriate 
        interface (all in this case).
        The source address of the new packet will be the router's IP 
        address, the destination address according to the received packet.
        This can be used to circumvent Access Control Lists with GRE.

[ Solution ]
        Stop using GRE. There is no way in IOS to turn off source routing
        for GRE tunnels.

        To correct the parsing issue, try to install an IOS version
        containing the fixes CSCuk27655 or CSCea22552 or CSCei62762.

[ end of file ($Revision: 1.3 $) ]

-- 
         FX           <fx (at) phenoelit (dot) de [email concealed]>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
|Affected products
Cisco IOS 12.2 Cisco IOS 12.1 Cisco IOS 12.0
|References
Source: BUGTRAQ
Name: 20060906 Cisco IOS GRE issue
Link: http://www.securityfocus.com/archive/1/archive/1/445322/100/0/threaded
Source: MISC
Link: http://www.phenoelit.de/stuff/CiscoGRE.txt
Source: CISCO
Name: 20060906 Cisco IOS GRE Decapsulation Vulnerability
Link: http://www.cisco.com/en/US/tech/tk827/tk369/tsd_technology_security_response09186a008072cd7b.html
Source: SECTRACK
Name: 1016799
Link: http://securitytracker.com/id?1016799
Source: OVAL
Name: oval:org.mitre.oval:def:5713
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5713
Source: XF
Name: cisco-ios-gre-acl-bypass(28786)
Link: http://xforce.iss.net/xforce/xfdb/28786
Source: BID
Name: 19878
Link: http://www.securityfocus.com/bid/19878
Source: OSVDB
Name: 28590
Link: http://www.osvdb.org/28590
Source: VUPEN
Name: ADV-2006-3502
Link: http://www.frsirt.com/english/advisories/2006/3502
Source: SREASON
Name: 1526
Link: http://securityreason.com/securityalert/1526
Source: SECUNIA
Name: 21783
Link: http://secunia.com/advisories/21783