Subject: Re: Cisco HTTP possible bug:
From: Elias Levy (aleph1 SECURITYFOCUS.COM)
Date: Fri Apr 28 2000 - 15:32:33 CDT
Summary of responses in this thread:
Model     IOS version   Confirmed
-----     -----------   ----------
C2924XL   -             No
C2900X    11.2(8)SA1    No
7206      12.1(1a)T1    No
7206      12.0(9)S      Yes
5300      12.1(1.3)T    No
4000      11.0          No
3640      12.0(7)T      Yes
2621      12.0(5)T1     Yes
2514      11.2(17)      Yes
2501      12.0-4.T      Yes
2501      12.0(8)       Yes
"DANIEL RAMIREZ VALDEZ" <dramirez cemtec.com>:
Same happens using a 2501 IOS 12.0-4.T
Pakojo Samm <briareos otherlands.net>:
I send this back to the author without including the list. I have confirmed
this on a 2501 running IOS version 12.0(8).
"Chapman, Matt" <chapmam2 ocps.k12.fl.us>:
confirmed on 2621 12.0(5)T1
"David DesVoigne" <ddesvoigne synertechsystems.com>:
I tested this on a 7206 VXR running IOS image 12.1(1a)T1 (IP/Plus IPSec128).
Router was not affected negatively and continued normal operation after test.
Tested this router with and without crypto maps enabled on the external
interfaces, also tried removing all standard and extended access lists. Also
tried with AAA Xauth enabled and disabled, as well as "ip proxy auth" enabled
and disabled. 12.1(1a)T1 seems to be immune to this possible bug.
"Nick Wilkens" <NWilkens Holnam.com>:
Does not crash for me.
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-H-M), Version 11.2(8)SA1, RELEASE SOFTWARE (fc1)
cisco WS-C2924-XL
Mike Gallagher <mikejgallagher yahoo.com>:
I have confirmed this will crash a router running 11.2.x and 12.0.x (T train
included). I also confirmed that no authentication is necessary to perform the
DOS, but if you have an 'ip http access-class' configured, IP addresses denied
by the access-list will not be able to perform the DOS. Interestingly enough,
Catalyst 2924XL switches (which run a form of IOS) are not vulnerable.
"Greg Smythe" <zeneca intellstat.com>:
I have confirmed this on 11.2(17) on a 2514. It locks up the router, then
after about 60 seconds it reloads due to a software crash:
*Feb 28 16:00:11: %SYS-2-MALLOCFAIL: Memory allocation of 1680 bytes failed from 0x313E670, pool I/O, alignment 0
-Process= "Init", ipl= 0, pid= 2
-Traceback= 315B6FC 315C42C 313E678 31522DA 31127FC 3122122 31221A0 310112A 30F82FE
System restarted by error - Software forced crash, PC 0x316E7FC at 15:18:57 PDT Thu Apr 27 2000
Nerijus Krukauskas <nkrukauskas lbank.lt>:
Cisco 4000 series with IOS 11.0 are not vulnerable. Test showed no impact
on these routers.
"Adam Kaufman" <adam securify.com>:
I got the same results on a 2621 running IOS 12.0(5)T1
Christopher Rogers <phiber phiber.org>:
I've verified that this occurs on 3640's and 7206's. 3640 running
12.0(7)T and 7206 running 12.0(9)S. Confirmed the power cycle
requirement. 5300's running 12.1(1.3)T are apparently not affected.
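
Mike Gallagher's report above notes that no authentication is needed, but that addresses denied by an 'ip http access-class' list cannot trigger the crash. The following Python script is an added example, not part of the original post or any Cisco tooling: it audits saved configuration text for an HTTP server left without that restriction. It assumes configs are plain text that state 'ip http server' explicitly and use numbered access lists; the hostnames, ACL numbers and addresses are constructed samples.

```python
import re

# Constructed sample configs for illustration; not taken from the thread.
SAMPLE_CONFIGS = {
    "rtr-a": "hostname rtr-a\nip http server\n",
    "rtr-b": "hostname rtr-b\nip http server\nip http access-class 10\n"
             "access-list 10 permit 192.0.2.0 0.0.0.255\n",
    "rtr-c": "hostname rtr-c\nno ip http server\n",
    "rtr-d": "hostname rtr-d\nip http server\nip http access-class 15\n",
}


def audit_http_exposure(config_text):
    """Return 'disabled', 'unrestricted', 'restricted' or 'acl-missing'."""
    lines = [line.strip() for line in config_text.splitlines()]
    # Assumption: the HTTP server is on only if 'ip http server' is present.
    if "ip http server" not in lines:
        return "disabled"
    acl = None
    for line in lines:
        m = re.fullmatch(r"ip http access-class (\S+)", line)
        if m:
            acl = m.group(1)
    if acl is None:
        # Any host that can reach the device can reach the HTTP server.
        return "unrestricted"
    # An access-class naming an ACL with no entries in this config
    # deserves a manual look, so report it separately.
    has_entries = any(
        re.match(rf"access-list {re.escape(acl)} (permit|deny) ", line)
        for line in lines
    )
    return "restricted" if has_entries else "acl-missing"


def audit_all(configs):
    """Map each device name to its HTTP exposure status."""
    return {name: audit_http_exposure(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, status in audit_all(SAMPLE_CONFIGS).items():
        print(f"{name}: {status}")
```

Devices reported as 'unrestricted' or 'acl-missing' are the ones to review first against the model and IOS version table at the top of this message.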