Subject: Cisco 678 exploit
From: George (georger NLS.NET)
Date: Wed Oct 11 2000 - 20:55:31 CDT

Let me start off by saying I'm no network expert but I found something that
I thought was rather interesting.

Setup: Cisco 678 DSL router connecting 2 machines to the internet. Machines
are using routable IP addresses (NAT is disabled) and are fully pingable
from the internet side.

By sending the following broadcast packet from Machine1, Machine2 can no
longer talk to the internet. I don't know enough about protocols to know why
but I think the broadcast is changing something in the 678 router judging
from the network sniff I ran.

Anyway, this is the packet:

00000: FF FF FF FF FF FF 00 80 29 61 9B 39 00 2C E0 E0 ........)a.9.,..
00010: 03 FF FF 00 28 00 01 00 00 00 00 FF FF FF FF FF ....(...........
00020: FF 04 53 00 00 00 00 00 80 29 61 9B 39 04 53 00 ..S......)a.9.S.
00030: 02 92 23 33 C3 00 01 00 02 00 ..#3......

It is an IPX RIP broadcast of some kind (RIPX) and within a second or two of
this packet machine2 drops off the internet. Machine2 does not have IPX
installed, only tcp/ip.

Is there anyone on this list who could help me track this down further? It
seems to me that if this is in fact affecting the router and not machine2
that this would be a very simple way for one person inside a company to
knock out the internet connection so I think it could classify as an
exploit.

Geo.
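
An added example, not part of the original post: a Python decoder for the frame quoted in the message, useful for confirming what a capture like this actually advertises. It assumes Novell 802.2 framing (LLC E0 E0 03), a 30-byte IPX header and RIP on socket 0x0453; the function and field names are illustrative.

```python
import struct

# Frame bytes copied from the hex dump in the message above.
FRAME = bytes.fromhex("""
FF FF FF FF FF FF 00 80 29 61 9B 39 00 2C E0 E0
03 FF FF 00 28 00 01 00 00 00 00 FF FF FF FF FF
FF 04 53 00 00 00 00 00 80 29 61 9B 39 04 53 00
02 92 23 33 C3 00 01 00 02 00
""")

RIP_SOCKET = 0x0453            # IPX socket used by RIP
RIP_OPS = {1: "request", 2: "response"}

def mac(b):
    return ":".join(f"{x:02X}" for x in b)

def parse_ipx_rip(frame):
    """Decode an 802.3 + 802.2 LLC frame carrying IPX RIP into a dict."""
    if len(frame) < 17:
        raise ValueError("frame too short for Ethernet + LLC header")
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500:
        raise ValueError("Ethernet II frame, not 802.3 length-encoded")
    if frame[14:17] != b"\xE0\xE0\x03":
        raise ValueError("not Novell IPX over 802.2 LLC")
    ipx = frame[17:14 + length]
    if len(ipx) < 32:
        raise ValueError("too short for IPX header + RIP operation")
    _csum, ipx_len, _tc, ptype = struct.unpack("!HHBB", ipx[:6])
    dnet, dnode, dsock = struct.unpack("!I6sH", ipx[6:18])
    snet, snode, ssock = struct.unpack("!I6sH", ipx[18:30])
    if ptype != 1 or RIP_SOCKET not in (dsock, ssock) or ipx_len < 32:
        raise ValueError("not an IPX RIP packet")
    rip = ipx[30:ipx_len]       # drops the pad byte after the IPX packet
    (op,) = struct.unpack("!H", rip[:2])
    # Each RIP entry: 4-byte network number, 2-byte hops, 2-byte ticks.
    routes = [struct.unpack("!IHH", rip[i:i + 8])
              for i in range(2, len(rip) - 7, 8)]
    return {
        "eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12]),
        "ipx_len": ipx_len, "dst": (dnet, mac(dnode), dsock),
        "src": (snet, mac(snode), ssock),
        "operation": RIP_OPS.get(op, op),
        "routes": [{"network": f"{n:08X}", "hops": h, "ticks": t}
                   for n, h, t in routes],
    }

if __name__ == "__main__":
    for key, value in parse_ipx_rip(FRAME).items():
        print(f"{key:10} {value}")
```

For this frame the decoder reports a RIP response, broadcast to socket 0x0453, advertising a single route to network 922333C3 at 1 hop and 2 ticks.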