Cisco Security Advisory: Crafted IP Option Vulnerability

Cisco_Systems_Produc · January 24, 2007, 5:00pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory ID: cisco-sa-20070124-crafted-ip-option

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

Revision 1.0

For Public Release 2007 January 24 1600 UTC (GMT)

Gadi_Evron1 · January 24, 2007, 7:32pm

How many OPK's are being released today.. anyone?

Andre_Gironda · January 25, 2007, 3:34am

Ovulation Predictor Kits?

OEM Preinstallation Kits?

-dre

Andre_Gironda · January 25, 2007, 7:38am

I would say that this would work:
http://addxorrol.blogspot.com/2007/01/one-of-most-amusing-new-features-of.html

It requires expensive software, BinNavi and IDA Pro Advanced, but
anyone equipped with those tools could do it.

I heard that parts of PaiMei work under BSD/Linux, and certainly GPF
and Autodafé could be used for fault injection during step-mode
debugging. PaiMei also uses IDA. The other tools are open-source
including PaiMei itself.

Using PyDBG in PaiMei could speed up the debugging faster than gdb by
way of scripting, which could allow things like process stalking. If
that's the case, I could invision anyone with a symbol table could get
PoC remote code execution (ala Mike Lynn and Hacking Exposed: Cisco
Networks) within 3 hours and have a reliable exploit within 10 hours.

Worm at 11.

But PaiMei doesn't do that (yet), and nobody has the rest of the
resources to accomplish this task. Right?

But, you don't really even need a symbol table if you have lots of
time to debug and design the exploit. This is more advanced and would
require somebody like Halvar Flake, FX, or Pedram Amini. All three of
which I credit for this vulnerability information feasibility
fact-finding.

So it's too late. Don't bother upgrading now; you're already owned.
Unless they are blocking it at the ISP borders in the same way they
blocked out the Cisco IPv4 Crafted DoS vulnerability in 2003. ISP's
probably got the patch (or at least Cisco's ISP's did) a week ago.
Had rolling reboots lately? Don't know why? Lots of "miscellaneous"
ISP maintenace. I wonder...

Hey Cisco - listen up. Hire some vulnerability assessors before the
future probable Month-of-Cisco-Bugs becomes Year-of-Cisco-Bugs aka
loss of 10B US dollars in revenue. Or whatever John Chambers makes,
whichever is lower.

-dre

Gadi_Evron1 · January 25, 2007, 9:19am

> How many OPK's are being released today.. anyone?
>

Ovulation Predictor Kits?

OEM Preinstallation Kits?

One Packet Killers