OPS: SECURITY new packet of death

land.c is this program

I tried it against a 7505 running 11.2(9)P and a 2511 running 11.2(7a),
with no obvious bad effects. The announcement does not indicate which
IOS versions are vulnerable; I'd love to know.

> land.c is this program

> I tried it against a 7505 running 11.2(9)P and a 2511 running 11.2(7a),
> with no obvious bad effects. The announcement does not indicate which
> IOS versions are vulnerable; I'd love to know.

Snippet of a message on bugtraq dated today..

Ascend Pipeline 50 rev 5.0Ap13          NOT vulnerable
Cisco IOS 10.3(7)                       IS vulnerable
Cisco 2511 IOS ???                      IS vulnerable
Cisco 753 IOS ???                       IS vulnerable
LaserJet Printer                        NOT vulnerable
Livingston Office Router (ISDN)         IS vulnerable
Livingston PM* ComOS 3.5b17 + 3.7.2     NOT vulnerable
NCD X Terminals, NCDWare v3.2.1         IS vulnerable

Off of another message..

I just tested land.c on a cisco 753 router running version 4.0 of the os.
It DID freeze the router when I hit it on port 23. The router wasn't able
to reach the internal lan or the wan and some lights on the front of the
router were frozen also. I couldn't ping or telnet to the router; the
only way to restart it is a hard reboot.

Where do we get a copy of that to try out?

I want to "challenge" some of our machines and routers.

Charley Kline wrote:

> land.c is this program

> I tried it against a 7505 running 11.2(9)P and a 2511 running 11.2(7a),
> with no obvious bad effects. The announcement does not indicate which
> IOS versions are vulnerable; I'd love to know.
>
> --
> Charley Kline kline@uiuc.edu
> UIUC Network Architect n stuff

I can confirm this, yet customers on 10.0 have had problems.

I would like to know whether Cisco will be letting all those people with
10.0 have free upgrades to 11.0 in view of the potential seriousness of
this bug.

Here are the results of my humble IOS testing of the land.c
denial of service 'sploit code.
-blast

IOS 11.2(9) on a 25xx

tcp0: I LISTEN 10.10.51.80:23 10.10.51.80:23 seq 3868
        SYN WIN 2048
tcp0: O LISTEN 10.10.51.80:23 10.10.51.80:23 seq 3988480078
        OPTS 4 ACK 3869 SYN WIN 4288
tcp0: I SYNRCVD 10.10.51.80:23 10.10.51.80:23 seq 3988480078
        OPTS 4 ACK 3869 SYN WIN 4288
tcp0: O SYNRCVD 10.10.51.80:23 10.10.51.80:23 seq 3869
        RST WIN 4288
tcp0: I SYNRCVD 10.10.51.80:23 10.10.51.80:23 seq 3869
        RST WIN 4288

The obvious fix is to block at your firewall, gw, and/or router any
packet with a source address/port that matches the destination
address/port.

Several Cisco IOS filters have passed through the BugTraq mailing
list to solve this problem. All of these filters can be located at:

        http://www.geek-girl.com/bugtraq

        Regards,
        Nathan Bates
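
The filtering rule described in the message above (drop any packet whose source address/port matches its destination address/port), written out as an added Python example. It is not from the thread and is not one of the BugTraq IOS filters. The names is_land_packet, screen and sample are hypothetical, and the sample packets are constructed header bytes that reuse the address shown in the debug output.

```python
import socket
import struct

TCP = 6  # IPv4 protocol number for TCP

def is_land_packet(pkt: bytes) -> bool:
    """True when an IPv4/TCP packet's source address/port equals its destination."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False                      # too short for an IPv4 header, or not IPv4
    ihl = (pkt[0] & 0x0F) * 4             # header length varies with IP options
    if ihl < 20 or pkt[9] != TCP:
        return False
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return False                      # later fragment: carries no TCP header
    if len(pkt) < ihl + 4:
        return False                      # truncated before the port fields
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return pkt[12:16] == pkt[16:20] and sport == dport

def screen(packets):
    """Split packets into (forward, drop) lists using the check above."""
    forward, drop = [], []
    for p in packets:
        (drop if is_land_packet(p) else forward).append(p)
    return forward, drop

def sample(src, dst, sport, dport, options=b"", frag=0):
    """Constructed test fixture: IPv4 + TCP SYN header bytes, checksums left zero."""
    words = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | words, 0, words * 4 + 20, 0, frag,
                     64, TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 3868, 0, 5 << 4, 0x02, 2048, 0, 0)
    return ip + options + tcp

ROUTER = "10.10.51.80"  # address taken from the debug output quoted in the thread
SAME = sample(ROUTER, ROUTER, 23, 23)                    # src == dst, sport == dport
NORMAL = sample("10.10.51.7", ROUTER, 1025, 23)          # ordinary telnet SYN
SAME_HOST = sample(ROUTER, ROUTER, 1025, 23)             # same address, ports differ
WITH_OPTS = sample(ROUTER, ROUTER, 23, 23, options=b"\x01" * 4)  # IHL = 6 words

if __name__ == "__main__":
    forward, drop = screen([SAME, NORMAL, SAME_HOST, WITH_OPTS])
    print(f"forwarded {len(forward)}, dropped {len(drop)}")
```

Reading the port fields at the offset given by the header-length nibble, instead of a fixed byte 20, keeps the check correct when IP options are present.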

Where do I get this?