Vulnerability

Cisco 76x buffer overflow

Affected

Cisco 7xx routers running IOS/700 software version 4.1(1), 4.1(2), or 4.1 interim releases earlier than 4.1(2.1).

Description

Laslo Orto found the following. He found a buffer overflow in the Cisco 76x series router. The bug exists only in the 4-user-limit software; it was not possible to reproduce it with the unlimited version.

According to Cisco, some Cisco 7xx routers can be crashed by connecting with TELNET and typing very long password strings. There is a possibility that this bug could be exploited to take complete control of the router, rather than simply crashing it.

In order to exploit the vulnerability, an attacker must have access to the password prompt. This means that the attacker must be able to TELNET to the target router, or to gain access to its console port.

This vulnerability allows attackers to force 7xx routers to reboot, denying service to legitimate users during the reboot period, and possibly causing excessive "call flapping" as routers shut down and restart. It is possible that including the right data at the right place in the too-long password string could enable an attacker to take complete control of the router. A person who succeeded in such an attack would be able to reconfigure the router or modify its functionality, theoretically in any way at all.

The exploit is pretty simple:

telnet cisco762.domain.com
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
Enter Password:Enter a veryyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy long string here

and watch the pretty lights go on as the Cisco reboots.

Solution

All Cisco 7xx routers: systems running releases earlier than 4.1 are not affected. Cisco is presently testing a software fix for this problem. The fix is expected to be ready for customer use by December 24, 1997.

URL to check is: http://www.cisco.com/warp/public/770/pwbuf-pub.shtml

The vulnerability may be avoided by controlling access to the system console port, and by restricting access to the TELNET facility to trusted hosts. TELNET access may be restricted either by using filters on firewalls or surrounding routers, or by using filters on the 7xx router itself. To restrict access to the TELNET service on a 7xx router running 4.1(x) software to a single trusted management host, use the command:

set ip filter tcp in source = not trusted-ip-address destination = 7xx-address:23 block

The command should be applied in every profile that may be active when the router is connected to a potentially hostile network.
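The affected-version boundary above (4.1 releases earlier than 4.1(2.1) affected, releases earlier than 4.1 not affected) is easy to get wrong when triaging a fleet by hand. The following is an added example, not part of the advisory or any Cisco tool: it parses IOS/700 release strings of the form shown in the advisory ("4.1(2)", "4.1(2.1)"), applies the stated boundary, and buckets a constructed inventory. The version-string grammar, the treatment of trains newer than 4.1 as outside the advisory's range, and all hostnames are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed grammar, inferred from the strings quoted in the advisory:
# major.minor(release[.interim]); "4.1(2)" is read as interim 0.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)\s*$")

# Advisory boundary: 4.1 releases earlier than 4.1(2.1) are affected.
FIRST_UNAFFECTED_41 = (2, 1)


def parse_ios700_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, release, interim), or None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, release, interim = m.groups()
    return (int(major), int(minor), int(release), int(interim or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if inside the advisory's affected range; None if unparseable,
    so an unknown version is never silently treated as safe."""
    parsed = parse_ios700_version(version)
    if parsed is None:
        return None
    major, minor, release, interim = parsed
    if (major, minor) < (4, 1):
        return False  # advisory: releases earlier than 4.1 are not affected
    if (major, minor) == (4, 1):
        return (release, interim) < FIRST_UNAFFECTED_41
    return False  # assumption: newer trains are outside the advisory's range


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket {hostname: version} into affected / unaffected / unknown."""
    buckets: Dict[str, List[str]] = {"affected": [], "unaffected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        verdict = is_affected(version)
        key = "unknown" if verdict is None else ("affected" if verdict else "unaffected")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "r761-branch": "4.1(1)",
    "r762-lab": "4.1(2.1)",
    "r765-hq": "4.0(3)",
    "r766-dev": "4.1(1.2)",
    "r762-spare": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts landing in "affected" are the ones that need the TELNET filter applied in every active profile until the fix ships; "unknown" entries should be re-checked rather than ignored.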