
Crashing PIX Firewall 5.1
Vulnerability

    Cisco

Affected

    PIX Firewall 5.1

Description

    Claudiu Calomfirescu found the following.  An attacker on either the
    inside or the outside interface of a PIX Firewall 515 or 520 running
    version 5.1.4 with aaa authentication against a TACACS+ server can
    cause the PIX to crash and reload by overwhelming it with
    authentication requests.

    Tested:

        Vulnerable Product: PIX Firewall 515, 520
        Vulnerable OS:      5.1.4 - General Deployment Release
        Non Vulnerable OS:  5.3.1 - General Deployment Release

    1. A user on the inside, without aaa permission to go out, plays a
       game (Jewels) from zapspot.com.  He knows nothing about what is
       happening in the background.
    2. At a certain point the game tries to connect to the address
       api.zapspot.com on port 80 from source port 2000.
    3. The PIX starts an authentication process, but the game is not a
       browser and the user sees nothing.  The game then retries the
       connection to api.zapspot.com port 80 from source ports 2001,
       2002, 2003 and so on, very quickly (hundreds per second).
    4. The PIX has too many authentications in progress and crashes.

    To reproduce the problem, do the following:
    1. Configure the PIX Firewall version 5.1.4 for aaa authentication
       against a TACACS+ server:

        aaa-server TACACS+ protocol tacacs+
        aaa-server RADIUS protocol radius
        aaa-server grup protocol tacacs+
        aaa-server grup (inside) host 10.10.10.20 cheia timeout 5
        aaa authentication include http outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 grup
        aaa authorization include http outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 grup
        aaa accounting include http outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 grup

    2. From an inside host, generate http requests to a global address
       on port 80 while sweeping the source port.

       In the case above, the author generated an http request from
       port 2000 and the PIX started an authentication process:

        109001: Auth start for user '???' from 10.10.10.1/2000 to 216.46.233.11/80

       after that they generated an http request from port 2001,

        109001: Auth start for user '???' from 10.10.10.1/2001 to 216.46.233.11/80

       and so on.  After 426 requests (this number is not always the
       same) generated within 3 seconds, the PIX gave the message:

        Panic: uauth1 - open: no more channels (tcp/UNPROXY/1/0)!

       and crashed in:

        Thread Name: uauth1 (Old pc 0x80070b4f ebp 0x810c56dc)

       and reloads.

    Very simple and nice.
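    The burst of 109001 "Auth start" messages that precedes the panic is
    the clearest signal a defender has that this condition is building.
    The following Python detector is an added example and is not part of
    the advisory, the author's exploit program or Cisco's software.  It
    parses PIX syslog lines in the 109001 format shown above and flags
    any source host that starts more than a threshold of authentications
    inside a short sliding window.  The sample log (syslog timestamps,
    the "%PIX-6-" prefix, the second host 10.10.10.5 and the noise line)
    and the threshold of 100 starts in 3 seconds are constructed
    assumptions; the advisory's 426 requests in 3 seconds only indicates
    the order of magnitude a real threshold should sit below.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the 109001 "Auth start" message as shown in the advisory, with an
# assumed syslog prefix ("Mon DD HH:MM:SS host %PIX-6-"); the "%PIX-6-" part
# is optional so bare "109001: ..." lines as quoted above also parse.
AUTH_START_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+"
    r"(?:%PIX-\d-)?109001:\s+Auth start for user '(?P<user>[^']*)'"
    r" from (?P<sip>[\d.]+)/(?P<sport>\d+) to (?P<dip>[\d.]+)/(?P<dport>\d+)"
)

# Syslog timestamps carry no year; an assumed year keeps parsing unambiguous.
ASSUMED_YEAR = 2001


def parse_auth_start(line):
    """Return a dict for a 109001 Auth start line, or None for any other line."""
    m = AUTH_START_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "user": m.group("user"),
        "src_ip": m.group("sip"),
        "src_port": int(m.group("sport")),
        "dst_ip": m.group("dip"),
        "dst_port": int(m.group("dport")),
    }


def detect_auth_floods(lines, threshold=100, window=timedelta(seconds=3)):
    """Flag each source IP whose Auth start count within `window` reaches
    `threshold`.  One alert per source, raised at the moment the threshold
    is crossed, so a flood is reported before the box has a chance to panic."""
    recent = defaultdict(deque)   # src_ip -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_auth_start(line)
        if ev is None:
            continue  # not an Auth start message; ignore
        q = recent[ev["src_ip"]]
        q.append(ev["ts"])
        # Drop events that have slid out of the window (lines are in time order).
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src_ip"] not in alerted:
            alerted.add(ev["src_ip"])
            alerts.append({"src_ip": ev["src_ip"], "count": len(q),
                           "first": q[0], "last": ev["ts"]})
    return alerts


def _fmt(ts, sip, sport, dip, dport):
    # Constructed line in the assumed syslog + 109001 format.
    return (f"{ts} pix %PIX-6-109001: Auth start for user '???' "
            f"from {sip}/{sport} to {dip}/{dport}")


def build_sample_log():
    """Constructed sample: one ordinary browser user (10.10.10.5) plus a
    source-port sweep from 10.10.10.1, 50 connections per second for 3 s."""
    lines = [_fmt("Mar 14 10:00:00", "10.10.10.5", 1034, "216.46.233.11", 80)]
    for i in range(150):
        sec = i // 50 + 1                       # seconds :01, :02, :03
        lines.append(_fmt(f"Mar 14 10:00:0{sec}", "10.10.10.1", 2000 + i,
                          "216.46.233.11", 80))
    # Unrelated message id (constructed) that the parser must skip.
    lines.append("Mar 14 10:00:02 pix %PIX-6-302001: Built outbound TCP connection")
    lines.append(_fmt("Mar 14 10:00:09", "10.10.10.5", 1035, "216.46.233.11", 80))
    return lines


if __name__ == "__main__":
    for a in detect_auth_floods(build_sample_log()):
        print(f"auth flood from {a['src_ip']}: {a['count']} Auth starts "
              f"between {a['first'].time()} and {a['last'].time()}")
```

    Run against a live syslog feed, the same logic can raise the alert
    while the sweep is still in its first second, well before the count
    at which the 5.1.4 box panicked; the threshold and window should be
    tuned to the normal authentication rate of the site.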

Solution

    The vendor (Cisco Systems) was notified on 14 March (TAC case number
    B215177) and so far has only asked about the environment in which
    the problem was found.  Cisco received the exploit program, the PIX
    configuration, a detailed description of what happened, the stack
    trace from the crash, and the logs.
