I thought I'd share the final results of my testing of the recent Cisco exploit with the list here. I had the concern that the new IOS versions released by Cisco would be immune to the original exploit but may not cover variants or other protocols that are susceptible. I recompiled the exploit code in such a way as to run through all protocol numbers from 1 to 1024 and ran that against my test router, a 2611 running IOS 12.1(16). I realize that the field that contains the protocol number is 8 bits in length, so anything above 255 is academic, but the results were interesting. I witnessed failures on the following port numbers: 53, 55, 77, 103, 309 and 823. I did NOT get a failure on protocol 46 as someone else here suggested (do you have details on that?). Note that if you only count the rightmost 8 bits of 309 and 823, they are the same as 53 and 55 respectively, so there are probably a couple more numbers that also cause the failure.
I then upgraded my router to IOS 12.1(20)GD and ran my tests again looking for any sign of the vulnerability. The patch appears to work well and I didn't find anything of note afterward except that the router seemed to handle the input queue more efficiently.

Cheers,
-Bill

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
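The post's observation that 309 and 823 are just 53 and 55 seen through the 8-bit IPv4 Protocol field can be checked systematically. The following is an added example, not Bill's recompiled test code and not anything from Cisco: it takes only the numbers reported in the post (the 1..1024 sweep range and the six values at which failures were seen), folds each observed value into the one-octet protocol field, and then predicts every value in the sweep that aliases to the same protocol number. The difference between the predicted alias set and the observed failures is what a reviewer would want to see before concluding the sweep covered all variants. The list of observed values is constructed from the post; the function names are my own.

```python
# Added example: fold sweep values into the 8-bit IP protocol field and
# predict which other sweep values alias to the same protocol numbers.
from typing import Dict, Iterable, List, Set

PROTO_FIELD_BITS = 8
PROTO_MASK = (1 << PROTO_FIELD_BITS) - 1  # 0xFF: the IPv4 Protocol field is one octet

# Constructed from the post: the sweep range used and the values at which
# the author reported a failure (46 was explicitly reported as NOT failing).
SWEEP_RANGE = range(1, 1025)
OBSERVED_FAILURES = [53, 55, 77, 103, 309, 823]


def fold_to_protocol(value: int) -> int:
    """Return the 8-bit protocol number a wider test value is truncated to.

    A sweep that counts past 255 cannot put the full value in the header;
    only the low-order octet survives (309 -> 53, 823 -> 55).
    """
    return value & PROTO_MASK


def real_protocols(observed: Iterable[int]) -> Set[int]:
    """Distinct on-the-wire protocol numbers behind the observed failures."""
    return {fold_to_protocol(v) for v in observed}


def aliases_in_sweep(proto: int, sweep: range = SWEEP_RANGE) -> List[int]:
    """Every sweep value that the header field would truncate to `proto`."""
    return [v for v in sweep if fold_to_protocol(v) == proto]


def analyse(observed: Iterable[int], sweep: range = SWEEP_RANGE) -> Dict[str, object]:
    """Compare observed failures against the full alias set they imply.

    Returns the real protocol numbers, the predicted aliases of each, and
    the sweep values that should have failed by this reasoning but were
    not reported; a non-empty last list means the sweep did not observe
    every alias, so the observed list alone is not a complete variant map.
    """
    observed_set = set(observed)
    protos = real_protocols(observed_set)
    predicted = {p: aliases_in_sweep(p, sweep) for p in sorted(protos)}
    expected_all = {v for vals in predicted.values() for v in vals}
    return {
        "protocols": sorted(protos),
        "predicted_aliases": predicted,
        "unobserved_expected": sorted(expected_all - observed_set),
        "observed_outside_prediction": sorted(observed_set - expected_all),
    }


if __name__ == "__main__":
    result = analyse(OBSERVED_FAILURES)
    print("real 8-bit protocol numbers:", result["protocols"])
    for proto, vals in result["predicted_aliases"].items():
        print(f"  protocol {proto:3d} aliases in sweep: {vals}")
    print("predicted but not reported:", result["unobserved_expected"])
    print("reported but not predicted:", result["observed_outside_prediction"])
```

Running it shows four real protocol numbers (53, 55, 77, 103) and sixteen sweep values that alias to them, of which only six were reported as failures; the remaining ten (311, 333, 359, 565, 567, 589, 615, 821, 845, 871) are the "couple more numbers" the post suspects. Whether a given alias was silently absorbed or simply not logged is something the sweep itself would have to answer, which is why the comparison is worth keeping alongside the raw results.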