Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-16 Thread Curt Purdy
The answer is obviously, of course!!!

Don't know what planet you're from, but the reason God put nmap here was to save 
us from the Blue Pill, aka M$.

Sent from my iPhone

On Jul 10, 2010, at 3:11 AM, Dobbins, Roland rdobb...@arbor.net wrote:

 
 On Jul 9, 2010, at 10:49 PM, Dario Ciccarone (dciccaro) wrote:
 
Cisco Security Advisory: Vulnerabilities in SNMP Message
 Processing - which can be found at
 http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml .
 The bug ID on our bug database being CSCed68575.
 
 This is a good reminder that it's always a good idea to go through the 
 relevant security advisories of the relevant vendors, ensuring that any 
 vendor-supplied fixes have been applied, before reporting a possible 
 vulnerability - especially in a public forum.
 
 The assumption is generally that OPs have taken the opportunity to do so 
 prior to posting; it's also a good reminder that this isn't necessarily the 
 case, and that due diligence is something to which everyone can contribute.
 
 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
 
Injustice is relatively easy to bear; what stings is justice.
 
-- H.L. Mencken
 
 
 
 
 
 This list is sponsored by: Information Assurance Certification Review Board
 
 Prove to peers and potential employers without a doubt that you can actually 
 do a proper penetration test. IACRB CPT and CEPT certs require a full 
 practical examination in order to become certified. 
 
 http://www.iacertification.org
 
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-10 Thread Dobbins, Roland

On Jul 9, 2010, at 10:49 PM, Dario Ciccarone (dciccaro) wrote:

   Cisco Security Advisory: Vulnerabilities in SNMP Message
 Processing - which can be found at
 http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml .
 The bug ID on our bug database being CSCed68575.

This is a good reminder that it's always a good idea to go through the relevant 
security advisories of the relevant vendors, ensuring that any vendor-supplied 
fixes have been applied, before reporting a possible vulnerability - especially 
in a public forum.

The assumption is generally that OPs have taken the opportunity to do so prior 
to posting; it's also a good reminder that this isn't necessarily the case, and 
that due diligence is something to which everyone can contribute.
 
---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-09 Thread Dario Ciccarone (dciccaro)
 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi there:

Once again, this is Dario Ciccarone with the Cisco PSIRT. This
email's purpose is to provide our conclusions on the investigation we
performed on this issue. 

First, we would like to thank Mr. Shang Tsung for his help and
cooperation during our investigation - Mr. Tsung did indeed provide
the Cisco PSIRT with all the information required to investigate and
reproduce the issue.

Second, this *is* indeed a vulnerability on Cisco IOS that *can be
triggered* by an nmap scan. But before everyone runs to the nearest
Linux box to run an nmap scan against their neighbor's network and
attempts to trigger it: this is a *known* and *previously publicly
disclosed* vulnerability, for which the Cisco PSIRT published an
advisory back in 2004:

Cisco Security Advisory: Vulnerabilities in SNMP Message
Processing - which can be found at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml .
The bug ID on our bug database being CSCed68575.

The original advisory did make clear that the effect of the
vulnerability would be a crash and reload of the device, provided
workarounds and as usual on Cisco Security Advisories, a list of
fixed software releases.

At this time, we consider the case closed. And again, we would like
to thank Mr Tsung for his help and cooperation on driving this issue
to a satisfactory outcome.

<bit of advertising follows>

Cisco provides access to our Security Vulnerability Policy at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
- which includes not only information on how to contact the
Cisco PSIRT, but details on the process we follow with any reported
vulnerability.

Cisco PSIRT greatly appreciates the opportunity to work with
researchers on security vulnerabilities and welcomes the opportunity
to review and assist in product reports. Any researcher or customer,
with or without a support contract, is encouraged to contact us at
ps...@cisco.com so we can work together on the investigation of any
purported security vulnerability on any Cisco product.

</bit of advertising ends>

Thanks,
Dario

Dario Ciccarone dcicc...@cisco.com
Incident Manager - CCIE #10395 
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
+1 212 714 4218
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt
 -Original Message-
 From: listbou...@securityfocus.com 
 [mailto:listbou...@securityfocus.com] On Behalf Of Shang Tsung
 Sent: Wednesday, June 30, 2010 7:04 AM
 To: pen-t...@securityfocus.com
 Subject: Should nmap cause a DoS on cisco routers?
 
 Hello,
 
 Some days ago, I had the task to discover the SNMP version that our
 servers and networking devices use. So I ran nmap using the
 following command:
 
 nmap -sU -sV -p 161-162 -iL target_file.txt
 
 This command was supposed to use UDP to probe ports 161 and 162, which
 are used for SNMP and SNMP Trap respectively, and return the SNMP
 version.
 
 This innocent command caused most networking devices to crash and
 reboot, causing a Denial of Service attack and bringing down the
 network.
 
 Now my question is.. Should this have happened? Can nmap bring the whole
 network down from one single machine?
 
 Is this a configuration error of the networking devices?
 
 This is scary...
 
 Shang Tsung

-BEGIN PGP SIGNATURE-
Version: PGP 8.1

iQA/AwUBTDdE+4yVGB+6GuDwEQJBbgCgxILU27FqQ3mlH49cYL+txC3WCC4An0Zd
rGZ0NHYdaCYN4tGKCCeKLx/s
=nauF
-END PGP SIGNATURE-



Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-09 Thread bk

On Jul 9, 2010, at 8:49 AM, Dario Ciccarone (dciccaro) wrote:

 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hi there:
 
   Once again, this is Dario Ciccarone with the Cisco PSIRT. This
 email's purpose is to provide our conclusions on the investigation we
 performed on this issue. 
 
 <snip>
   Second, this *is* indeed a vulnerability on Cisco IOS that *can be
 triggered* by an nmap scan. But before everyone runs to the nearest
 Linux box to run an nmap scan against their neighbor's network and
 attempts to trigger it: this is a *known* and *previously publicly
 disclosed* vulnerability, for which the Cisco PSIRT published an
 advisory back in 2004:

Handy flow chart for handling possible bug discoveries:
http://www.smtps.net/images/i-think-i-found-a-bug.jpg

(I'm sure this will come back to haunt me at some point)

--
chort


Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-08 Thread Benji
 to improve HP run nmap -A --allports <printsvr IP> on your network daily!

nmap -A -p9100-9107 <printsvr IP>

FTFY.

On Wed, Jul 7, 2010 at 9:52 AM, coderman coder...@gmail.com wrote:
 On Thu, Jul 01, 2010 at 08:01:26PM -0400, Dan Kaminsky wrote:
 ...  If we can't get pissed, how is that QA guy supposed
 to block shipment?

 On Tue, Jul 6, 2010 at 11:15 PM, Fyodor fyo...@insecure.org wrote:
 Absolutely!  And while people are in a mood to pressure vendors of
 crappy networking devices, please talk to Hewlett-Packard!

 to improve HP run nmap -A --allports <printsvr IP> on your network daily!

 i support this message.

 Kaminsky/Fyodor++

 (extra credit for a scapy bot :)


Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-08 Thread coderman
On Thu, Jul 8, 2010 at 3:58 AM, Benji m...@b3nji.com wrote:
 to improve HP run nmap -A --allports <printsvr IP> on your network daily!

 nmap -A -p9100-9107 <printsvr IP>

 FTFY.

sir, this is Hewlett-Packard. don't be foolish.

if you do this they'll release a patch to bind port 9200...



Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-07 Thread Fyodor
On Thu, Jul 01, 2010 at 08:01:26PM -0400, Dan Kaminsky wrote:
 Permanent DoS's are unacceptable even from intentionally malicious  
 traffic, let alone a few nmap flags.

Hi Dan.  I agree, and this wasn't even a very intense Nmap scan (see
Brandon Enright's summary at
http://seclists.org/pen-test/2010/Jun/68).

 I will grant you that network  
 isolation is indeed best practice, but broken code is not something to  
 apologize for or mitigate against.  It's something to apply real  
 pressure against.  If we can't get pissed, how is that QA guy supposed  
 to block shipment?

Absolutely!  And while people are in a mood to pressure vendors of
crappy networking devices, please talk to Hewlett-Packard!  Out of all
the devices, operating systems, ports, and protocols out there, only
one is so fragile and insecure that we had to exclude it from Nmap
version detection by default.  That is HP JetDirect (TCP ports
9100-9107).  No matter what random crap you spew at the port, it will
generally either crash the machine or start spewing out paper.  When
Nmap version detection was first released 7 years ago, we had so much
immediate feedback about HP printer problems that we temporarily
blocked those ports by default to give HP a chance to fix the
problems.  We're still waiting for that to happen!  The HP printer I
bought this year still goes haywire and starts beeping and spewing
paper if I enable the HP JD ports by scanning it with 
nmap -A --allports hostname.

We even tried to understand the protocol and wrote a cute little Nmap
NSE script to set an HP printer's status message (to things like
"insert 25 cents", heh).  Even that simple program, which didn't
require any authentication, crashed HP printers so often that we
abandoned development.

Pardon my mini-rant, but I agree completely that network device makers
such as HP need to start showing some resiliency.  If Nmap can crash
them by accident, how can they be expected to hold up to real attacks?

Cheers,
Fyodor



Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-07 Thread coderman
 On Thu, Jul 01, 2010 at 08:01:26PM -0400, Dan Kaminsky wrote:
 ...  If we can't get pissed, how is that QA guy supposed
 to block shipment?

 On Tue, Jul 6, 2010 at 11:15 PM, Fyodor fyo...@insecure.org wrote:
 Absolutely!  And while people are in a mood to pressure vendors of
 crappy networking devices, please talk to Hewlett-Packard!

to improve HP run nmap -A --allports <printsvr IP> on your network daily!

i support this message.

Kaminsky/Fyodor++

(extra credit for a scapy bot :)


Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Florian Weimer
* Roland Dobbins:

 On Jul 1, 2010, at 11:12 PM, Florian Weimer wrote:

 And it's certainly a bug worth fixing. 

 I doubt it's a 'bug' which can be 'fixed', just the same as sending
 enough legitimate HTTP requests to a Web server to bring it to its
 knees isn't a 'bug' which can be 'fixed', but rather a DoS which
 must be mitigated via a variety of mechanisms.

I was referring to single-packet (or single-request) crashers.
Reputable vendors still ship devices that have those bugs in 2010.

Chances are that Shang Tsung's nmap run triggered one of those.  As I
wrote, it happened before.  The nmap command line posted further
upthread does not actually cause a high pps flood.  Such a level of SNMP
scanning is quite common in enterprise networks because some printer
drivers use it to locate printers, so your network devices are better
prepared to handle that.

And even if you applied control plane protection, you still need to
monitor those devices from your management network.  The brittleness
described in this thread makes this an extremely risky endeavor: one
typo in your Perl script, and your network is gone, even if the
monitoring station never had the credentials for enable access.
Those bugs might not be security-relevant, but they can be very
annoying nevertheless.

-- 
Florian Weimer            fwei...@bfk.de
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99



Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dobbins, Roland

On Jul 2, 2010, at 4:45 PM, Florian Weimer wrote:

 Those bugs might not be security-relevant, but they can be very annoying 
 nevertheless.


I agree, if it's bugs we're discussing - my guess is, we aren't dealing with a 
bug in this instance, given that the original poster seemed to indicate a 
variety of devices exhibiting this behavior, but simply causing enough packets 
to be punted to the RP to cause a DoS condition.  

Time will tell.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Thierry Zoller

 Those bugs might not be security-relevant, but they can be very annoying
 nevertheless.
Three letters, C I A - guess what property can be remotely triggered.
There is no discussion whether this is security-relevant.


Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Thierry Zoller

Slippery Slopes everywhere :

DR> Again, causing the RP CPU to go to 100% due to punted
DR> management-plane traffic isn't a new phenomenon
1. Nobody claimed it to be a new phenomenon
2. He is not saturating anything.

DR> Of course PSIRT will ask for details, as they should; my point is
DR> that there's likely nothing new to see here,
Oh that's the point now? I thought your point was that it is not a security
bug.
I agree on the "nothing new here"; "new" however is not a relevant
attribute to decide on whether it is a vulnerability or not.

DR> Even if there is something new, here - which I doubt - it's
DR> important that folks understand that there are BCPs they can
We heard your BCPs and XZY clearly, doesn't make it less of a
vulnerability.

DR> The original poster asked if this were a configuration issue -
DR> and the answer is, yes
Interesting, how do you know ?
1. you do not know what caused the problem
2. you obviously do not know what packets caused the problems

If it is a default configuration and you can remotely cause a
denial of service condition : it is a vulnerability.

If it is a non standard configuration and you can remotely cause a
denial of service condition : it is a vulnerability.

DR> vulnerabilities - as opposed to merely saturating the RP of a
DR> given network device with management-plane traffic.  Some of them
Last time : He appears to not be saturating anything. nmap -sV does
surely not create saturation...

DR> And many of them could be mitigated via BCPs until such time as
DR> fixed code could be deployed, as well.
There it is again, BCP. Is this the new IDS ?



Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Champ Clark III [Softwink]
On Fri, Jul 02, 2010 at 09:45:20AM +, Florian Weimer wrote:
  On Jul 1, 2010, at 11:12 PM, Florian Weimer wrote:
  And it's certainly a bug worth fixing. 
 
  I doubt it's a 'bug' which can be 'fixed', just the same as sending
  enough legitimate HTTP requests to a Web server to bring it to its
  knees isn't a 'bug' which can be 'fixed', but rather a DoS which
  must be mitigated via a variety of mechanisms.
 
 I was referring to single-packet (or single-request) crashers.
 Reputable vendors still ship devices that have those bugs in 2010.
 
 Chances are that Shang Tsung's nmap run triggered one of those.  As I
 wrote, it happened before.  The nmap command line posted further
 uptrhead does not actually cause a high pps flood.  Such level of SNMP
 scanning is quite common in enterprise networks because some printer
 drivers use it to locate printers, so your network devices are better
 prepared to handle that.

One environment that I've noticed this is 'acceptable',  in the
eyes of the network management,  is VoIP installations.   I've done
assessments in several large scale,  production level VoIP installations
and in many cases,  you'll run into the same potential DoS when using
tools like nmap.   I've noticed that even if the organization has a 
very capable security staff,  in many cases,  they don't get to touch
the VoIP network due to its 'magical' properties (IMHO).   I won't
even go into the obvious lack of security practices (no IDS/IPS,  very
out of date systems, etc) in such networks due to the 'magic' of these
networks.  

It sometimes seems that no matter how lightly you try to 
tread,  you'll find these things.   Be it due to the lack of security within
the network or an actual vendor problem.

I've seen this across the board.  Cisco,  Avaya (Nortel)
installations down to out-of-date Asterisk based installations.  

In one case,  we found a potential DoS condition with a vendor's
product.  Getting the vendor to look into it was no problem.  Getting 
the _client_ to work with the vendor on addressing the issue was a 
complete pain!  The response from the client was,  'just don't run 
any scanners (nmap included) within the network'.   Yes,  put that 
in the /etc/motd so that attackers know not to do that :)

Somehow,  I don't find that acceptable. 

Again,  it's an environment that's 'magical' and not well
understood so once it's 'working',  don't touch anything!

 And even if you applied control plane protection, you still need to
 monitor those devices from your management network.  The brittleness
 described in this thread makes this an extremely risky endeavor: one
 typo in your Perl script, and your network is gone, even if the
 monitoring station never had the credentials for enable access.
 Those bugs might not be security-relevant, but they can be very
 annoying nevertheless.

Couldn't agree with you more.  _When_ and _if_ they apply
control plane protection.  I don't know what the rest of the list's 
experience is with VoIP networks,  but in many cases they seem to
be stuck in the way-back-machine in regards to network security. 
Not always,  but a heck of a lot.  Accidental 'DoS' conditions seem
to pop-up a lot in these environments,  IMHO.  

-- 
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
 http://www.softwink.com

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Christian Sciberras
 I've noticed that even if the organization has a
very capable security staff
 Again,  it's an environment that's 'magical' and not well
understood so once it's 'working',  don't touch anything!

If you call that capable security staff I'd expect you to call Windows a
unix-like os...

 typo in your Perl script, and your network is gone, even if the
Simple, Perl is quite difficult to maintain. If you can't maintain it and
understand it very little, *then DON'T use it*.

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Champ Clark III [Softwink]
On Fri, Jul 02, 2010 at 01:31:07PM +0200, Christian Sciberras wrote:
  I've noticed that even if the organization has a
 very capable security staff
  Again,  it's an environment that's 'magical' and not well
 understood so once it's 'working',  don't touch anything!
 
 If you call that capable security staff I'd expect you to call Windows a
 unix-like os...

Hah.  I probably didn't make my point properly.   They _have_
a capable security staff that was instructed by upper management
_not_ to touch the VoIP network.   They _wanted_ to,  but were 
instructed to 'stay away!'.   Sad state. 


-- 
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
 http://www.softwink.com

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dobbins, Roland

On Jul 2, 2010, at 5:59 PM, Thierry Zoller wrote:

 There it is again, BCP. Is this the new IDS ?


BCP = Best Current Practice = iACLs, CoPP, et. al.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken
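A worked sketch of the two BCPs Roland names, iACLs and CoPP, as they would look on a Cisco IOS device, added here as an example; it is not from the thread, from Cisco, or from Arbor Networks. The management range 10.0.0.0/24, the device address range 192.0.2.0/24, the interface name, the community string and the policer rates are placeholders I chose, not values from the thread.

```cisco
! Constructed example. Assumed placeholders:
!   10.0.0.0/24   = management stations (monitoring, scanners)
!   192.0.2.0/24  = the device's own addresses
!   Gi0/0         = the untrusted-facing interface

! --- Weak setting: the SNMP agent answers any source that can reach it ---
! snmp-server community public RO
! With this, an SNMP probe from anywhere on the network is parsed by the
! agent, which is what the thread's nmap run ended up exercising.

! --- Hardened: scope the agent, filter at the edge, police the control plane ---

! 1. The agent itself only talks to management stations (and logs the rest).
ip access-list standard SNMP-MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
snmp-server community PLACEHOLDER-RO-STRING RO SNMP-MGMT-HOSTS

! 2. Infrastructure ACL (iACL): SNMP and traps toward device addresses are
!    accepted only from the management range; everything else to those
!    addresses on 161/162 is dropped before it reaches the agent at all.
ip access-list extended IACL-EDGE
 permit udp 10.0.0.0 0.0.0.255 192.0.2.0 0.0.0.255 eq snmp
 permit udp 10.0.0.0 0.0.0.255 192.0.2.0 0.0.0.255 eq snmptrap
 deny   udp any 192.0.2.0 0.0.0.255 eq snmp
 deny   udp any 192.0.2.0 0.0.0.255 eq snmptrap
 permit ip any any
interface GigabitEthernet0/0
 description untrusted edge (assumed interface name)
 ip access-group IACL-EDGE in

! 3. Control-plane policing (CoPP): whatever SNMP still gets punted to the
!    route processor is rate-limited so a burst cannot starve the RP.
!    Rates are illustrative; tune them from observed management traffic.
ip access-list extended COPP-SNMP
 permit udp any any eq snmp
 permit udp any any eq snmptrap
class-map match-all COPP-SNMP-CLASS
 match access-group name COPP-SNMP
policy-map COPP-POLICY
 class COPP-SNMP-CLASS
  police 64000 8000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP-POLICY
```

`show policy-map control-plane` reports conform and exceed counters per class, so SNMP being rate-limited at the route processor shows up in routine monitoring rather than as a surprise. Two caveats follow from the rest of the thread: the policer addresses the volumetric case Roland describes and the scoped community keeps untrusted sources away from the agent, but neither changes how the agent parses a packet from a permitted source, so the fixed release listed in the 2004 advisory remains the actual fix for CSCed68575; and Florian's monitoring station is exactly such a permitted source, so its scans and scripts still need to be exercised against patched code.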


Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Michal
On 02/07/2010 12:34, Champ Clark III [Softwink] wrote:
 On Fri, Jul 02, 2010 at 01:31:07PM +0200, Christian Sciberras wrote:
 I've noticed that even if the organization has a
 very capable security staff
 Again,  it's an environment that's 'magical' and not well
 understood so once it's 'working',  don't touch anything!

 If you call that capable security staff I'd expect you to call Windows a
 unix-like os...

   Hah.  I probably didn't make my point properly.   They _have_
 a capable security staff that was instructed by upper management
 _not_ to touch the VoIP network.   They _wanted_ to,  but were
 instructed to 'stay away!'.   Sad state.



The worst thing is companies will let you rent equipment so you could 
easily rent the essentials and work through your changes until you know 
how to do it with little disruption. The cost of hiring some equipment 
would be little compared to what you ultimately are causing by ignoring 
the problem and saying "don't touch it".


Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dobbins, Roland

On Jul 2, 2010, at 5:59 PM, Thierry Zoller wrote:

 If   it   is   a  default  configuration  and you can remotely cause a
 denial of service condition  :  it  is a vulnerability.
 
 If   it   is   a non standard configuration  and you can remotely cause a
 denial of service condition  :  it  is a vulnerability.


If the DoS is volumetric in nature - i.e., causing lots of packets to be punted 
to the RP, thus overwhelming the processing of the device and causing it to 
drop control-plane traffic - that's not a vulnerability, in the classic sense 
(i.e., a code-based exploit of some kind), especially given that it can be 
mitigated via BCPs.  

Otherwise, you'd classify any and all DDoS as vulnerabilities, too - and while 
many of them are in fact *architectural* or *design* flaws, they're still not 
vulnerabilities in the sense that most of the people on this list use the term.

Having spent a great deal of time concentrating on the 'A' part of the C-I-A 
triad, I agree with you 100% that A is as important (more important, in my 
estimation) than the other legs of the triad; but running around claiming that 
there's some 'vulnerability' which must be patched, when a) we don't know that 
for a fact, b) it seems rather unlikely, given past experience and the symptoms 
reported, and c) exhibiting some bizarre antipathy towards implementing 
industry BCPs doesn't really help, very much.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken


Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dobbins, Roland

On Jul 2, 2010, at 5:54 PM, Champ Clark III [Softwink] wrote:

 Accidental 'DoS' conditions seem to pop-up a lot in these environments,  
 IMHO. 


Availability is the most important, yet least-understood element of the C-I-A 
triad, IMHO.  And not just on public-facing networks, but in private networks 
which often support mission-critical applications, as you describe.

I've found that talking about DoS strictly in terms of loss of availability, 
along with the business impact of a given system or systems suffering a total 
loss of availability, is sometimes effective in explaining the risks to 
non-technical decisionmakers and convincing them to allocate resources to 
improve their security postures.  In other words, 'phones not working', 'orders 
can't be processed', 'supply-chain requests can't be fulfilled', 'sales staff 
can't record sales', and so forth.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken


Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Thierry Zoller
Hi Roland,

Was not aware of the acronym - BCP is generally used for Business
continuity plan in the industry.



DR On Jul 2, 2010, at 5:59 PM, Thierry Zoller wrote:

 There it is again, BCP. Is this the new IDS ?


DR BCP = Best Current Practice = iACLs, CoPP, et al.

DR ---
DR Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

DR Injustice is relatively easy to bear; what stings is justice.

DR -- H.L. Mencken







-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dobbins, Roland

On Jul 2, 2010, at 7:43 PM, Thierry Zoller wrote:

 Was not aware of the acronym - BCP is generally used for Business
 continuity plan in the industry.

I remember an interview with RMS many years ago; he was asked what he thought 
was the most pressing problem in computer science.  

After thinking for a moment, he replied, The fact that there are only about 
19,000 three-letter acronyms.

;

Networking folks, especially in the SP arena, often refer to 'best current 
practices', or BCPs, meaning the features/techniques/architectural principles 
one ought to implement as a matter of course when 
designing/deploying/operating/maintaining networks and their supporting 
ancillary infrastructure.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread coderman
On Fri, Jul 2, 2010 at 3:54 AM, Champ Clark III [Softwink]
ch...@softwink.com wrote:
..  I've noticed that even if the organization has a
 very capable security staff, in many cases, they don't get to touch
 the VoIP network due to its 'magical' properties

c.f. Dunning–Kruger effect. [1]  it is well represented in this
thread, if not this entire list...


1. The Dunning–Kruger effect
http://en.wikipedia.org/wiki/Dunning-Kruger_effect



Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dan Kaminsky
 DR And many of them could be mitigated via BCPs until such time as
 DR fixed code could be deployed, as well.
 There it is again, BCP. Is this the new IDS ?


Best Practices are what forms when Ops guys are given broken systems and
told to make them work.

This isn't meant in a derogatory way.  Do you like things working?  I sure
do.  If it takes rules like don't run trivial networking scanners on the
VoIP network to keep the phones running, well, guess what.

There is a problem that this masks issues.  Attackers aren't exactly known
for saying, I'd own your network, but that would violate best practices, so
I won't.  VoIP code (speaking from fairly direct experience) is
aggressively fragile, partially since it comes from a background where the
presumption was that all traffic was trusted, and partially because the
specs are so hideously turgid.

In the short run, best practices are the only way to keep this stuff
stable.  In the long run...what's that?  Just gotta get to the next
quarter...

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Mailing lists at Core Security Technologies
Hello Mr. Dobbins.

Normally, I'd not reply to this post but something about it prompted me
to do it.

Dobbins, Roland wrote:
 On Jul 2, 2010, at 7:01 AM, Dan Kaminsky wrote:
 
 Permanent DoS's are unacceptable even from intentionally malicious
 traffic, let alone a few nmap flags. They're unacceptable to us,
 they're unacceptable to Microsoft (see: MSRC bug bar), and even
 Cisco PSIRT has shown up on thread desiring to clean things up.
 
 Again, causing the RP CPU to go to 100% due to punted
 management-plane traffic isn't a new phenomenon - it's
 well-understood amongst network operators, as are BCPs which mitigate
 the risk of such an occurrence.

This is an obvious fallacy. Here's why:

You've unilaterally decided that your interpretation of the original
message from Shang Tsung is the correct one. Namely that what caused the
devices to *crash and reboot* was the amount of traffic they were
receiving on the SNMP ports. His email did not state such thing.

Then on the basis of taking your own assumption as truth and not based
on factual data you then proceed to dismiss the problem as nothing new
or worthy of discussion but simply a matter of improper configuration or
network architecture.

You may or may not be wrong but at this point in the thread and without
actual evidence (packet dumps, repro steps, someth...@!#) it's simply
anybody's guess what actually happened to Mr. Shang's networking devices
of unknown brands and models, running unknown firmware.

You and others then proceeded to implicitly assume that Mr. Shang's
devices are in fact Cisco gear by speculating about what PSIRT should or
should not do (Juniper's team is called SIRT, 3Com's is SRT and Huawei's
is NSIRT...)

Now, further down the email thread somebody from Cisco's PSIRT actually
chimed in (hola Dario!) asking for technical details.

Perhaps we too should ask and wait for actual data from Mr. Shang and
defer for later the construction of hypothetical explanations that are
as robust as a Brazilian soccer team with a 1-goal lead.

-ivan



Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dobbins, Roland

On Jul 3, 2010, at 2:05 AM, Mailing lists at Core Security Technologies wrote:

 Perhaps we should too ask and wait for actual data from Mr. Shang 

I acknowledged this deeper in the thread - and also noted that since I've seen 
the same kind of reported behavior not above two or three hundred times in the 
past, that it sure looks like a classic RP DoS due to punted management-plane 
traffic.

I used to work for Cisco, and have the highest respect for the PSIRT team; I'm 
sure if there's an issue beyond simple BCPs, they'll resolve it.

In the meantime, everyone should ensure that their networks disallow control- 
and management-plane traffic from unauthorized nodes via iACLs, CoPP, et al.; 
and also investigate rate-limiting management- and control-plane traffic in a 
situationally-appropriate manner via CoPP, HWRL, et al.
---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken
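A concrete form of the iACL plus CoPP configuration that the post above recommends, added here as an illustration; it is not part of the thread and not Cisco's own documentation. It uses Cisco IOS syntax. The addresses (203.0.113.0/24 as the management subnet allowed to poll SNMP, 192.0.2.0/24 as the routers' own infrastructure address space, both RFC 5737 documentation ranges), the interface name GigabitEthernet0/0 and the policing rates are assumptions chosen for the example:

```cisco
! Added example, not from the thread: an infrastructure ACL (iACL) plus a
! Control-Plane Policing (CoPP) policy in Cisco IOS syntax.
! Assumed addresses (RFC 5737 documentation ranges, chosen for this example):
!   203.0.113.0/24 = management subnet that is allowed to poll SNMP
!   192.0.2.0/24   = the routers' own (infrastructure) address space
!
! --- 1. iACL: applied inbound on edge interfaces. Only traffic destined to
!        the infrastructure addresses themselves is filtered; transit traffic
!        is permitted unchanged at the end of the list.
ip access-list extended INFRA-ACL
 remark management subnet may reach SNMP and SSH on infrastructure addresses
 permit udp 203.0.113.0 0.0.0.255 192.0.2.0 0.0.0.255 eq snmp
 permit tcp 203.0.113.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
 remark add permits for required peers here (BGP neighbours, IGP, NTP, ...)
 permit icmp any 192.0.2.0 0.0.0.255 echo
 remark everything else aimed at the infrastructure itself is dropped
 deny   ip any 192.0.2.0 0.0.0.255
 remark transit traffic is not the iACL's concern
 permit ip any any
!
interface GigabitEthernet0/0
 description edge uplink (assumed interface name)
 ip access-group INFRA-ACL in
!
! --- 2. CoPP: SNMP that still reaches the route processor is policed, so
!        even a scan from an authorised management host cannot drive the
!        RP CPU to 100%. Rates are illustrative; size them from measured
!        polling load.
ip access-list extended COPP-SNMP
 permit udp any any eq snmp
 permit udp any any eq snmptrap
!
class-map match-all COPP-CLASS-SNMP
 match access-group name COPP-SNMP
!
policy-map COPP-POLICY
 class COPP-CLASS-SNMP
  ! 64 kbit/s committed rate, 8000-byte burst; excess is dropped before the RP
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! Verification: class counters should rise during normal polling and the
! exceed counter should rise, without RP CPU saturation, during a scan.
! show policy-map control-plane
! show access-lists INFRA-ACL
```

Two points the thread's argument turns on: an `snmp-server community ... RO <acl>` restriction on the agent alone does not address the punt problem, because by the time the agent consults that ACL the packet has already been punted to the route processor and has consumed CPU; the iACL and CoPP act before that. And hardware rate limiters (the HWRL mentioned above) are platform-specific and configured differently per platform, so CoPP in the generic form shown is the portable piece; check the platform's own documentation for what it can police in hardware.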





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread AMILABS
Look at my old report from 03 on how an IOS bug can be exploited from just
one packet. It may provide some ideas for those wanting to test this Nmap
issue. 

http://amilabs.com/ami-ciscoexploit.pdf



-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Dobbins,
Roland
Sent: Thursday, July 01, 2010 9:31 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?


On Jul 2, 2010, at 8:13 AM, Lee wrote:

  so presumably the scan came from a network that had full access to the
routers.

One question is whether or not the network in question *should* have full
access to the management plane of the routers.

;

  That's a bit harder to defend against.


Sure, but also note that CoPP, HWRL, and the like can help, depending upon
the platform.

Don't get me wrong; this should be investigated further, and PSIRT are on
it.  My point is that folks don't need to go into panic mode, but should
educate themselves as to how to defend their network infrastructure against
attack and then deploy the relevant BCPs.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Thierry Zoller
Hi Shang,

If this is possible you have found a vulnerability. Any way to
remotely cause DoS with special or harmless code is per se a
vulnerability.

Instead of telling somebody not to scan with -sV you are better off
reporting the vulnerability(ies)

Regards,
Thierry

coc During my training classes I always tell the -sV switch is
coc dangerous and known to (sometimes) crash the target.  

coc Usually a better tool to test open UDP ports is unicornscan, but
coc that doesn't have a switch like -iL. Since you are testing your
coc own devices and you know the community string, you could consider
coc looping through the list of IPs and snmpget a value from the MIB.

coc Cor

coc sent from a mobile device 


coc Origineel bericht
coc Van: Shang Tsung
coc Verzonden:  30-06-2010 13:03:32
coc Onderw.:  Should nmap cause a DoS on cisco routers?

coc Hello,

coc Some days ago, I had the task to discover the SNMP version that our 
coc servers and networking devices use. So I ran nmap using the following 
coc command:

coc nmap -sU -sV -p 161-162 -iL target_file.txt

coc This command was supposed to use UDP to probe ports 161 and 162, which
coc are used for SNMP and SNMP Trap respectively, and return the SNMP 
coc version.

coc This innocent command caused most networking devices to crash and 
coc reboot, causing a Denial of Service attack and bringing down the 
coc network.

coc Now my question is... Should this have happened? Can nmap bring the whole
coc network down from one single machine?

coc Is this a configuration error of the networking devices?

coc This is scary...

coc Shang Tsung










-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dobbins, Roland

On Jul 1, 2010, at 4:28 PM, Thierry Zoller wrote:

 If this is possible you have found a vulnerability.


No - what he's found is a network in which common infrastructure 
self-protection BCPs haven't been deployed, that's all.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Thierry Zoller
Hi Roland,

 No - what he's found is a network in which common infrastructure self-protection
 BCPs haven't been deployed, that's all.

Please pass those standing in line at the Bullshit Bingo counter and
get in first place. How much does your remote viewing capability
cost per day?

If a device crashes when being scanned - it's a vulnerability.

Bye

-- 
http://blog.zoller.lu
Thierry Zoller




Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dobbins, Roland

On Jul 1, 2010, at 5:23 PM, Thierry Zoller wrote:

 If a device crashes when being scanned - it's a vulnerability.

It sounds to me as if what happened was that he ended up driving the CPUs of 
the devices in question to 100%, and they stopped handling control-plane 
traffic and fell over.  There are infrastructure self-protection best current 
practices (BCPs) which can be deployed to defend against 
infrastructure-targeted DoS.

I've only seen this happen a few hundred times or so, so I could be wrong, of 
course.

;

As the original poster posited:

 Is this a configuration error of the networking devices?

The answer is, almost assuredly, Yes.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Florian Weimer
* Roland Dobbins:

 On Jul 1, 2010, at 5:23 PM, Thierry Zoller wrote:

 If a device crashes when being scanned - it's a vulnerability.

 It sounds to me as if what happened was that he ended up driving the
 CPUs of the devices in question to 100%, and they stopped handling
 control-plane traffic and fell over.  There are infrastructure
 self-protection best current practices (BCPs) which can be deployed
 to defend against infrastructure-targeted DoS.

Not necessarily.  Fingerprinting is known to crash tons of devices.
And it's certainly a bug worth fixing.  Many shops write their own
scripts to gather statistics from networking devices, and it's really
annoying when those scripts bring down devices (be it due to brittle
protocol parsers, or memory leaks in the server code).

-- 
Florian Weimer            fwei...@bfk.de
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99



Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dan Kaminsky
And this is why BreakingPoint matters:  Because, oh man, network people let
manufacturers get away with shipping some really fragile code.

If a Windows desktop fell over because you looked at it funny -- and let's be
honest, nmap -sV is quite literally, looking at something funny -- it'd be
an unambiguous remote DoS and we'd laugh at Microsoft if they said we should
deploy best practices to deal with it.  Now, if the networking equipment in
question was a $75 Linksys router, sure.  There's a million ways to knock
those things over, and you get what you pay for.

But genuinely expensive gear?  Some of that budget needs to start going into
resiliency.

On Thu, Jul 1, 2010 at 1:07 PM, Dobbins, Roland rdobb...@arbor.net wrote:


 On Jul 1, 2010, at 5:23 PM, Thierry Zoller wrote:

  If a device crashes when being scanned - it's a vulnerability.

 It sounds to me as if what happened was that he ended up driving the CPUs
 of the devices in question to 100%, and they stopped handling control-plane
 traffic and fell over.  There are infrastructure self-protection best
 current practices (BCPs) which can be deployed to defend against
 infrastructure-targeted DoS.

 I've only seen this happen a few hundred times or so, so I could be wrong,
 of course.

 ;

 As the original poster posited:

  Is this a configuration error of the networking devices?

 The answer is, almost assuredly, Yes.

 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken




Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dario Ciccarone (dciccaro)
 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Shang:

(x-posting to full-disclosure as it looks like those guys over there
are having a bit of a philosophical discussion over this ;))

Hi there. My name is Dario Ciccarone and I work as an Incident
Manager on the Cisco PSIRT - Product Security Incident Response Team.

Your post has certainly caught our attention - indeed, if running an
nmap scan (no matter which specific command-line options were in use)
against a Cisco device makes it crash, we're certainly interested in
knowing more.

In order to follow up on this, we would greatly appreciate it if you
could send us:

* a show tech from one or more of the affected devices - especially
if those are different kinds of devices (switches, routers, firewalls,
etc.)

* if you've been able to collect any crashinfo files - those would
also come in handy

* if you have any console output/syslog messages/traceback
information coming from any of the affected devices

* the specific nmap version you're using

If you could send all of that to ps...@cisco.com (if possible,
encrypted with the PSIRT GPG public key -
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html#roosfassv)
we would look right into it.

Much appreciated,
Dario

Dario Ciccarone dcicc...@cisco.com
Incident Manager - CCIE #10395 
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt

This email may contain confidential and privileged material for the
sole use of the intended recipient. Any review, use, distribution or
disclosure by others is strictly prohibited. If you are not the
intended recipient (or authorized to receive for the recipient),
please contact the sender by reply email and delete all copies of
this message.

For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
 

 -Original Message-
 From: listbou...@securityfocus.com 
 [mailto:listbou...@securityfocus.com] On Behalf Of Shang Tsung
 Sent: Wednesday, June 30, 2010 7:04 AM
 To: pen-t...@securityfocus.com
 Subject: Should nmap cause a DoS on cisco routers?
 
 Hello,
 
 Some days ago, I had the task to discover the SNMP version that our
 servers and networking devices use. So I ran nmap using the
 following command:
 
 nmap -sU -sV -p 161-162 -iL target_file.txt
 
 This command was supposed to use UDP to probe ports 161 and
 162, which are used for SNMP and SNMP Trap respectively, and return
 the SNMP version.
 
 This innocent command caused most networking devices to crash and
 reboot, causing a Denial of Service attack and bringing down the
 network.
 
 Now my question is... Should this have happened? Can nmap bring
 the whole network down from one single machine?
 
 Is this a configuration error of the networking devices?
 
 This is scary...
 
 Shang Tsung
 
 
 
 
 
 
   
 
 

-BEGIN PGP SIGNATURE-
Version: PGP 8.1

iQA/AwUBTCzeYYyVGB+6GuDwEQJDLwCfZnGVaFoSfPFaWDm7D3m8PQsmXxQAnjNO
Te6wTi7vHSzhsLMQLSq0uwql
=V0CQ
-END PGP SIGNATURE-



Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Cor Rosielle
Hi Thierry,

I agree this is a vulnerability. I also want to clear up an apparent
misunderstanding: I don't tell not to scan with -sV, but to be careful
because it is a dangerous switch that is known to sometimes crash
devices. When you are testing a target, you have to know your tools and
this is one of the characteristics of nmap.

When testing, there are often some alternatives to choose from. And if
the objective is to find out if there are any vulnerabilities in a host,
then nmap -sV is one of the tools in the toolbox you can use. But if you
just want to know the version of SNMP running, like Shang did, you just
might want to choose another tool. (I would have used something like:
for HOST in $(cat file.with.hosts); do snmpget -v 1 -c community-string
$HOST sysDescr.0; done
to find out if SNMP v1 was supported).

Regards,
Cor


On Thu, 2010-07-01 at 11:28 +0200, Thierry Zoller wrote:
 Hi Shang,
 
 If this is possible you have found a vulnerability. Any way to
 remotely cause DoS with special or harmless code is per se a
 vulnerability.
 
 Instead of telling somebody not to scan with -sV you are better off
 reporting the vulnerability(ies)
 
 Regards,
 Thierry
 


Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Cor Rosielle
All,

Robert Lee (a good friend of the late Jack Louis, the author of unicornscan)
explained to me that unicornscan does support a function like -iL does
in nmap. Just supply the name of the file with hosts as an argument:
unicornscan filename

It is as easy as that.

Thanks again for explaining, Robert.

Cor

On Thu, 2010-07-01 at 05:41 +, c...@outpost24.com wrote:
 During my training classes I always tell the -sV switch is dangerous and 
 known to (sometimes) crash the target.  
 
 Usually a better tool to test open udp ports is unicornscan, but that doesn't 
 have a switch like -iL. Since you are testing your own devices and you know 
 the community string, you could consider looping through the list of IPs and 
 snmpget a value from the MIB. 
 
 Cor
 
 sent from a mobile device 
...snip...



Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dan Kaminsky
I would not object to posts on Full-Disclosure along the lines of nmap -sV
crashes x device.  Unauthenticated remote permanent DoS's from standard
network scanning tools are certainly legitimate findings, and if this gives
more power to the QA guy in $NETWORKVENDOR, all the better.

On Thu, Jul 1, 2010 at 10:27 PM, Cor Rosielle c...@outpost24.com wrote:

 Hi Thierry,

 I agree this is a vulnerability. I also want to clear up an apparent
 misunderstanding: I don't tell not to scan with -sV, but to be careful
 because it is a dangerous switch that is known to sometimes crash
 devices. When you are testing a target, you have to know your tools and
 this is one of the characteristics of nmap.

 When testing, there are often some alternatives to choose from. And if
 the objective is to find out if there are any vulnerabilities in a host,
 then nmap -sV is one of the tools in the toolbox you can use. But if you
 just want to know the version of SNMP running, like Shang did, you just
 might want to choose another tool. (I would have used something like:
 for HOST in $(cat file.with.hosts); do snmpget -v 1 -c community-string
 $HOST sysDescr.0; done
 to find out if SNMP v1 was supported).

 Regards,
 Cor



Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Benji
That was certainly a useful email.

On Thu, Jul 1, 2010 at 9:42 PM, Dan Kaminsky d...@doxpara.com wrote:
 I would not object to posts on Full-Disclosure along the lines of nmap -sV
 crashes x device.  Unauthenticated remote permanent DoS's from standard
 network scanning tools are certainly legitimate findings, and if this gives
 more power to the QA guy in $NETWORKVENDOR, all the better.

 On Thu, Jul 1, 2010 at 10:27 PM, Cor Rosielle c...@outpost24.com wrote:

 Hi Thierry,

 I agree this is a vulnerability. I also want to clear up an apparent
 misunderstanding: I don't tell not to scan with -sV, but to be careful
 because it is a dangerous switch that is known to sometimes crash
 devices. When you are testing a target, you have to know your tools and
 this is one of the characteristics of nmap.

 When testing, there are often some alternatives to choose from. And if
 the objective is to find out if there are any vulnerabilities in a host,
 then nmap -sV is one of the tools in the toolbox you can use. But if you
 just want to know the version of SNMP running, like Shang did, you just
 might want to choose another tool. (I would have used something like:
 for HOST in $(cat file.with.hosts); do snmpget -v 1 -c community-string
 $HOST sysDescr.0; done
 to find out if SNMP v1 was supported).

 Regards,
 Cor


 On Thu, 2010-07-01 at 11:28 +0200, Thierry Zoller wrote:
  Hi Shang,
 
  If  this  is  possible  you  have  found  a  vulnerability. Any way to
  remotely  cause  DoS  with  special  or  harmless  code  is  per  se a
  vulnerability.
 
  Instead  of  telling  somebody  to not scan with -sV you are better of
  reporting the vulnerability (ies)
 
  Regards,
  Thierry
 
  coc During my training classes I always tell the -sV switch is
  coc dangerous and known to (sometimes) crash the target.
 
  coc Usually a better tool to test open udp ports is unicornscan, but
  coc that doesn't have a switch like -iL. Since you are testing your
  coc own devices and you know the community string, you could insider
  coc to loop through the list of IP's and snmpget a value from the MIB.
 
  coc Cor
 
  coc sent from a mobile device
 
 
  coc Origineel bericht
  coc Van: Shang Tsung
  coc Verzonden:  30-06-2010 13:03:32
  coc Onderw.:  Should nmap cause a DoS on cisco routers?
 
  coc Hello,
 
  coc Some days ago, I had the task to discover the SNMP version that our
  coc servers and networking devices use. So I ran nmap using the
  coc following command:
 
  coc nmap -sU -sV -p 161-162 -iL target_file.txt
 
  coc This command was supposed to use UDP to probe ports 161 and 162,
  coc which are used for SNMP and SNMP Trap respectively, and return the
  coc SNMP version.
 
  coc This innocent command caused most networking devices to crash and
  coc reboot, causing a Denial of Service attack and bringing down the
  coc network.
 
  coc Now my question is.. Should this have happened? Can nmap bring the
  coc whole network down from one single machine?
 
  coc Is this a configuration error of the networking devices?
 
  coc This is scary...
 
  coc Shang Tsung
 
  coc This list is sponsored by: Information Assurance Certification
  Review Board
 
  coc Prove to peers and potential employers without a doubt that you
  coc can actually do a proper penetration test. IACRB CPT and CEPT
  coc certs require a full practical examination in order to become
  certified.
 
  coc http://www.iacertification.org
  coc
  
 
 
  coc ___
  coc Full-Disclosure - We believe in it.
  coc Charter: http://lists.grok.org.uk/full-disclosure-charter.html
  coc Hosted and sponsored by Secunia - http://secunia.com/
 



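A paced version of the snmpget inventory loop Cor describes above, added here as an example rather than his original one-liner: it asks each device, one unretried request at a time, whether it answers SNMP v1 and v2c. It assumes net-snmp's snmpget is installed, the host list has one address per line, and the read-only community string is supplied in SNMP_COMMUNITY.

```shell
#!/bin/sh
# Added example (not Cor's original one-liner): ask each device in an
# inventory which SNMP versions it answers, using net-snmp's snmpget
# with one paced, unretried request per version instead of nmap's -sV
# fingerprinting probes.
# Assumptions: net-snmp is installed; the host list has one address per
# line; the read-only community string is in SNMP_COMMUNITY.

set -u

# classify RC OUTPUT: reduce snmpget's exit status and output to one word.
# net-snmp prints "Timeout: No Response from <host>." and exits non-zero
# when nothing answers; any other failure (wrong community, unsupported
# version, unknown host) is reported as an error and never retried.
classify() {
    rc="$1"
    out="$2"
    if [ "$rc" -eq 0 ]; then
        echo supported
    elif printf '%s' "$out" | grep -qi 'timeout'; then
        echo no-response
    else
        echo error
    fi
}

# probe_version HOST VERSION: one request only (-r 0 disables retries),
# two-second timeout (-t 2), value only (-Oqv). The OID is sysDescr.0 in
# numeric form so the script does not depend on MIB files being installed.
probe_version() {
    host="$1"
    version="$2"
    out=$(snmpget -v "$version" -c "${SNMP_COMMUNITY:-public}" -r 0 -t 2 \
                  -Oqv "$host" .1.3.6.1.2.1.1.1.0 2>&1)
    rc=$?
    printf '%s v%s %s\n' "$host" "$version" "$(classify "$rc" "$out")"
}

# probe_hosts FILE: walk the inventory sequentially and pause between
# hosts, so each device's management plane sees single queries rather
# than a burst of probes.
probe_hosts() {
    while read -r host; do
        [ -z "$host" ] && continue
        for version in 1 2c; do
            probe_version "$host" "$version"
        done
        sleep "${PAUSE_SECONDS:-1}"
    done < "$1"
}

# Usage: SNMP_COMMUNITY=... ./snmp-versions.sh hosts.txt
# Nothing runs when no file is given, so the functions can be sourced.
if [ -n "${1:-}" ]; then
    probe_hosts "$1"
fi
```

Each output line reads "host vN supported|no-response|error", so a device that answers v1 but not v2c shows up directly in the inventory.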


Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread AMILABS
Sounds like a typical FSM type bug that can be exploited. 

I worked on one back in 03.

http://amilabs.com/Cisco%20Vulnerability%20in%20Check.htm



-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Florian
Weimer
Sent: Thursday, July 01, 2010 12:13 PM
To: Dobbins, Roland
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

* Roland Dobbins:

 On Jul 1, 2010, at 5:23 PM, Thierry Zoller wrote:

 If a device crashes when being scanned - it's a vulnerability.

 It sounds to me as if what happened was that he ended up driving the
 CPUs of the devices in question to 100%, and they stopped handling
 control-plane traffic and fell over.  There are infrastructure
 self-protection best current practices (BCPs) which can be deployed
 to defend against infrastructure-targeted DoS.

Not necessarily.  Fingerprinting is known to crash tons of devices.
And it's certainly a bug worth fixing.  Many shops write their own
scripts to gather statistics from networking devices, and it's really
annoying when those scripts bring down devices (be it due to brittle
protocol parsers, or memory leaks in the server code).

-- 
Florian Weimer            fwei...@bfk.de
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100          tel: +49-721-96201-1
D-76133 Karlsruhe         fax: +49-721-96201-99



Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dobbins, Roland

On Jul 1, 2010, at 11:12 PM, Florian Weimer wrote:

 And it's certainly a bug worth fixing. 

I doubt it's a 'bug' which can be 'fixed', just the same as sending enough 
legitimate HTTP requests to a Web server to bring it to its knees isn't a 'bug' 
which can be 'fixed', but rather a DoS which must be mitigated via a variety of 
mechanisms.  It would be quite helpful if the original poster would detail the 
models/types/versions of the network devices in question, and possibly provide 
a sample query packet.

Part of the general issue here is the large disconnect between the traditional 
security research community and the networking community; with a few notable 
exceptions, there isn't a lot of mutual discussion and understanding, and 
certainly no understanding of network infrastructure device architectures, best 
current practices (BCPs), and so forth.

One of the most fundamental BCPs is that one must make use of various network 
infrastructure self-protection mechanisms to keep undesirable traffic away from 
the control and management planes of said network infrastructure.  Here's a 
.pdf presentation which discusses network infrastructure self-protection:

http://files.me.com/roland.dobbins/prguob

Firing a bunch of SNMP queries at network infrastructure devices and causing 
network disruption as a result isn't anything new, it's a well-understood 
phenomenon with a well-understood - in the network operational community, at 
least - remedy via making use of the appropriate self-protection mechanisms 
built into most modern network infrastructure devices.  

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dan Kaminsky
Permanent DoS's are unacceptable even from intentionally malicious  
traffic, let alone a few nmap flags. They're unacceptable to us,  
they're unacceptable to Microsoft (see: MSRC bug bar), and even Cisco  
PSIRT has shown up on thread desiring to clean things up.

It's funny you bring up SNMP. Do you remember what happened when that  
protocol got fuzzed by the PROTOS guys in 2002?  Every network device  
on the planet pretty much exploded. I will grant you that network  
isolation is indeed best practice, but broken code is not something to  
apologize for or mitigate against.  It's something to apply real  
pressure against.  If we can't get pissed, how is that QA guy supposed  
to block shipment?

(That being said, you'll note 'it's code you just shouldn't run' is  
wrong. First thing's first, the network has to function. We route  
packets with the infrastructure we have, etc.  But products that can't  
survive nmap are likely going to have real problems with actual  
exploit tools, and RCE in routers is not something to risk, 'best  
practice mitigations' or no.)

On Jul 1, 2010, at 7:16 PM, Dobbins, Roland rdobb...@arbor.net  
wrote:


 On Jul 1, 2010, at 11:12 PM, Florian Weimer wrote:

 And it's certainly a bug worth fixing.

 I doubt it's a 'bug' which can be 'fixed', just the same as sending  
 enough legitimate HTTP requests to a Web server to bring it to its  
 knees isn't a 'bug' which can be 'fixed', but rather a DoS which  
 must be mitigated via a variety of mechanisms.  It would be quite  
 helpful if the original poster would detail the models/types/ 
 versions of the network devices in question, and possibly provide a  
 sample query packet.

 Part of the general issue here is the large disconnect between the  
 traditional security research community and the networking  
 community; with a few notable exceptions, there isn't a lot of  
 mutual discussion and understanding, and certainly no understanding  
 of network infrastructure device architectures, best current  
 practices (BCPs), and so forth.

 One of the most fundamental BCPs is that one must make use of  
 various network infrastructure self-protection mechanisms to keep  
 undesirable traffic away from the control and management planes of  
 said network infrastructure.  Here's a .pdf presentation which  
 discusses network infrastructure self-protection:

 http://files.me.com/roland.dobbins/prguob

 Firing a bunch of SNMP queries at network infrastructure devices and  
 causing network disruption as a result isn't anything new, it's a  
 well-understood phenomenon with a well-understood - in the network  
 operational community, at least - remedy via making use of the  
 appropriate self-protection mechanisms built into most modern  
 network infrastructure devices.

 --- 
 
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dobbins, Roland

On Jul 2, 2010, at 7:01 AM, Dan Kaminsky wrote:

 Permanent DoS's are unacceptable even from intentionally malicious traffic, 
 let alone a few nmap flags. They're unacceptable to us, they're unacceptable 
 to Microsoft (see: MSRC bug bar), and even Cisco PSIRT has shown up on thread 
 desiring to clean things up.

Again, causing the RP CPU to go to 100% due to punted management-plane traffic 
isn't a new phenomenon - it's well-understood amongst network operators, as are 
BCPs which mitigate the risk of such an occurrence.  

Of course PSIRT will ask for details, as they should; my point is that there's 
likely nothing new to see here, and that there are mechanisms available to 
ameliorate either deliberate or inadvertent attacks of this nature.

Even if there is something new, here - which I doubt - it's important that 
folks understand that there are BCPs they can implement to protect their 
network infrastructure devices *right now*, rather than sitting about waiting 
for code to drop from the sky, or whatever.

The original poster asked if this were a configuration issue - and the answer 
is, yes, there are things you can do with your configuration to harden your 
network infrastructure against such things.

 It's funny you bring up SNMP. Do you remember what happened when that 
 protocol got fuzzed by the PROTOS guys in 2002?

Yes, and the PROTOS vulnerabilities were by and large real vulnerabilities - as 
opposed to merely saturating the RP of a given network device with 
management-plane traffic.  Some of them even had the potential for remote code 
execution.

And many of them could be mitigated via BCPs until such time as fixed code 
could be deployed, as well.

 I will grant you that network isolation is indeed best practice, but broken 
 code is not something to apologize for

The issue as described doesn't sound like broken code, although that's 
certainly possible (again, would be helpful if the OP would provide more 
details, at least to PSIRT). 

And I'm not 'apologizing' for anything - rather, I'm pointing out that there 
are ways to defend one's network infrastructure against this sort of thing, 
right now, today, utilizing existing features and functionality built into most 
modern network infrastructure equipment.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Lee
Has anyone been able to duplicate the OP's results?  I've been running
nmap on lab routers and nothin's fallen over yet...


 The issue as described doesn't sound like broken code,

A while back, we had a few routers that weren't on current software.
They had a tendency to reboot when the security office did their
inventory scan...  No more problems after upgrading the code.

 although that's
 certainly possible (again, would be helpful if the OP would provide more
 details, at least to PSIRT).

+1

 ... I'm pointing out that there
 are ways to defend one's network infrastructure against this sort of thing,
 right now, today, utilizing existing features and functionality built into
 most modern network infrastructure equipment.

Right.  But the OP's task was to "discover the SNMP version that our
servers and networking devices use", so presumably the scan came from
a network that had full access to the routers.  That's a bit harder to
defend against.

Regards,
Lee




On 7/1/10, Dobbins, Roland rdobb...@arbor.net wrote:

 On Jul 2, 2010, at 7:01 AM, Dan Kaminsky wrote:

 Permanent DoS's are unacceptable even from intentionally malicious
 traffic, let alone a few nmap flags. They're unacceptable to us, they're
 unacceptable to Microsoft (see: MSRC bug bar), and even Cisco PSIRT has
 shown up on thread desiring to clean things up.

 Again, causing the RP CPU to go to 100% due to punted management-plane
 traffic isn't a new phenomenon - it's well-understood amongst network
 operators, as are BCPs which mitigate the risk of such an occurrence.

 Of course PSIRT will ask for details, as they should; my point is that
 there's likely nothing new to see here, and that there are mechanisms
 available to ameliorate either deliberate or inadvertent attacks of this
 nature.

 Even if there is something new, here - which I doubt - it's important that
 folks understand that there are BCPs they can implement to protect their
 network infrastructure devices *right now*, rather than sitting about
 waiting for code to drop from the sky, or whatever.

 The original poster asked if this were a configuration issue - and the
 answer is, yes, there are things you can do with your configuration to
 harden your network infrastructure against such things.

 It's funny you bring up SNMP. Do you remember what happened when that
 protocol got fuzzed by the PROTOS guys in 2002?

 Yes, and the PROTOS vulnerabilities were by and large real vulnerabilities -
 as opposed to merely saturating the RP of a given network device with
 management-plane traffic.  Some of them even had the potential for remote
 code execution.

 And many of them could be mitigated via BCPs until such time as fixed code
 could be deployed, as well.

 I will grant you that network isolation is indeed best practice, but
 broken code is not something to apologize for

 The issue as described doesn't sound like broken code, although that's
 certainly possible (again, would be helpful if the OP would provide more
 details, at least to PSIRT).

 And I'm not 'apologizing' for anything - rather, I'm pointing out that there
 are ways to defend one's network infrastructure against this sort of thing,
 right now, today, utilizing existing features and functionality built into
 most modern network infrastructure equipment.

 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

 Injustice is relatively easy to bear; what stings is justice.

 -- H.L. Mencken





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dobbins, Roland

On Jul 2, 2010, at 8:13 AM, Lee wrote:

  so presumably the scan came from a network that had full access to the 
 routers.

One question is whether or not the network in question *should* have full 
access to the management plane of the routers.

;

  That's a bit harder to defend against.


Sure, but also note that CoPP, HWRL, and the like can help, depending upon the 
platform.

Don't get me wrong; this should be investigated further, and PSIRT are on it.  
My point is that folks don't need to go into panic mode, but should educate 
themselves as to how to defend their network infrastructure against attack and 
then deploy the relevant BCPs.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dan Kaminsky
Agreed completely on don't panic.



On Jul 1, 2010, at 9:30 PM, Dobbins, Roland rdobb...@arbor.net  
wrote:


 On Jul 2, 2010, at 8:13 AM, Lee wrote:

 so presumably the scan came from a network that had full access to  
 the routers.

 One question is whether or not the network in question *should* have  
 full access to the management plane of the routers.

 ;

 That's a bit harder to defend against.


 Sure, but also note that CoPP, HWRL, and the like can help,  
 depending upon the platform.

 Don't get me wrong; this should be investigated further, and PSIRT  
 are on it.  My point is that folks don't need to go into panic mode,  
 but should educate themselves as to how to defend their network  
 infrastructure against attack and then deploy the relevant BCPs.

 --- 
 
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken





Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-06-30 Thread c...@outpost24.com
During my training classes I always tell the -sV switch is dangerous and known 
to (sometimes) crash the target.  

Usually a better tool to test open udp ports is unicornscan, but that doesn't 
have a switch like -iL. Since you are testing your own devices and you know the 
community string, you could consider looping through the list of IP's and 
snmpget a value from the MIB. 

Cor

sent from a mobile device 


Original message
From: Shang Tsung
Sent:  30-06-2010 13:03:32
Subject:  Should nmap cause a DoS on cisco routers?

Hello,

Some days ago, I had the task to discover the SNMP version that our 
servers and networking devices use. So I ran nmap using the following 
command:

nmap -sU -sV -p 161-162 -iL target_file.txt

This command was supposed to use UDP to probe ports 161 and 162, which 
are used for SNMP and SNMP Trap respectively, and return the SNMP 
version.

This innocent command caused most networking devices to crash and 
reboot, causing a Denial of Service attack and bringing down the 
network.

Now my question is.. Should this have happened? Can nmap bring the whole 
network down from one single machine?

Is this a configuration error of the networking devices?

This is scary...

Shang Tsung
