OPS: SECURITY new packet of death
Good morning America (and good day or night to the rest of the world), I hope you got a good night's sleep. There is a new packet of death circulating. Sending a SYN packet with the source and destination address & port set to the same value causes some systems to lock up. One such system seems to include several versions of Cisco IOS. Details on Bugtraq. Have a nice day.

-- Sean Donelan, Data Research Associates, Inc, St. Louis, MO
Affiliation given for identification not representation
land.c is this program

Henry R. Linneweh

Sean Donelan wrote:
> Good morning America (and good day or night to the rest of the world), I hope you got a good night's sleep.
> There is a new packet of death circulating. Sending a SYN packet with the source and destination address & port set to the same value causes some systems to lock up. One such system seems to include several versions of Cisco IOS.
> Details on Bugtraq.
> Have a nice day.
> -- Sean Donelan, Data Research Associates, Inc, St. Louis, MO
> Affiliation given for identification not representation
> land.c is this program
I tried it against a 7505 running 11.2(9)P and a 2511 running 11.2(7a), with no obvious bad effects. The announcement does not indicate which IOS versions are vulnerable; I'd love to know.
Snippet of a message on bugtraq dated today..

Ascend Pipeline 50 rev 5.0Ap13              NOT vulnerable
Cisco IOS 10.3(7)                           IS vulnerable
Cisco 2511 IOS ???                          IS vulnerable
Cisco 753 IOS ???                           IS vulnerable
LaserJet Printer                            NOT vulnerable
Livingston Office Router (ISDN)             IS vulnerable
Livingston PM* ComOS 3.5b17 + 3.7.2         NOT vulnerable
NCD X Terminals, NCDWare v3.2.1             IS vulnerable

Off of another message..

I just tested land.c on a cisco 753 router running version 4.0 of the os. It DID freeze the router when I hit it on port 23. The router wasn't able to reach the internal lan or the wan, and some lights on the front of the router were frozen also. I couldn't ping or telnet to the router; the only way to restart it is a hard reboot.

--------------------------------------------------------------------------
James D. Butt 'J.D.'                  Voice 319-557-8463
Network Engineer                      Fax   319-557-9771
Network Operations Center             Pager 319-557-6347
MidWest Communications, Inc.          noc@mwci.net
241 Main St.                          jbutt@mwci.net
Dubuque, IA 52001
--------------------------------------------------------------------------
On Fri, Nov 21, 1997 at 09:41:33AM -0600, Charley Kline wrote:
> > land.c is this program
>
> I tried it against a 7505 running 11.2(9)P and a 2511 running 11.2(7a), with no obvious bad effects. The announcement does not indicate which IOS versions are vulnerable; I'd love to know.
>
> -- Charley Kline kline@uiuc.edu UIUC Network Architect n stuff

Where do we get a copy of that to try out? I want to "challenge" some of our machines and routers.

--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly to FULL DS-3 Service
                             | NEW! K56Flex support on ALL modems
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost
On Fri, 21 Nov 1997, Karl Denninger wrote:
> On Fri, Nov 21, 1997 at 09:41:33AM -0600, Charley Kline wrote:
> > > land.c is this program
> >
> > I tried it against a 7505 running 11.2(9)P and a 2511 running 11.2(7a), with no obvious bad effects. The announcement does not indicate which IOS versions are vulnerable; I'd love to know.
> >
> > -- Charley Kline kline@uiuc.edu UIUC Network Architect n stuff
>
> Where do we get a copy of that to try out?
> I want to "challenge" some of our machines and routers.

Here are the results of my humble IOS testing of the land.c denial of service 'sploit code.

-blast

IOS 11.2(9) on a 25xx

tcp0: I LISTEN 10.10.51.80:23 10.10.51.80:23 seq 3868 SYN WIN 2048
tcp0: O LISTEN 10.10.51.80:23 10.10.51.80:23 seq 3988480078 OPTS 4 ACK 3869 SYN WIN 4288
tcp0: I SYNRCVD 10.10.51.80:23 10.10.51.80:23 seq 3988480078 OPTS 4 ACK 3869 SYN WIN 4288
tcp0: O SYNRCVD 10.10.51.80:23 10.10.51.80:23 seq 3869 RST WIN 4288
tcp0: I SYNRCVD 10.10.51.80:23 10.10.51.80:23 seq 3869 RST WIN 4288

----------------------

IOS 11.1(12) on a 25xx
IOS 11.0(17) on 1005

The interesting thing about this test was that it would freeze for a little while (until the socket timed out), then I was able to telnet to the vty again. The router had to RST me closed before it did another TCP handshake for the vty. It seems to have no problems forwarding L3 traffic, but my testing was not very complete. I was only looking for KABOOMs.

tcp0: I LISTEN 10.10.51.16:23 10.10.51.16:23 seq 3868 SYN WIN 2048
tcp0: O LISTEN 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: O SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: W SYNRCVD 10.10.51.16:23 10.10.51.16:23 estabBLOCK
tcp0: R SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: O SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: R SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: O SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: R SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: O SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: T CLOSED 10.10.51.16:23 10.10.51.16:23 early close

----------------------------------------------------------

IOS 10.3(10) on a 25xx goes KABOOM
IOS 10.2(latest) on 4000 goes KABOOM

It appears that 11.2 is your best bet, and if you are pre-11 you've got big problems.

-blast

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\ Tim Keanini        | "The limits of my language,                    /
/                    |  are the limits of my world."                  \
\ blast@broder.com   |                        --Ludwig Wittgenstein   /
\ +================================================/
| Key fingerprint = 7B 68 88 41 A8 74 AB EC F0 37 98 4C 37 F7 40 D6  |
/ PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html         \
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
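An added example that is not part of blast's message: a parser for the 'debug ip tcp transactions' lines above, run over the 11.1(12) trace he posted, that counts how many times the router retransmitted its own SYN-ACK and answered itself with a RST before the socket was closed. The event letters are read as I = input, O = output, R = retransmission, and W/T as wake-up and timer events; that reading is inferred from the trace itself, not taken from Cisco documentation.

```python
"""Summarize what a land.c packet does to a router TCP socket, from an IOS
'debug ip tcp transactions' trace. Added example; the trace lines are the
11.1(12) trace from blast's message. Event-letter meanings are an inference."""
import re
from collections import Counter

TRACE = re.compile(
    r"^tcp\d+: (?P<ev>[A-Z]) (?P<state>\S+) (?P<local>\S+) (?P<remote>\S+)(?: (?P<detail>.*))?$"
)

# Copied from the 11.1(12) trace in the thread (tcp0: <event> <state> <local> <remote> <detail>).
SAMPLE_TRACE = """\
tcp0: I LISTEN 10.10.51.16:23 10.10.51.16:23 seq 3868 SYN WIN 2048
tcp0: O LISTEN 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: O SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: W SYNRCVD 10.10.51.16:23 10.10.51.16:23 estabBLOCK
tcp0: R SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: O SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: R SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: O SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: R SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093 OPTS 4 ACK 3869 SYN WIN 2144
tcp0: O SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869 RST WIN 2144
tcp0: T CLOSED 10.10.51.16:23 10.10.51.16:23 early close
""".splitlines()


def parse_line(line: str):
    """One trace line -> dict with event letter, TCP state, endpoints and the TCP flags named in it."""
    m = TRACE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["detail"] = ev["detail"] or ""
    ev["flags"] = {f for f in ("SYN", "ACK", "RST", "FIN") if re.search(rf"\b{f}\b", ev["detail"])}
    return ev


def analyze(lines):
    """Per (local, remote) socket: whether it talks to itself, the state sequence,
    SYN-ACK retransmissions (R events carrying SYN+ACK), RSTs sent, and whether it closed."""
    report = {}
    for ev in filter(None, map(parse_line, lines)):
        key = (ev["local"], ev["remote"])
        r = report.setdefault(key, {
            "self_connected": ev["local"] == ev["remote"],
            "events": Counter(), "states": [],
            "synack_retransmits": 0, "rst_sent": 0, "closed": False,
        })
        r["events"][ev["ev"]] += 1
        if not r["states"] or r["states"][-1] != ev["state"]:
            r["states"].append(ev["state"])
        if ev["ev"] == "R" and {"SYN", "ACK"} <= ev["flags"]:
            r["synack_retransmits"] += 1
        if ev["ev"] == "O" and "RST" in ev["flags"]:
            r["rst_sent"] += 1
        if ev["state"] == "CLOSED":
            r["closed"] = True
    return report


def land_victims(report):
    """Sockets that sat in SYNRCVD talking to themselves: the loop a land.c packet produces."""
    return [k for k, r in report.items() if r["self_connected"] and "SYNRCVD" in r["states"]]
```

On the trace above the vty socket retransmits its SYN-ACK to itself three times and answers its own SYN-ACK with a RST four times before the 'early close'; that retransmission cycle is the "freeze for a little while" blast describes, and a socket that never reaches CLOSED would be the case to look for on the older releases.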
Charley Kline wrote:
> > land.c is this program
>
> I tried it against a 7505 running 11.2(9)P and a 2511 running 11.2(7a), with no obvious bad effects. The announcement does not indicate which IOS versions are vulnerable; I'd love to know.
>
> -- Charley Kline kline@uiuc.edu UIUC Network Architect n stuff

I can confirm this, yet customers on 10.0 have had problems. I would like to know whether Cisco will be letting all those people with 10.0 have free upgrades to 11.0 in view of the potential seriousness of this bug.

--
Leigh Porter - Wisper Bandwidth Plc - http://www.wisper.net
GeekCode - http://saratoga.wisper.net:9999/~leigh/
Set UR PC 3 - http://www.linux.org
The obvious fix is to block at your firewall, gw, and/or router any packet with a source address/port that matches the destination address/port. Several Cisco IOS filters have passed through the BugTraq mailing list to solve this problem. All of these filters can be located at: http://www.geek-girl.com/bugtraq

Regards,
Nathan Bates

On 21-Nov-97 Leigh Porter wrote:
> Charley Kline wrote:
> > > land.c is this program
> >
> > I tried it against a 7505 running 11.2(9)P and a 2511 running 11.2(7a), with no obvious bad effects. The announcement does not indicate which IOS versions are vulnerable; I'd love to know.
> >
> > -- Charley Kline kline@uiuc.edu UIUC Network Architect n stuff
>
> I can confirm this, yet customers on 10.0 have had problems.
> I would like to know whether Cisco will be letting all those people with 10.0 have free upgrades to 11.0 in view of the potential seriousness of this bug.
>
> --
> Leigh Porter - Wisper Bandwidth Plc - http://www.wisper.net
> GeekCode - http://saratoga.wisper.net:9999/~leigh/
> Set UR PC 3 - http://www.linux.org

Nathan Brock Bates <nbates@mci.net>
internetMCI iNOC <hostmaster@mci.net>
-------------------------------------------------------------------------
The opinions expressed herein do not express those of internetMCI or MCI.
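The packet Sean describes at the top of the thread, and the filter condition Nathan gives just above, as an added example (this is not land.c and not one of the BugTraq IOS filters): it builds a raw IPv4/TCP SYN with correct IP and TCP checksums, decodes it again, and applies the source-equals-destination test the way an ingress filter would. The address 10.10.51.80 and the ports are constructed sample values; the packet carries no IP or TCP options.

```python
"""Build, parse and classify a LAND packet: a TCP SYN whose IPv4 source and
destination address, and source and destination port, are identical.

Added example, not land.c and not one of the BugTraq IOS filters. Addresses and
ports are constructed sample values; plain IPv4 + TCP headers, no options."""
import socket
import struct

TCP_SYN = 0x02


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_syn(src: str, sport: int, dst: str, dport: int, seq: int = 3868) -> bytes:
    """Raw IPv4/TCP SYN with valid IP and TCP checksums (TCP checksum covers the pseudo-header)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    # sport, dport, seq, ack, data offset (5 words << 4), flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TCP_SYN, 2048, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # ver/ihl, tos, total length, id, flags/fragment, ttl, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0xF1C, 0, 64,
                     socket.IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def build_land(addr: str, port: int) -> bytes:
    """The land.c packet shape: source == destination for both address and port."""
    return build_syn(addr, port, addr, port)


def parse(packet: bytes) -> dict:
    """Decode the IPv4 and TCP headers and verify both checksums."""
    ver_ihl, _, total_len, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != socket.IPPROTO_TCP:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = packet[ihl:total_len]
    sport, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = s + d + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d),
        "sport": sport, "dport": dport, "flags": flags,
        # a header whose checksum field is correct sums (checksum included) to zero
        "ip_csum_ok": checksum(packet[:ihl]) == 0,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


def is_land(p: dict) -> bool:
    """The filter condition from the thread: source address/port equals destination address/port.
    Deliberately not limited to SYN, since the thread says to block any such packet."""
    return p["src"] == p["dst"] and p["sport"] == p["dport"]


def filter_packets(packets):
    """Apply the condition at an ingress point: return (kept, dropped)."""
    kept, dropped = [], []
    for pkt in packets:
        (dropped if is_land(parse(pkt)) else kept).append(pkt)
    return kept, dropped
```

Because the source address is the victim's own, the packet is also a spoofed packet from the router's point of view when it arrives on an outside interface; an anti-spoofing filter that rejects your own address space as a source on that interface catches it as well, and the generic source-equals-destination rule additionally protects hosts behind the router, which a per-address filter for the router's own interfaces does not.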
> > land.c is this program
>
> I tried it against a 7505 running 11.2(9)P and a 2511 running 11.2(7a), with no obvious bad effects. The announcement does not indicate which IOS versions are vulnerable; I'd love to know.

11.1(1) is certainly vulnerable, though in a far more restricted fashion than most affected TCP/IP stacks are. I suspect that you may have been careless in your porting of the exploit...

To answer Mr. Denninger's query, I don't really feel that releasing the portable version of the exploit on a list with as many unsavory characters as NANOG is really a great plan. In the grand scheme of things it almost certainly doesn't matter, but I'll nevertheless avoid it.

--jhawk
Where do I get this?

On Fri, 21 Nov 1997, Charley Kline wrote:
> > land.c is this program
>
> I tried it against a 7505 running 11.2(9)P and a 2511 running 11.2(7a), with no obvious bad effects. The announcement does not indicate which IOS versions are vulnerable; I'd love to know.
>
> -- Charley Kline kline@uiuc.edu UIUC Network Architect n stuff
Search bugtraq - look at www.geek-girls.com/bugtraq and look for relevant topics. I'm not going to post the URL of the source here...

Avi

> Where do I get this?
>
> On Fri, 21 Nov 1997, Charley Kline wrote:
> > > land.c is this program
> >
> > I tried it against a 7505 running 11.2(9)P and a 2511 running 11.2(7a), with no obvious bad effects. The announcement does not indicate which IOS versions are vulnerable; I'd love to know.
> >
> > -- Charley Kline kline@uiuc.edu UIUC Network Architect n stuff
On Fri, 21 Nov 1997, Sean Donelan wrote:
> There is a new packet of death circulating. Sending a SYN packet with the source and destination address & port set to the same value causes some systems to lock up. One such system seems to include several versions of Cisco IOS.
> Details on Bugtraq.

Sorry, I am still new on this mailing list. What do you mean by Bugtraq?

Thanks in advance,
Muljawan

<*************************************************************************>
Muljawan Hendrianto
NOC, PT. UniNET Media Sakti
Tel. : +62 21 5702074
Fax. : +62 21 5704021
muljawan@uninet.net.id ; http://www.uninet.net.id/~muljawan
<*************************************************************************>
participants (12): Alex Rubenstein, Avi Freedman, blast, Henry Linneweh, James D. Butt, John Hawkinson, Karl Denninger, kline@uiuc.edu, Leigh Porter, muljawan, Nathan Bates, Sean Donelan