> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of Andy Davis
> Sent: Wednesday, October 10, 2007 7:54 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] Cisco IOS LPD Remote Stack Overflow
> Importance: High
>
> ----------------------------------------------------------------------
> IRM Security Advisory 024
>
> Cisco IOS LPD Remote Stack Overflow
>
> Vulnerability Type / Importance: Remote Code Execution / High
>
> Problem Discovered: 30 July 2007
> Vendor Contacted: 30 July 2007
> Advisory Published: 10 October 2007
> ----------------------------------------------------------------------
>
> Abstract:
>
> The LPD daemon included in Cisco IOS is vulnerable to a remote stack
> overflow
>
> Description:
>
> The Line Printer Daemon, which provides print server functionality in
> Cisco IOS is vulnerable to a software flaw whereby the length of the
> hostname of the router is not checked before being copied into a fixed
> size memory buffer. This results in IOS crashing if the
> hostname is too
> long, but could potentially result is arbitrary code
> execution. However,
> the attacker must be able to control the hostname of the router, which
> could be achieved via SNMP.
>
> Technical Details:
>
> When the LPD daemon is configured in Cisco IOS it listens on
> the default
> LPD TCP port, 515. If connected to with a source TCP port of anything
> other than 515 the following error is displayed:
>
> $ telnet 172.30.3.101 515
> Trying 172.30.3.101...
> Connected to 172.30.3.101 (172.30.3.101).
> Escape character is '^]'.
> hostname_of_the_router: /usr/lib/lpd: Malformed from address
>
> If the hostname is 99 characters or longer then the overflow occurs as
> the result of a call to the sprintf() function. Although this is
> technically a stack overflow, because IOS allocates heap memory for
> process stacks, the memory overwritten is actually heap.
> However, as the
> heap memory is acting as a stack, the return address, stored
> before the
> start of the character buffer, can be overwritten by the hostname when
> the overflow occurs, but for some reason the crash doesn't occur until
> the buffer intrudes into the "red zone" at the boundary of the heap
> chunk. Therefore, when the crash happens and the router reboots, the
> memory dump indicates heap corruption.
>
> It must be reiterated that control of the hostname is required to
> exploit this vulnerability. If SNMP is running on the device and the
> "read/write" community string is known (this is often set to
> the default
> value "private") then the hostname can be set as follows:
>
> $ snmpset -Os -c private -v 1 10.0.0.1 system.sysName.0 s
> long_hostname
>
> Vendor & Patch Information:
>
> Cisco has released an update to resolve this issue; this can be
> downloaded from:
>
>
>
> Workaround:
>
> Cisco has provided the following workaround to mitigate this
> vulnerability:
>
>
>
> Tested/Affected Versions:
>
> IRM identified this vulnerability in IOS version 12.3(22)
>
> Credits:
>
> Research & Advisory: Andy Davis
>
> Disclaimer:
>
> All information in this advisory is provided on an 'as is'
> basis in the
> hope that it will be useful. Information Risk Management Plc is not
> responsible for any risks or occurrences caused by the application of
> this information.
>
> www.irmplc.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> Hosted and sponsored by Secunia -
>
