An attacker on either the inside or the outside interface of a PIX Firewall configured for AAA authentication against a TACACS+ server can cause the PIX to crash and reload by flooding it with authentication requests.
Credit:
The information has been provided by Claudiu Calomfirescu.
Vulnerable systems:
PIX Firewall 515, 520
PIX Firewall OS 5.1.4
PIX Firewall OS 5.3.1
Reproduction:
To reproduce the vulnerability, go through the following steps:
1) Configure the PIX Firewall (version 5.1.4) for AAA authentication against a TACACS+ server. In the configuration below, grup is the server-group tag and cheia is the shared key; the first two aaa-server lines are the default protocol definitions:
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server grup protocol tacacs+
aaa-server grup (inside) host 10.10.10.20 cheia timeout 5
aaa authentication include http outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 grup
aaa authorization include http outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 grup
aaa accounting include http outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 grup
2) From an inside host, generate HTTP requests to a global (outside) address on port 80, sweeping the source port so that every request is a new TCP connection.
In our case we generated an HTTP request from source port 2000, and the PIX started an authentication process:
109001: Auth start for user '???' from 10.10.10.1/2000 to 216.46.233.11/80
Then we generated an HTTP request from source port 2001:
109001: Auth start for user '???' from 10.10.10.1/2001 to 216.46.233.11/80
And so on. Because the aaa authentication rule covers all outbound HTTP, each new connection opens a separate uauth proxy channel before anyone has authenticated. After roughly 426 requests (the exact number varies) generated within 3 seconds, the PIX reported that the channel pool was exhausted:
Panic: uauth1 - open: no more channels (tcp/UNPROXY/1/0)!
and crashed in:
Thread Name: uauth1 (Old pc 0x80070b4f ebp 0x810c56dc)
and then reloaded.
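A detection for the syslog signature above, run over sample log lines. This is an added example and not part of the advisory: the threshold of 100 auth starts on distinct source ports within a 3-second sliding window is an assumption chosen well below the ~426 the page reports, the per-line timestamps are an assumption (the page's excerpt has none, so they would come from the syslog collector), and the sample lines are constructed from the 109001 format shown on the page.

```python
import re
from collections import defaultdict, deque

# PIX syslog message 109001 in the form shown on the page (no timestamp prefix).
AUTH_START_RE = re.compile(
    r"109001: Auth start for user '(?P<user>[^']*)' from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)"
)


def parse_auth_start(line):
    """Return (src, sport, dst, dport) for a 109001 line, or None for anything else."""
    m = AUTH_START_RE.search(line)
    if m is None:
        return None
    return m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport"))


def detect_auth_floods(events, max_starts=100, window_s=3.0):
    """Flag sources that open too many uauth channels too fast.

    events: iterable of (timestamp_seconds, syslog_line).  Timestamps are an
    assumption (the page's excerpt has none).  A source is reported once, the
    first time it has `max_starts` auth starts on distinct source ports inside
    any `window_s`-second sliding window.
    Returns [(src, window_start_ts, trigger_ts, distinct_port_count)].
    """
    recent = defaultdict(deque)   # src -> deque of (ts, sport) still inside the window
    alerts, reported = [], set()
    for ts, line in sorted(events, key=lambda e: e[0]):
        parsed = parse_auth_start(line)
        if parsed is None:
            continue                 # not an auth start; ignore
        src, sport, _dst, _dport = parsed
        q = recent[src]
        q.append((ts, sport))
        while q and ts - q[0][0] > window_s:
            q.popleft()              # drop entries older than the window
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= max_starts and src not in reported:
            reported.add(src)
            alerts.append((src, q[0][0], ts, len(distinct_ports)))
    return alerts


def build_sample_log(src="10.10.10.1", dst="216.46.233.11", first_port=2000,
                     count=426, start_ts=0.0, duration_s=3.0):
    """Constructed sample: `count` auth starts from consecutive source ports,
    spread evenly over `duration_s`, mirroring the sweep described on the page."""
    return [
        (start_ts + duration_s * i / count,
         f"109001: Auth start for user '???' from {src}/{first_port + i} to {dst}/80")
        for i in range(count)
    ]


def build_benign_log(src="10.10.10.2", dst="216.46.233.11"):
    """Constructed sample: one user opening a handful of connections over a
    minute, plus an unrelated (constructed) line the parser must skip."""
    lines = [(10.0 * i, f"109001: Auth start for user '???' from {src}/{3000 + i} to {dst}/80")
             for i in range(5)]
    lines.append((25.0, "constructed: unrelated syslog line that is not a 109001 message"))
    return lines


if __name__ == "__main__":
    for src, t0, t1, n in detect_auth_floods(build_sample_log() + build_benign_log()):
        print(f"ALERT {src}: {n} auth starts on distinct source ports in {t1 - t0:.2f}s")
```

Counting distinct source ports rather than raw lines is deliberate: a single slow client retrying one connection produces repeated 109001 lines for the same port and should not trip the rule, while the sweep the page describes burns one uauth channel per port.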