Phenoelit Advisory

[ Authors ]
        FX
        FtR
        kim0

        Phenoelit Group (http://www.phenoelit.de)
        Advisory http://www.phenoelit.de/stuff/Cisco_tftp.txt

[ Affected Products ]
        Cisco IOS

        Tested on IOS 11.1 - 11.3

        Cisco Bug ID:
        CERT Vulnerability ID: 689579

[ Vendor communication ]
        06/29/02        Initial Notification,
                        security-alert@cisco.com & psirt@cisco.com
                        *Note - Initial notification by Phenoelit
                        includes a cc to cert@cert.org by default
        06/30/02        Human confirmation from PSIRT @ Cisco
        06/30/02        (2) Discussion of detail
        07/01/02        Continued discussion for reproducing problem
        07/01/02        Receipt, ack. and clarification by CERT@CERT.ORG
        07/03/02        Continued discussions with PSIRT
        07/19/02        Notification of intent to post publicly in
                        approx. 7 days.
        07/25/02        Final coordination for release.

[ Overview ]
        Cisco Systems Routers are the most widely used routers. Cisco
        Routers are embedded network devices that run a dedicated
        Operating System, the Cisco IOS.

[ Description ]
        The Cisco IOS integrated TFTP server suffers from a buffer
        overflow condition. When requesting a file name with
        approximately 700 characters, the device crashes and may reboot.
        This only happens if the served file is on a flash device and no
        alias is assigned to it.

        Vulnerable:
        router# conf t
        router# tftp-server flash:ios_11.3_a-b-c-d.bin

        Not vulnerable:
        router# conf t
        router# tftp-server flash:ios_11.3_a-b-c-d.bin alias TheStuff

[ Example ]
        OpenBSD# tftp cisco53.navy.smil.mil
        tftp> get AAAAAAAAA....(700 times)

[ Solution ]
        None available at this time

[ end of file ]
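The [ Description ] section distinguishes a tftp-server statement with an alias from one without. The following is an added example, not part of the Phenoelit advisory or any Cisco tool, that audits a saved configuration for the unaliased form. The function names, the sample configuration and the rule that any device name beginning with "flash" counts as a flash device are assumptions.

```python
import re

# Matches "tftp-server flash:<file> ..." as shown in the advisory. Treating any
# device name that starts with "flash" as a flash device is an assumption.
TFTP_STMT = re.compile(r"^\s*tftp-server\s+(flash\S*:\S+)(.*)$", re.IGNORECASE)


def audit_tftp_server(config_text):
    """Return (line_no, served_file, alias) for each tftp-server flash statement.

    alias is None when the statement has no alias keyword, which is the form
    the advisory lists as vulnerable.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("!"):       # IOS comment / separator line
            continue
        match = TFTP_STMT.match(line)
        if not match:                           # also skips "no tftp-server ..."
            continue
        served_file, rest = match.group(1), match.group(2).split()
        alias = None
        # Look for "alias" as its own token so a file name that merely
        # contains the word (flash:alias_test.bin) is not mistaken for one.
        for i, token in enumerate(rest[:-1]):
            if token.lower() == "alias":
                alias = rest[i + 1]
                break
        findings.append((line_no, served_file, alias))
    return findings


def unaliased(config_text):
    """Only the statements that serve a flash file without an alias."""
    return [f for f in audit_tftp_server(config_text) if f[2] is None]


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
!
hostname router
tftp-server flash:ios_11.3_a-b-c-d.bin
tftp-server flash:ios_11.3_a-b-c-d.bin alias TheStuff
tftp-server flash:alias_test.bin
!
"""

if __name__ == "__main__":
    for line_no, served_file, _ in unaliased(SAMPLE_CONFIG):
        print(f"line {line_no}: {served_file} is served without an alias")
```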