Published: 2003-07-17

Cisco IOS Interface Denial of Service Vulnerability

Cisco announced a critical infrastructure vulnerability in its IOS software, which is widely deployed as the network operating system on routers and switches.

A working exploit has been posted to public mailing lists. It has been reported
that the exploit code was used in some attacks. However, so far we don't see any
widespread usage. Sporadic network outages over the last two days can be attributed to network operators upgrading routers.

Cisco IOS is deployed on many routers involved in the Internet infrastructure. A specially crafted sequence of IPv4 packets can cause an error on router interfaces: the router incorrectly marks the interface as having a full queue and blocks all inbound traffic on that interface. An affected router has to be rebooted to resume operation.


A large number of ISPs and end users are using affected equipment. Large internet service providers have already upgraded many routers. As a side effect, internet users may have experienced outages due to the maintenance work. Some of these outages are reflected in the 'global instability index' which is maintained by Dennis McGrath (Univ. Dartmouth): http://people.ists.dartmouth.edu/~dmcgrath/gii/ . The
measured BGP route flapping occurs as ISPs reroute traffic temporarily while some routers are down for upgrades.


More details on this vulnerability and the available fixes and workarounds are available from Cisco.



Contributed by the SANS Incident Handlers (isc at incidents dot org)


Published: 2003-07-16

Microsoft Buffer Overrun in RPC

On July 17th, CERT and Microsoft released a Security Bulletin regarding a
newly discovered buffer overrun in Microsoft Windows products.

Vulnerable Systems


- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003


A buffer overrun was discovered in Microsoft's RPC implementation. RPC is one
of the protocols used by Windows systems. The RPC (Remote Procedure Call)
protocol is used to execute code on a remote system. Microsoft's RPC
implementation added specific extensions to the original Open Source RPC

According to Microsoft, "The vulnerability is present in the part of RPC that
deals with message exchange over TCP/IP. The failure results because of
incorrect handling of malformed messages. This particular vulnerability
affects a Distributed Component Object Model (DCOM) interface with RPC, which
listens on TCP/IP port 135. This interface handles DCOM object activation
requests that are sent by client machines (such as Universal Naming
Convention (UNC) paths) to the server."


This vulnerability can be exploited by sending a specially formed request to the
remote computer on port 135.

A remote attacker could exploit this vulnerability to execute arbitrary code
with Local System privileges or to cause a denial of service.


If the machine is connected to the Internet, block access to port 135.
This will prevent access to this port and any attempt to exploit this

It is also highly recommended to apply the patch released by Microsoft, according
to Microsoft Security Bulletin MS03-026.

Microsoft Patches


* Windows NT 4.0 Server

* Windows NT 4.0 Terminal Server Edition

* Windows 2000

* Windows XP 32 bit Edition

* Windows XP 64 bit Edition

* Windows Server 2003 32 bit Edition

* Windows Server 2003 64 bit Edition


CERT® Advisory CA-2003-16 Buffer Overflow in Microsoft RPC

Microsoft Security Bulletin MS03-026


Pedro Bueno - SANS Incident Handler


Published: 2003-07-10

Passive OS Fingerprinting Update

This table is an updated summary of Toby Miller's paper about Passive OS Fingerprinting.

*Windows 95, Windows 98 and Windows XP fingerprints were added
after some lab experiments.



Linux 2.4 / Linux 2.2

Window Size = 5840 (Linux 2.4) or 32120 (Linux 2.2)
Initial TTL = 64
IP ID: Increments randomly at the start of each session
TCP Options: MSS, SackOK, WindowScale, Timestamp, one NOP
Total Packet Length: 60 bytes


(operating system name missing in source)

Window Size = 16384
Initial TTL = 64
IP ID: Completely random
TCP Options: MSS, SackOK, WindowScale, Timestamp, five NOPs
Total Packet Length: 64 bytes
TOS = 0x10


(operating system name missing in source)

Window Size = 65535
Initial TTL = 64
IP ID: Increments by 1
TCP Options: MSS, WindowScale, three NOPs, Timestamp (first three SYN tries)
Total Packet Length: 60 bytes (first three SYN tries)
*TCP Options: MSS (after first three SYN tries)
*Total Packet Length: 44 bytes (after first three SYN tries)


Solaris 7

Window Size = 8760
Initial TTL = 255
IP ID: Increments by one always
TCP Options: MSS
Total Packet Length: 44 bytes


AIX 4.3

Window Size = 16384
Initial TTL = 64
IP ID: Increments by one always
TCP Options: MSS
Total Packet Length: 44 bytes
TOS = 0x10


Windows 2000

Window Size = 16384
Initial TTL = 128
IP ID: Increments by one all of the time
TCP Options: MSS, SackOK, two NOPs
Total Packet Length: 48 bytes


Windows 98

Window Size = 8192
Initial TTL = 128
IP ID: Increments by 256 (?)
TCP Options: MSS, SackOK, two NOPs
Total Packet Length: 48 bytes


Windows 95

Window Size = 8192
Initial TTL = 32
IP ID: Increments by 256
TCP Options: MSS
Total Packet Length: 44 bytes


Windows XP

Window Size = 64240
Initial TTL = 128
IP ID: Increments by one
TCP Options: MSS, SackOK, two NOPs
Total Packet Length: 48 bytes
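As an added illustration (not part of the diary or Toby Miller's paper), the following Python matcher encodes the labelled rows of the table above and classifies a captured SYN by window size, inferred initial TTL, TCP option set and total length. The sample SYNs are constructed; the IP ID and TOS columns are left out because they need more than one packet to observe.

```python
from collections import Counter

# Labelled fingerprints transcribed from the table above:
# (OS, window size, initial TTL, TCP options as a multiset, total packet length)
FINGERPRINTS = [
    ("Linux 2.4",    5840,  64,  ("MSS", "SackOK", "WindowScale", "Timestamp", "NOP"), 60),
    ("Linux 2.2",    32120, 64,  ("MSS", "SackOK", "WindowScale", "Timestamp", "NOP"), 60),
    ("Solaris 7",    8760,  255, ("MSS",), 44),
    ("AIX 4.3",      16384, 64,  ("MSS",), 44),
    ("Windows 2000", 16384, 128, ("MSS", "SackOK", "NOP", "NOP"), 48),
    ("Windows 98",   8192,  128, ("MSS", "SackOK", "NOP", "NOP"), 48),
    ("Windows 95",   8192,  32,  ("MSS",), 44),
    ("Windows XP",   64240, 128, ("MSS", "SackOK", "NOP", "NOP"), 48),
]

INITIAL_TTLS = (32, 64, 128, 255)   # the initial values used in the table

def guess_initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value.
    Each router hop decrements TTL by one, so 51 implies 64 and 116 implies 128.
    Ambiguity is possible only for paths longer than ~32 hops."""
    for ttl in INITIAL_TTLS:
        if observed_ttl <= ttl:
            return ttl
    return None   # TTL above 255 is not a valid IP header value

def match_syn(window, observed_ttl, options, total_len):
    """Return the OS names whose fingerprint matches this SYN ([] if none).
    Options are compared as a multiset because the table lists counts, not order."""
    init_ttl = guess_initial_ttl(observed_ttl)
    opts = Counter(options)
    return [name for name, win, ttl, fp_opts, length in FINGERPRINTS
            if win == window and ttl == init_ttl
            and Counter(fp_opts) == opts and length == total_len]

# Constructed sample SYNs as seen after some hops: (window, TTL, options, length)
SAMPLES = {
    "host-a": (5840,  51,  ("MSS", "SackOK", "Timestamp", "NOP", "WindowScale"), 60),
    "host-b": (64240, 116, ("MSS", "NOP", "NOP", "SackOK"), 48),
    "host-c": (8760,  243, ("MSS",), 44),
}

def classify_all(samples=SAMPLES):
    """Map each sample host to its list of matching OS names."""
    return {host: match_syn(*syn) for host, syn in samples.items()}

if __name__ == "__main__":
    for host, guesses in classify_all().items():
        print(host, guesses or ["unknown"])
```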

Toby Miller's original paper:


Toby Miller's original paper - Part 2


Pedro Paulo Ferreira Bueno



Published: 2003-07-09

EP.net DNS Survey

Currently, another round of the EP.net DNS survey is under way. You may
see zone transfer requests from and as a result of
this activity. See http://www.ep.net/in-addr-audit.html or http://www.ep.net .


Published: 2003-07-07

Paypal scam site using SSL spotted

A member of our 'handler' group spotted a fake Paypal site which uses a valid
SSL certificate. While this certificate is not issued for 'paypal.com', standard
URL masking techniques make it plausible to untrained users that the site is
a valid Paypal site.

We do receive almost daily reports of fake Paypal or e-bay sites. Usually it is
the goal of these sites to extract information from users which will be used
in identity theft or credit card fraud. The page is usually advertised via
spam and looks just like a regular Paypal/ebay page. The e-mail suggests that
the user should visit the page to confirm billing information.

A standard technique to mask the actual URL, and make it look more like a
valid Paypal site, is the addition of user name / password prefixes. HTTP URLs
can include a user name and password for HTTP basic authentication. These are
prepended to the URL in the following syntax:


For example, in order to make "isc.sans.org" look like a Paypal site, the following URL could be used:


The user name / password is ignored if no authentication is required.

In most cases, these scam sites are easily spotted as they are not using SSL. Sometimes they attempt to hide this fact by increasing the browser window size to push the lower part of the browser window off the screen, so users will not see the browser's open padlock icon.

However, this latest site uses a valid SSL certificate. Unless users inspect the certificate in more detail, they will not notice the problem.

The particular URL of the fake Paypal site is:

As shown in the spam used to advertise it, it looks like:

The URL is overly long to hide the actual host name.

After submitting the form, the cgi script redirects the user to the actual Paypal login page, further hiding the fact that the user just used a fake page.

The page uses a wild card certificate for 'worldispnetwork.com'.
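As an added example (not from the diary), the function below splits a URL the way a browser does and reports the host the request really goes to, flagging the user:password@ prefix, a watched brand name that appears outside the real host, a missing SSL scheme, and an overly long URL. The brand watch list, the length threshold and the sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

WATCHED_BRANDS = ("paypal", "ebay")   # assumption: brands the scams impersonate
MAX_REASONABLE_LEN = 100              # assumption: longer URLs are suspicious

def host_belongs_to(host, brand):
    """True if host is brand.com itself or a subdomain of it."""
    return host == f"{brand}.com" or host.endswith(f".{brand}.com")

def analyze_url(url):
    """Return the real host, any userinfo prefix, and a list of warnings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    userinfo = None
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
    warnings = []
    if userinfo is not None:
        # Everything before '@' is basic-auth userinfo, not the host; a server
        # that requires no authentication ignores it, so it never changes
        # where the request lands.
        warnings.append(f"userinfo '{userinfo}' precedes the real host '{host}'")
    # A brand name in the userinfo, host or path counts as decoy text unless
    # the real host actually belongs to that brand.
    decoy = ((userinfo or "") + host + parts.path).lower()
    for brand in WATCHED_BRANDS:
        if brand in decoy and not host_belongs_to(host, brand):
            warnings.append(f"'{brand}' appears in the URL but the host is '{host}'")
    if parts.scheme != "https":
        warnings.append("not using SSL")
    if len(url) > MAX_REASONABLE_LEN:
        warnings.append(f"URL is {len(url)} characters long")
    return {"host": host, "userinfo": userinfo, "warnings": warnings}

if __name__ == "__main__":
    # Constructed samples: a masked URL and a genuine one for comparison.
    for sample in ("https://www.paypal.com:confirm@isc.sans.org/cgi-bin/webscr?cmd=login",
                   "https://www.paypal.com/cgi-bin/webscr"):
        print(analyze_url(sample))
```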

more information? Please let us know: isc@sans.org


Published: 2003-07-03

Defacement Contest

Update: Only a few defacements have been reported as a result of the challenge.
Zone-h.com, which was supposed to track the defacements, is down due to high traffic (real and DDoS). No big surprises at this point. Some security sites used
"self defacements" to protest the media hype around this challenge.

After changing web hosts a couple of times, the challenge site is now
online again. The time of the contest is now set to 9am-3pm Estonian Time (Eastern
European Timezone), which makes it 6am-12pm GMT, or 2am-8am EDT.
Current website URL: http://www.defacers-challenge.com/defeng.htm

An unidentified group announced a "defacement contest" supposed to be
held on July 6th 2003. The goal of the contest is to deface as many sites
as possible during a yet to be announced 6 hour period.

Some security companies reported a decrease in defacements this week, which
was seen as an indication of hackers 'saving' sites for defacement during the

The Internet Storm Center is at this point not aware of any particular
unusual activity. Defacements occur in large numbers daily and usually use
standardized tools easily obtained by unskilled hackers. Contests like the
one above are held regularly, even though usually without any formal announcement.

However, based on the publicity this announcement received, it is possible that
the defacer community will be more active on Sunday. The actual contest web site
is no longer available.

At this point, we do recommend reviewing web site security in accordance with your
security policies.


got details? Please send information to isc@sans.org