ACC's 'Tigris' Access Terminal server security vunerability..

[rob () RPI NET AU (Robert Thomas)]

ACC (link - http://www.acc.com ) have been aware of this flaw for 3 months
now, so I'm not springing this on them unaware. Just so you know 8-)

OS Versions up to (and including) 10.5.8 are vunerable to a 'lame-arsed
coding' bug, which lets you display a (slightly censored) dump of the
configuration, as well as letting you run -any- non-priviledeged command (==
anything but changing the configuration) including the ability to telnet from
the machine, ping other machines (bypassing firewalls, perhaps?), and
basically letting people know what you don't really want them to know.

After having a quick fiddle, I'm (guessing) that the login sequence runs like
this:

Print the string "Login:"
Stick the string 'login ' into the input buffer, and wait for user to type
either 'netman' or 'public', resulting in the command 'login netman' or 'login
public' being sent to the OS, which will then prompt for a password.  This
gives you the ability to do the really difficult thing of pushing backspace
several times, or, hitting ^U (delete to beginning of line) and running any of
the commands (like, for example, 'show' which will dump the running
configuration, with any passwords *'ed out) that can be accessed by the
'public' account.

This includes:
  Dialin Numbers
  RADIUS Authentication/Accounting servers (minus passwords)
  OS Version
  IP Ranges
  BGP/RIP/OSPF filtering information

Another problem that I've found is that the machines have an undocumented
(that I could find) 'public' account, with a default password of 'public',
which gives you the same information as you get with the ^U bug. The first
time I found that out is in the email message sent from XSI (included below)

To give both sides of the story, I hereby present an email message that I
received from XSI (who are the Australian Distributors for the Tigris Access
Server) in responce to a vague message from me on the Australian ISP list
saying that I'd found a bug in the terminal server, and they should contact
XSI for information on how to fix it.


--snip--
Subject: Re: [Oz-ISP] Supposed Security Flaw
  Date:  Thu, 10 Dec 1998 08:47:20 +0000
  From:  "Nathan Chan" <chan () xsi com au>
    To:  tigris-list () iig com au
    CC:  rob () rpi net au


G'Day Guys,

You may have recently seen a article in the Ausie ISP List saying
that the Tigris has a security flaw.  This isn't the case.

Basically you can press Cntl U at the prompt and then type a command.
eg show.   However it is NOT a security flaw since if you can get to
the login prompt of the Tigris  you would get exactly the same thing
if you logged in as username : Public, password : Public, which would
a lot easier to work out than pressing Cntl U and anyone can do
this!!

Simply adding Access entries can easily stop anybody from Telneting
to your box, and should be done on everyone's box anyway !  No-one
other than management staff should be able to access the
Tigris....1st rule of network protection.

If someone can get to you prompt, Cntl U is the LEAST of your
worries, since they can't do anything still  :)

Anyway, they are fixing this.

Any questions let me know.

Regards
Nathan
--snip--

I responded to this pointing out that that would not work if someone dialled
into the terminal server, and sent source routed data to the terminal server,
as (AFAIK, and I can find no docco on it either) you cannot explicitly block
source routed data, and you are going through no firewall to get to the
device.  No responce as yet (sent on 12th October, 1998).

Now, let me point out, I -like- the box.  Whilst it's harder to configure than
the Annex/Versalar Bay series of products (which just work 8-), it reliably
holds 56k connections, seems very stable, and is considerably cheaper than the
comparable 5399/8000 series from Bay. Apart from a few 'lame-arsed coding'
bugs, it's a good box, and I've recommended it more than a few times.

I honestly wouldn't be so worried if it didn't show the RADIUS servers, and
the dialin numbers, as they are usually things you don't want every user to
know. Whilst this is (obviously) security through obscurity, seeing packets
wander around your network whilst x-lam3-haxx0r tries to locate your radius
servers will give you a good tipoff that someone is up to no good, rather than
just having a radius DoS flood sent to your server(s) without any warning
because their location was handed to them on a silver platter.

Anyway guys, hope you all have a good new year, and you've got your hourly
rates set to quadruple for Y2K work!

--Robert Thomas
RP Internet Services
"Will Geek for bandwidth. Don't care about food."

[Note: I'm Australian. It's Arse, not Ass. An ass is a donkey 8-)]