Bugtraq mailing list archives

RE: Cisco device HTTP exploit...


From: "Thornton, Simon (Simon)** CTR **" <sthornto () lucent com>
Date: Thu, 5 Jul 2001 16:01:12 +0200

Another 2 cents worth ...

Test platforms: Cisco 3620, IOS 12.0.7
                Cisco 1603, IOS 12.0.3
                Catalyst 7xxx

http://169.254.0.15/level/42/exec/show%20conf

This exploit only seems to work (for me) if I DON'T set up 'aaa' on the router or switch, using just the default local 
authentication.  With aaa enabled, you get an authorization failure and are prompted to logon.

A general aside on this type of vulnerability, which is applicable to most network assets: 
As with telnet or SNMP, access to the http management interface should be very stringently controlled, at the very 
least by strong authentication and by the use of ACLs to restrict who has access via which interfaces. Normally only a 
limited number of people require management access to a network device, which makes it easier to control.  In one 
company I worked with, the only devices able to access the http/telnet interface of the router were the HPOV machines 
(all other access blocked by ACL). An authorised user would first logon to the management machine and then use either 
netscape/lynx or telnet to manage the network devices. The logon authentication for the routers/switches was then 
handled using radius.

Before anyone comments, yes, I know, this is far from perfect and it has many security issues of its own. The aim of 
the approach was to centralise device access control and logging, not to create a proper out-of-band management system.



Rgds,

Simon
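As an added example (not part of Simon's post, and not a configuration from any of the listed test platforms) of the control approach described above: an IOS configuration fragment that puts the HTTP and vty management interfaces behind AAA/RADIUS with a local fallback account, and limits access to the management stations with a standard ACL. The management host addresses (192.0.2.10, 192.0.2.11), RADIUS server (192.0.2.20), ACL number 10 and both secrets are assumed placeholders; the `secret` keyword on `username` needs a later IOS train than the 12.0 releases named in the post (older trains only have `password`).

```cisco
! Added example, not from the original post. Addresses, ACL number and
! secrets below are placeholders chosen for illustration.
!
! 1. Central authentication and logging: RADIUS first, local account as
!    fallback so the box stays manageable if the RADIUS server is down.
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
! Local fallback account (use "password" instead of "secret" on old 12.0 trains).
username admin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
!
! 2. Only the management stations may talk to the management plane.
!    A numbered standard ACL is used because "ip http access-class"
!    and vty "access-class" take one. Denied attempts are logged.
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
access-list 10 deny   any log
!
! 3. HTTP interface: authenticate through AAA (the post notes the
!    level/NN URL only gets through with default local authentication)
!    and restrict the source addresses.
ip http authentication aaa
ip http access-class 10
! If the web interface is not needed at all, disable it instead:
! no ip http server
!
! 4. Telnet/vty: same source restriction plus an idle timeout.
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input telnet
```

The `deny any log` entry is what makes the ACL useful for detection as well as prevention: a management connection attempt from anything other than the two management hosts shows up in the device log (or at the syslog collector) rather than silently failing.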


