funsec mailing list archives
Renewed exploits attempts on an old bug: IOS HTTP Unauth Command Execution
From: "Fergie" <fergdawg () netzero net>
Date: Thu, 2 Mar 2006 16:59:41 GMT
Just an FYI: If anyone is stoopid enough to have HTTP enabled on their Cisco routers, then you kind of deserve what you get. ;-)

Having said that, I've noticed over the course of the morning a renewed sweep of attempts to exploit a 4-year-old vulnerability:

http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

..from several different countries -- most of them in China. A couple of the source IP addresses were on various hosts in European DSL and CATV networks, so that's why I'm assuming that they are compromised hosts.

I'm assuming these are compromised hosts that are being used to scan address space looking for old IOS code.

[snip]

The timestamp(s) below are CST -06:00 UTC.

IDS reported a high severity alert at 03/02/2006 09:55:21
Signature IOS HTTP Unauth Command Execution (5129:0) from x.x.x.x to x.x.x.x

Attempted exploit description:

An HTTP attempt to bypass [Cisco] router authentication to execute privileged (level 15) commands is detected. The HTTP request looks like:

http:///level/XX/exec/...

...where XX is privilege levels 16 through 99.

[snip]

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg () netzero net or fergdawg () sbcglobal net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
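The request shape quoted in the alert above (/level/XX/exec/... with XX from 16 through 99) can be checked for in HTTP logs. The following is an added example, not part of the original post and not Cisco's or the IDS vendor's code; the Apache-style log format, the sample lines, the function names and the reading of a 200 status as "the device answered" are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed log format: Apache-style common log lines from a proxy or sensor.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
# Path shape quoted in the alert text: /level/XX/exec/...
LEVEL_EXEC = re.compile(r"^/level/(\d+)/exec(?:/|$)", re.IGNORECASE)

# Constructed sample lines using documentation addresses; not from the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Mar/2006:09:55:21 -0600] "GET /level/16/exec/... HTTP/1.0" 401 0',
    '192.0.2.10 - - [02/Mar/2006:09:55:22 -0600] "GET /level/%39%39/exec/... HTTP/1.0" 200 1024',
    '198.51.100.7 - - [02/Mar/2006:09:56:02 -0600] "GET /level/15/exec/... HTTP/1.0" 401 0',
    '203.0.113.5 - - [02/Mar/2006:09:57:40 -0600] "GET /index.html HTTP/1.0" 200 512',
    'garbage line that is not a request',
]

def signature_level(path):
    """Return XX if the path is /level/XX/exec/ with 16 <= XX <= 99, else None."""
    decoded = unquote(path.split("?", 1)[0])  # normalise %-encoding, drop query string
    m = LEVEL_EXEC.match(decoded)
    if not m:
        return None
    level = int(m.group(1))
    return level if 16 <= level <= 99 else None

def scan(lines):
    """Count matching requests per source; list the ones answered with 200."""
    hits, answered = Counter(), []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, path, status = m.groups()
        level = signature_level(path)
        if level is None:
            continue
        hits[src] += 1
        if status == "200":  # assumption: 200 means the target served the request
            answered.append((src, level))
    return hits, answered

if __name__ == "__main__":
    hits, answered = scan(SAMPLE_LOG)
    for src, n in hits.most_common():
        print(f"{src}: {n} request(s) matching /level/16-99/exec/")
    print("answered with 200, check that device's IOS version:", answered)
```

Requests to /level/15/exec/ are deliberately not counted, since the alert text gives 16 through 99 as the range.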