funsec mailing list archives

Renewed exploit attempts on an old bug: IOS HTTP Unauth Command Execution


From: "Fergie" <fergdawg () netzero net>
Date: Thu, 2 Mar 2006 16:59:41 GMT

Just an FYI:

If anyone is stoopid enough to have HTTP enabled on their
cisco routers, then you kind of deserve what you get. ;-)

Having said that, I've noticed over the course of the morning
a renewed sweep of attempts to exploit a 4-year-old vulnerability:

 http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

...from several different countries -- most of them in China.
A couple of the source IP addresses were on various hosts in
European DSL and CATV networks, so that's why I'm assuming that
they are compromised hosts.

I'm assuming these are compromised hosts that are being used
to scan address space looking for old IOS code.

[snip]

The timestamp(s) below are CST -06:00 UTC.

IDS reported a high severity alert at 03/02/2006 09:55:21
Signature IOS HTTP Unauth Command Execution (5129:0) from x.x.x.x
to x.x.x.x

Attempted exploit description:
An HTTP attempt to bypass [Cisco] router authentication to execute
privileged (level 15) commands is detected. The HTTP request looks
like:
 
 http:///level/XX/exec/...

...where XX is privilege levels 16 through 99.
 
[snip]

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/
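Detection logic for the request form quoted in the alert above, as an added example that is not part of the original post: it flags `/level/XX/exec` paths with XX from 16 through 99 in web-server access logs, and skips the legitimate levels 0-15. The common log format and the sample lines (RFC 5737 documentation addresses) are assumptions for illustration.

```python
import re
from typing import Iterable, List, Tuple

# Request path form from the IDS signature text: /level/XX/exec/...
# Legitimate IOS privilege levels are 0-15; the alert fires for 16-99.
_LEVEL_EXEC_RE = re.compile(r"^/level/(?P<level>\d+)/exec(?:/|$)")

# Assumed Apache/Squid-style common log line:
#   host ident user [time] "method path proto" status bytes
_CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)


def is_ios_level_bypass(path: str) -> bool:
    """True when the path matches /level/XX/exec with XX in 16..99."""
    m = _LEVEL_EXEC_RE.match(path)
    if m is None:
        return False
    return 16 <= int(m.group("level")) <= 99


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (source_ip, path) for each log line carrying the bypass pattern."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = _CLF_RE.match(line)
        if m is None:
            continue  # not a request line we can parse; skip rather than guess
        path = m.group("path")
        if is_ios_level_bypass(path):
            hits.append((m.group("src"), path))
    return hits


# Constructed sample lines (documentation addresses, not real sources).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2006:09:55:21 -0600] "GET /level/42/exec/ HTTP/1.0" 401 -',
    '198.51.100.9 - - [02/Mar/2006:09:55:30 -0600] "GET /level/15/exec/ HTTP/1.0" 401 -',
    '192.0.2.5 - - [02/Mar/2006:09:56:02 -0600] "GET /index.html HTTP/1.1" 200 512',
    'not a request line at all',
]

if __name__ == "__main__":
    for src, path in scan_log(SAMPLE_LOG):
        print(f"IOS HTTP level/exec bypass attempt from {src}: {path}")
```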


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

