Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

[PEN-TEST] Cisco access server security bypass

From: Erik Mintz <emintz () STAFF MAIL COM>
Date: Fri, 8 Sep 2000 12:16:43 -0400
Cisco access server security bypass

Cisco routers configured as terminal servers with async connections to
system consoles can be configured for local security with any normal
authentication method available (local password, TACACS, etc.). requiring
users to login to the router and give a common password before they are
allowed to connect to the host on the other end of the async cable. After
login to the router, you can telnet, or 'connect', to the desired hosts.

The router controls connections by a port number/async line/IP address
association, such as async line 1 connected to your Sun console =
10.10.10.1:2001. You can bypass the routers authentication by opening a
telnet session directly to the routers lo0/assigned port.

Of course, this only gets you to the password prompt for the connected
device, however, most people do not realize the router will allow you to
bypass the authentication at the router, and may be in the habit of leaving
the console open to skip a seemingly redundant authentication process (well,
nobody here of course, but I have found many root prompts on the other end
of these terminal servers everywhere from the public 'net to "secure" LANs).
Because admins know they need to give a password at the router, they may be
less concerned about the console. Find them by scanning ports 2000+, and
searching for the string "open", which is enumerated on successful
connection. There is also an option to disable the "open" string, so you
should also look for shell prompts.


Cisco has a configuration option to fix this on routers running IOS versions
11.3T and higher, by adding AAA to the lines. Configuration is;
authorization reverse-access default|list-name

where default and list-name are defined by aaa authorization command.


Vulnerable systems:

Any misconfigured Cisco access server with async ports are vulnerable. Most
common usage for the application are 2511 models with octal cables. You will
find them connected to server farms, backbone routers, etc.
Routers running IOS versions prior to 11.3 are vulnerable. No configuration
options available to fix.

The matter is more of knowledge and laziness than the fault of Cisco, but I
think it should be part of security audits. Although a correct config will
prevent this (with recent IOS), I believe most admins do not realize the
hole is there.

Erik Mintz
emintz () staff mail com
732-516-2767
~~~
|
|
|
|
|
|
repoman () cbgb com
Previous By Date Next
Previous By Thread Next

Current thread: