Penetration Testing mailing list archives
Re: [PEN-TEST] Cisco access server security bypass
From: Erik Mintz <emintz () STAFF MAIL COM>
Date: Mon, 11 Sep 2000 09:56:18 -0400
It's for access servers using any dial or async configuration; the async lines have ports associated with the line number. Sorry, no configs. Some notes found on Cisco's site:

http://www.cisco.com/warp/public/76/9.html#reverse_telnet
http://www.cisco.com/warp/public/779/smbiz/service/troubleshooting/ts_async.htm

-Erik

----- Original Message -----
From: "John" <john () RED-LAN NET>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, September 08, 2000 7:10 PM
Subject: Re: [PEN-TEST] Cisco access server security bypass

| Hi Erik,
|
| I'm not sure I'm missing the point somewhere. Are you saying that telnetting
| to the router's loopback:2001 will give you access different than say
| ethernet:2001 or IP addresses assigned with the alias command?
|
| I wonder if you could give a configuration example of an incorrectly
| configured Cisco?
|
| Thanks
|
| John
|
| ----- Original Message -----
| From: "Erik Mintz" <emintz () STAFF MAIL COM>
| To: <PEN-TEST () SECURITYFOCUS COM>
| Sent: Friday, September 08, 2000 5:16 PM
| Subject: [PEN-TEST] Cisco access server security bypass
|
| > Cisco access server security bypass
| >
| > Cisco routers configured as terminal servers with async connections to
| > system consoles can be configured for local security with any normal
| > authentication method available (local password, TACACS, etc.), requiring
| > users to login to the router and give a common password before they are
| > allowed to connect to the host on the other end of the async cable. After
| > login to the router, you can telnet, or 'connect', to the desired hosts.
| >
| > The router controls connections by a port number/async line/IP address
| > association, such as async line 1 connected to your Sun console =
| > 10.10.10.1:2001. You can bypass the router's authentication by opening a
| > telnet session directly to the router's lo0/assigned port.
| >
| > Of course, this only gets you to the password prompt for the connected
| > device, however, most people do not realize the router will allow you to
| > bypass the authentication at the router, and may be in the habit of leaving
| > the console open to skip a seemingly redundant authentication process (well,
| > nobody here of course, but I have found many root prompts on the other end
| > of these terminal servers everywhere from the public 'net to "secure" LANs).
| > Because admins know they need to give a password at the router, they may be
| > less concerned about the console. Find them by scanning ports 2000+, and
| > searching for the string "open", which is enumerated on successful
| > connection. There is also an option to disable the "open" string, so you
| > should also look for shell prompts.
| >
| > Cisco has a configuration option to fix this on routers running IOS versions
| > 11.3T and higher, by adding AAA to the lines. Configuration is:
| >
| > authorization reverse-access default|list-name
| >
| > where default and list-name are defined by aaa authorization command.
| >
| > Vulnerable systems:
| >
| > Any misconfigured Cisco access server with async ports is vulnerable. Most
| > common usage for the application are 2511 models with octal cables. You will
| > find them connected to server farms, backbone routers, etc.
| > Routers running IOS versions prior to 11.3 are vulnerable. No configuration
| > options available to fix.
| >
| > The matter is more of knowledge and laziness than the fault of Cisco, but I
| > think it should be part of security audits. Although a correct config will
| > prevent this (with recent IOS), I believe most admins do not realize the
| > hole is there.
| >
| > Erik Mintz
| > emintz () staff mail com
| > 732-516-2767
| > ~~~
| > repoman () cbgb com
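Added example (not part of the original thread and not Cisco's code): a small audit script that reads an IOS configuration and reports numbered async/TTY line blocks that lack the "authorization reverse-access" line command described above, or that reference a method list never defined by "aaa authorization reverse-access". The sample configuration is constructed, the function names are hypothetical, and the port column assumes the 2000 + line-number mapping generalized from the post's "async line 1 = port 2001" example.

```python
import re

# Constructed sample IOS configuration (not taken from the original thread).
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization reverse-access default group tacacs+
!
line con 0
 login
line 1 4
 transport input telnet
 authorization reverse-access default
line 5 8
 transport input telnet
 login
line 9
 transport input telnet
 authorization reverse-access CONSOLES
line vty 0 4
 login
"""

def parse_tty_blocks(config):
    """Collect numbered 'line N [M]' blocks (async/TTY lines) with their commands."""
    blocks, current = [], None
    for raw in config.splitlines():
        m = re.match(r"line (\d+)(?: (\d+))?\s*$", raw)
        if m:
            first = int(m.group(1))
            current = {"first": first, "last": int(m.group(2) or first), "cmds": []}
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current["cmds"].append(raw.strip())
        else:
            current = None  # any other top-level line (con, vty, '!') ends the block
    return blocks

def audit_reverse_access(config):
    """Flag TTY blocks with no reverse-access authorization or an undefined list."""
    defined = set(re.findall(r"^aaa authorization reverse-access (\S+)", config, re.M))
    findings = []
    for b in parse_tty_blocks(config):
        ports = "%d-%d" % (2000 + b["first"], 2000 + b["last"])  # assumed 2000+line mapping
        lists = [c.split()[2] for c in b["cmds"]
                 if c.startswith("authorization reverse-access ")]
        if not lists:
            findings.append((b["first"], b["last"], ports, "no authorization reverse-access"))
        elif lists[-1] not in defined:
            findings.append((b["first"], b["last"], ports, "list %s not defined" % lists[-1]))
    return findings

if __name__ == "__main__":
    for finding in audit_reverse_access(SAMPLE_CONFIG):
        print(finding)
```

Console and vty lines are skipped on purpose, since the bypass described in the thread concerns the numbered async lines.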
Current thread:
- [PEN-TEST] Cisco access server security bypass Erik Mintz (Sep 08)
- Re: [PEN-TEST] Cisco access server security bypass John (Sep 08)
- Re: [PEN-TEST] Cisco access server security bypass Erik Mintz (Sep 11)
- Re: [PEN-TEST] Cisco access server security bypass dannen harris (Sep 11)
- Re: [PEN-TEST] Cisco access server security bypass John (Sep 08)