BugTraq
Cisco 6509 switch telnet vulnerability Oct 03 2003 12:03AM
Chris Norton (kicktd hotmail com) (2 replies)
Re: Cisco 6509 switch telnet vulnerability Oct 04 2003 05:55AM
Bob Niederman (btrq bob-n com) (1 replies)
Re: Cisco 6509 switch telnet vulnerability Oct 05 2003 02:25AM
twig les (twigles yahoo com)
Re: Cisco 6509 switch telnet vulnerability Oct 04 2003 01:11AM
Wendy Garvin (wgarvin cisco com)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris,

This is a known bug, and we were able to reproduce the behavior you
reported; however, the commands cannot actually be executed. As you
demonstrated, you can get the 'help' text for non-enable commands at the
password prompt, but the command is not completed; all that is returned is
an error message. These commands are publicly available:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_5/cmd_refr/cli.htm

This bug cannot be used to gain control of the switch, gather further
information about the device or gather details about the traffic it carries.
It is documented as CSCdr87435, and it is fixed in 5.5(3) and later, and
6.1(1) and later. Details about the problem can be found on our website if
you are a registered user:

http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdr87435

Thank you for your work on this problem. As always, working with the Cisco
PSIRT team is the best way to verify the accuracy of information before
posting it publicly.

- ---Wendy

> Chris Norton <kicktd (at) hotmail (dot) com> [2003-10-03 16:24] wrote:
>
>
> A vulnerability has been found on Cisco 6509 switches. The vulnerability was found to work on 2 different Cisco 6509 switches running CATOS 5.4(2) and 5.5(2). The vulnerability can lead to information and commands being executed on the remote switch from the login prompt. Commands can be executed at the Enter password: prompt as long as they are followed by a space and a ?
> Proof of concept below:
> Cisco Systems Console
>
> Enter password:
> <data_size> Size of the packet (0..1420)
> <cr>
> Enter password: traceroute 127.0.0.1
>
> This vulnerability has yet to be confirmed by Cisco but they have been alerted about it.
>
> [ ----- End of Included Message ----- ]

- ---
Wendy Garvin - Cisco PSIRT - 408 525-1888 CCIE# 6526
- -----------------------------------------------------
http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBP34brc/6vhuARK9tEQICAgCgj7ghQcOp0poO7TPsRyHEI+oe50MAoOBo
BHjtXy3ob12Ss7bouy3JpARY
=RIWI
-----END PGP SIGNATURE-----
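
Added example (not part of the original message and not Cisco code): a small inventory check that flags switches still running a release without the CSCdr87435 fix, using the fixed versions quoted above. It assumes that "5.5(3) and later" refers to later 5.5 maintenance releases, so 6.0(x) is reported as needing an upgrade; the hostnames and the inventory format are constructed for illustration.

```python
import re

# Fixed releases as stated in the message for CSCdr87435.
FIXED_55_TRAIN = (5, 5, 3)   # "5.5(3) and later"
FIXED_FROM = (6, 1, 1)       # "6.1(1) and later"

# "major.minor(maintenance)" with an optional letter suffix, e.g. 5.5(13a).
_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)[a-z]*\)$")


def parse_catos(version):
    """Turn a string such as '5.5(2)' into a comparable tuple (5, 5, 2)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def has_fix(version):
    """True if the version falls in one of the two fixed ranges."""
    v = parse_catos(version)
    if v >= FIXED_FROM:
        return True
    # Assumption: "5.5(3) and later" means later 5.5 maintenance releases,
    # so 6.0(x) falls in neither stated range and is reported as unfixed.
    return v[:2] == FIXED_55_TRAIN[:2] and v >= FIXED_55_TRAIN


def audit(inventory_text):
    """Map each 'hostname version' line to fixed / needs-upgrade / unparsed."""
    report = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.strip().partition(" ")
        try:
            report[host] = "fixed" if has_fix(version) else "needs-upgrade"
        except ValueError:
            report[host] = "unparsed"   # surface bad records, never skip them
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = "core-sw1 5.4(2)\ncore-sw2 5.5(2)\ndist-sw1 5.5(3)\n" \
         "dist-sw2 6.0(1)\nedge-sw1 6.3(10)\nedge-sw2 5.5(13a)\nlab-sw1 unknown\n"

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:10} {status}")
```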
