Security Incidents mailing list archives
Re: Detecting Cisco IOS probes
From: "Fergie" <fergdawg () netzero net>
Date: Tue, 7 Mar 2006 14:29:54 GMT
If you don't have HTTP enabled on the Cisco router, and your version of IOS is less than 4 or 5 years old, you're probably okay. :-)

This has been going on (again) for a couple of weeks, and most of the originating addresses that I have seen thus far have been from China. However, since I have also seen several sources located in Europe as well, I'm assuming that someone has adapted this 5-year-old vulnerability exploit into a zombie kit.

2001 June 27
http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

The relevant section:

[snip]

By sending a crafted URL it is possible to bypass authentication and execute any command on the router at level 15 (enable level, the most privileged level). This will happen only if the user is using a local database for authentication (usernames and passwords are defined on the device itself).

The same URL will not be effective against every Cisco IOS software release and hardware combination. However, there are only 84 different combinations to try, so it would be easy for an attacker to test them all in a short period of time.

The URL in question follows this format:

http://<device_address>/level/xx/exec/....

Where xx is a number between 16 and 99.

This vulnerability is documented as Cisco Bug ID CSCdt93862.

[snip]

And yes, there are probably older versions out there, and unfortunately, there may be some that actually have HTTP enabled -- BAD, BAD, BAD IDEA -- no matter what version of code.

Cheers,

- ferg

-- "Mark Ryan del Moral Talabis" <talabis () gmail com> wrote:

Detecting Cisco IOS probes

We have detected activity directed towards Cisco IOS systems via HTTP. Most likely, the said activity is probes looking for live Cisco machines with vulnerable Cisco IOS software accessible via its HTTP server. Based on the signature of the probes, it seems that the following tool is being used: cisco scanner v0.2.

Full analysis: http://www.philippinehoneynet.org/dataarchive.php?date=2006-02-16

Ryan Talabis
Philippine Honeynet Project
http://www.philippinehoneynet.org

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg () netzero net or fergdawg () sbcglobal net
ferg's tech blog: http://fergdawg.blogspot.com/
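Added example, not part of the thread or of the Philippine Honeynet analysis: a small Python script that applies the URL shape quoted from the Cisco advisory (/level/xx/exec/... with xx in 16..99, bug ID CSCdt93862) to HTTP access-log lines, so the probes Ryan describes can be pulled out of a web server or proxy log. The log lines are constructed sample data using documentation address ranges, the common log format is assumed as the input layout, and treating a 200 reply as "worth manual review" is this example's heuristic, not a statement from the advisory. Level 15 and below are the normal privilege levels and are deliberately not flagged.

```python
import re
from dataclasses import dataclass

# URL shape from Cisco bug CSCdt93862: /level/xx/exec/... with xx in 16..99.
# Level 15 and below are legitimate (authenticated) privilege levels, so the
# range check below leaves them alone.  \d{1,2} also rejects "/level/100/exec".
LEVEL_RE = re.compile(r"^/level/(?P<level>\d{1,2})/exec(?:/|$)")
BYPASS_MIN, BYPASS_MAX = 16, 99

# Assumed input layout: common log format (the constructed sample below uses it).
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Probe:
    src: str
    ts: str
    level: int
    path: str
    status: int


def classify_path(path: str):
    """Return the requested level if the path has the bypass shape (16..99),
    otherwise None."""
    m = LEVEL_RE.match(path)
    if not m:
        return None
    level = int(m.group("level"))
    return level if BYPASS_MIN <= level <= BYPASS_MAX else None


def find_probes(lines):
    """Parse access-log lines and keep only requests with the bypass shape."""
    probes = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a parsable access-log line; skip rather than crash
        level = classify_path(m.group("path"))
        if level is None:
            continue
        probes.append(Probe(m.group("src"), m.group("ts"), level,
                            m.group("path"), int(m.group("status"))))
    return probes


def summarize(probes):
    """Per-source hit count, the set of levels tried, and how many requests
    got a 200.  A scanner walking the 84 possible values (16..99) shows up as
    one source hitting many distinct levels; a 200 on such a request is only
    a hint that the device answered and is flagged here for manual review
    (heuristic of this example, not a claim from the advisory)."""
    by_src = {}
    for p in probes:
        entry = by_src.setdefault(p.src, {"hits": 0, "levels": set(), "answered_200": 0})
        entry["hits"] += 1
        entry["levels"].add(p.level)
        if p.status == 200:
            entry["answered_200"] += 1
    return by_src


# Constructed sample log lines (not real traffic).  203.0.113.7 plays the
# scanner walking levels; 198.51.100.22 is a legitimate level-15 admin session.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Feb/2006:10:00:01 +0000] "GET /level/16/exec/show/config HTTP/1.0" 401 0',
    '203.0.113.7 - - [16/Feb/2006:10:00:02 +0000] "GET /level/17/exec/show/config HTTP/1.0" 401 0',
    '203.0.113.7 - - [16/Feb/2006:10:00:03 +0000] "GET /level/99/exec/show/config HTTP/1.0" 401 0',
    '198.51.100.22 - - [16/Feb/2006:10:05:00 +0000] "GET /level/15/exec/show/version HTTP/1.0" 200 512',
    '198.51.100.22 - - [16/Feb/2006:10:05:01 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.9 - - [16/Feb/2006:10:06:00 +0000] "GET /level/42/exec/- HTTP/1.0" 200 2048',
    'this line is not an access-log entry and must be skipped',
]

if __name__ == "__main__":
    for src, info in summarize(find_probes(SAMPLE_LOG)).items():
        levels = ",".join(str(l) for l in sorted(info["levels"]))
        print(f"{src}: {info['hits']} probe(s), levels tried [{levels}], "
              f"answered 200: {info['answered_200']}")
```

Feed it a real access log with `find_probes(open(path))` and the per-source summary separates the one-off hit from the address that walks dozens of xx values. The pattern only covers the URL; a device with `no ip http server` will never produce these lines in the first place, which is the point Fergie makes above.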
Current thread:
- Detecting Cisco IOS probes Mark Ryan del Moral Talabis (Mar 06)
- <Possible follow-ups>
- Re: Detecting Cisco IOS probes Fergie (Mar 07)