Penetration Testing mailing list archives
[PEN-TEST] Cisco access server security bypass
From: Erik Mintz <emintz () STAFF MAIL COM>
Date: Fri, 8 Sep 2000 12:16:43 -0400
Cisco access server security bypass

Cisco routers configured as terminal servers with async connections to system consoles can be configured for local security with any normal authentication method available (local password, TACACS, etc.), requiring users to log in to the router and give a common password before they are allowed to connect to the host on the other end of the async cable. After login to the router, you can telnet, or 'connect', to the desired hosts. The router controls connections by a port number/async line/IP address association, such as async line 1 connected to your Sun console = 10.10.10.1:2001.

You can bypass the router's authentication by opening a telnet session directly to the router's lo0/assigned port. Of course, this only gets you to the password prompt for the connected device; however, most people do not realize the router will allow you to bypass the authentication at the router, and may be in the habit of leaving the console open to skip a seemingly redundant authentication process (well, nobody here of course, but I have found many root prompts on the other end of these terminal servers everywhere from the public 'net to "secure" LANs). Because admins know they need to give a password at the router, they may be less concerned about the console.

Find them by scanning ports 2000+, and searching for the string "open", which is enumerated on successful connection. There is also an option to disable the "open" string, so you should also look for shell prompts.

Cisco has a configuration option to fix this on routers running IOS versions 11.3T and higher, by adding AAA to the lines. Configuration is:

    authorization reverse-access default|list-name

where default and list-name are defined by the aaa authorization command.

Vulnerable systems:

Any misconfigured Cisco access server with async ports is vulnerable. The most common usage for the application is 2511 models with octal cables. You will find them connected to server farms, backbone routers, etc.

Routers running IOS versions prior to 11.3 are vulnerable. No configuration options available to fix.

The matter is more of knowledge and laziness than the fault of Cisco, but I think it should be part of security audits. Although a correct config will prevent this (with recent IOS), I believe most admins do not realize the hole is there.

Erik Mintz
emintz () staff mail com
732-516-2767
repoman () cbgb com
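For the audit side of the post above, here is an added example (not part of the original message) that checks a saved IOS configuration for TTY/AUX line blocks lacking the `authorization reverse-access` line command, or naming a list that no `aaa authorization reverse-access` statement defines. The sample configuration, the function name `audit_reverse_access`, and the choice to skip `vty` and `con` lines are assumptions made for the illustration.

```python
import re

# Constructed sample config for illustration; not taken from the original post.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization reverse-access default tacacs+
!
line 1 8
 login
 transport input telnet
line 9 16
 login
 authorization reverse-access default
line aux 0
 authorization reverse-access CONSOLES
line vty 0 4
 login
"""

def audit_reverse_access(config_text):
    """Return (line_header, issue) for each TTY/AUX block without working
    reverse-access authorization."""
    defined = set()   # list names from 'aaa authorization reverse-access'
    blocks = {}       # line header -> its subcommands
    current = None
    for raw in config_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if raw[0].isspace():              # indented: subcommand of current block
            if current is not None:
                blocks[current].append(text)
            continue
        current = None
        m = re.match(r"aaa authorization reverse-access (\S+)", text)
        if m:
            defined.add(m.group(1))
        elif re.match(r"line (?!vty|con)", text):  # assumption: vty/con out of scope
            current = text
            blocks[current] = []
    findings = []
    for header, cmds in blocks.items():
        used = [m.group(1) for c in cmds
                if (m := re.fullmatch(r"authorization reverse-access (\S+)", c))]
        if not used:
            findings.append((header, "no reverse-access authorization on line"))
        elif used[-1] not in defined:
            findings.append((header, f"list '{used[-1]}' not defined by aaa authorization"))
    return findings

if __name__ == "__main__":
    for header, issue in audit_reverse_access(SAMPLE_CONFIG):
        print(f"{header}: {issue}")
```

A clean result only covers the configuration option the post names; on IOS releases before 11.3 the post states there is no configuration fix, so the software version has to be checked separately.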