Re: Cisco 677 oddity: Broadcasting to port 1999

[Jeffrey Karpenko <Jeffrey.Karpenko () RHIGROUP COM>]

For all you DSL customers using the 677, check this out !!
http://www.cisco.com/warp/public/471/105.html
Password Recovery for the 600 Series routers

This link may require a site LOGIN

-----Original Message-----
From: Chris vuln-dev [mailto:chris () STORNER DK]
Sent: Wednesday, August 09, 2000 2:50 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Cisco 677 oddity: Broadcasting to port 1999


I don't know if this can be used for anything, but it is a bit
puzzling anyway.

My ADSL connection uses a Cisco 677 router, running the CBOS
(Cisco Broadband OS). During a recent service outage, I noticed
something peculiar: The router broadcasts for other Cisco routers
when the WAN link goes down, using the well-known Cisco identification
port 1999.

(See http://www.geek-girl.com/bugtraq/1999_1/0226.html for the
story about Cisco's use of port 1999).

Here's how it looked on my Linux box, which handles syslog for the
router, and has ipchains firewalling rules setup:

Aug  8 05:14:46 adsl-router 087:20:22:36 PPP        Info       PPP Down
Event on wan0-0
Aug  8 05:21:19 adsl-router 087:20:29:09 ATM        Info       WAN 0
physical layer is down
Aug  8 05:21:20 adsl-router 087:20:29:09 COMMANDER  Info       WAN 0
physical layer is down
Aug  8 05:21:20 osiris kernel: Packet log: input - eth1 PROTO=17
192.168.1.1:1999 255.255.255.255:1999 L=94 S=0x00 I=4136 F=0x4000 T=1 (#23)

192.168.1.1 is the adsl-router. I did not know that Cisco also uses
UDP port 1999, but apparently they do.

Now, the interesting thing of course is: What would have happened if
there was actually another Cisco router present that would answer to
this broadcast. Would my ADSL router start sending traffic to the
other router, or what is the purpose of this broadcast ?


Chris