Vulnerability Development mailing list archives
Re: Cisco 677 oddity: Broadcasting to port 1999
From: Vladimir Kraljevich <vlaad () EMPRESARIUM COM>
Date: Mon, 14 Aug 2000 17:28:11 -0000
Now, the interesting thing of course is: What would have
happened if
there was actually another Cisco router present that would
answer to
this broadcast. Would my ADSL router start sending traffic
to the
other router, or what is the purpose of this broadcast ?
AFAIK, the purpose of this broadcast is just syslog, nothing more. You can make it (if you have access to CBOS) to point to arbitrary address on the net, sending those messages to arbitrary port on the listening machine. Nobody in normal situation should answer to this message, since it is dedicated for debugging purposes only, to show administrators what is going wrong. Even if you try to simulate response from the another "router" nothing should happen. However, some reports reveals that in certain circumstances you can bring down the Cisco 6xx (perhaps few other types, too) by flooding syslog. /********* IMPORTANT??? ***********
From my experience, it is possible to nail a coffin to
Cisco 677 with ICMP request in which IPOPT_RR is set. Someone, please confirm this. I wrote to CCO, but they wanted my ID, SSN, dog's name, mother's maiden name, photographies of my family, my footprint, my fingerprints etc. to be able to submit these informations. I'm not in the mood to cooperate on that way with someone who is responsible to deal with his faults. However, public deserves to know :) (from command line type:) ping -r 9 216.32.74.55 **********************************/ Your traffic cannot be sent this way to anyone. The thing you should really be worried about (check your router with Nmap) is existance of wide open TFTP, WWW and telnet remote adminstration access points. root>show broadcast Directed_Broadcast Forwarding is currently enabled root>show syslog SYSLOG Configuration Currently Enabled Currently sends syslog information to yy.yy.yy.yy Currently uses port xxxxx root>show telnet TELNET Configuration Currently Enabled Currently accepts connections only from yy.yy.yy.yy Currently uses port xxxxx Timeout is set to 3600 root>show web WEB Configuration Is not enabled Currently accepts connections only from yy.yy.yy.yy Currently uses port xxxxx root>show tftp TFTP Configuration Is not enabled Currently accepts connections only from yy.yy.yy.yy Currently uses port 69 You can also use "debug" (undocumented for 677) command, but only in privileged mode; It allows you to look closer what is going on. <example from my CCO> 08/08/2000 02:50:19"734, 82 bytes from yy.yy.yy.yy <03>000:15:23:15 TCP Alarm MTU value returned by get_ip_mtu was zero </example from my CCO> Hope this helps.
Current thread:
- Cisco 677 oddity: Broadcasting to port 1999 Chris vuln-dev (Aug 09)
- Re: Cisco 677 oddity: Broadcasting to port 1999 Vladimir Kraljevich (Aug 14)
- Re: Cisco 677 oddity: Broadcasting to port 1999 Jim Duncan (Aug 15)
- Re: Cisco 677 oddity: Broadcasting to port 1999 Blue Boar (Aug 15)
- Re: Cisco 677 oddity: Broadcasting to port 1999 Jim Duncan (Aug 15)
- <Possible follow-ups>
- Re: Cisco 677 oddity: Broadcasting to port 1999 Jeffrey Karpenko (Aug 10)
- Re: Cisco 677 oddity: Broadcasting to port 1999 Vladimir Kraljevich (Aug 14)