Vulnerability Development mailing list archives

Re: news story and router passwords


From: Mr Rufus Faloofus <foofus () FOOFUS NET>
Date: Thu, 12 Oct 2000 14:19:59 -0500

At 04:35 PM 10/12/00 +0200, Vitaly Osipov wrote:
I've read one article recently
(http://www.denverpost.com/business/biz1012d.htm) in which it is claimed
that some hacker, after sniffing a router password, changed it and made
*something* after that so they were not able to recover that password. Has
anybody heard of such problems (it looks like they were using Cisco,
because they say - "If this guy posts how he actually did this, the whole
Internet's wide open.")? AFAIK Ciscos have password recovery procedures, at
least those which are not low-end.

Well, such things can happen (sort of), but I blame the router
administrators.

Most routers are administered by telnet, which is, of course, plain
text.  Fine and dandy: we can sniff it and see passwords.  Most
routers also have password recovery procedures, and these generally
involve having physical access to the device.

You can avoid having this happen to you by administering your
routers prudently.  For a Cisco, you have many options: use AAA
and a 1-time password scheme (like SecurID and a RADIUS or TACACS+
server), put an access-list on the VTY port so the router can only
be administered from a trusted host (like a UNIX box to which you
can SSH) so even if I know the password I can't use it, or use SSH
on the router itself (not an option under older IOS images).  Also,
try not to administer your core infrastructure devices from networks
where people are running sniffers and trying to hack you, when you
can avoid it.

There's no need for the guy to post how to do this on a Cisco:
there is no secret...

Step 1: sniff, sniff, sniff... eventually you'd see something like:
        telnet stupidly.administered.router
        User Access Verification\n\nPassword:
        supersecretpassword
        router>
        enable
        Password:
        thisistotallysecret
        router#
Step 2: telnet to the router and enter the VTY password
Step 3: type en and enter the enable password
Step 4: config term
Step 5: enable secret Ihax0rU
Step 6: ^Z
Step 7: write mem
Step 8: bwAhAhAhAhAhAhAhaAaAa! 0wn3d.

So don't leave your routers open like this, and you'll be safe.
If the passwords weren't sniffable (either because they are
encrypted or because they are good one time only) or untrusted
hosts could not telnet to the router, we'd have no problem
whatsoever.

See the following fine documents for good sound advice:

http://www.cisco.com/warp/public/707/21.html
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm

Now, as far as the article is concerned, there may be more
to it than this.  I can't understand how one can take control
of a router in such a way that it would have to be replaced.
I also know of no buffer overflows for current IOS revisions.
It sounds like maybe he got control of the box whence the
router was administered (shell access via sniffing: use SSH,
my friends!) and then root access via buffer overflow (keep
your UNIXen patched to current, safe, levels).  From there he
was able to access files containing router passwords (probably
backup configs, so the routers can TFTP them down at boot time).
And then he could access the routers and change the passwords.
Again: this is a case of unwary system administrators.  And
again: there's nothing particularly secret here.

I am sure many Internet-connected routers are vulnerable to
attack, as are the hosts from which they are managed.  But a
statement like "if this guy posts how he actually did this,
the whole Internet's wide open" is way over the top.  Unless
this person really has found a buffer overflow and a way to
defeat password recovery in routers with current IOS images.
But I really doubt that's the case.

Also, look at the ingenious solution to the problem: "he is
moving his hardware to a new location in Lafayette where he
can place the entire system behind a protective digital
firewall."  An Internet web-hosting company that's just now
implementing a firewall?  Uh...

--Foofus.
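The VTY hardening Foofus recommends above (an access-list on the VTY port, enable secret instead of enable password, AAA with a one-time-password backend, and SSH where the IOS image supports it), shown as an added Cisco IOS configuration pair that is not part of the original post. The addresses are constructed documentation-range values and every secret is a placeholder.

```cisco
! Added illustration, not from the original post. 192.0.2.x addresses are
! constructed (RFC 5737 documentation range); REPLACE_WITH_* are placeholders.
!
! --- Weak: the setup the sniffed session in the post implies ---
! The VTY and enable passwords travel in cleartext over telnet, enable password
! is stored cleartext or trivially reversible, and any host that can reach the
! router may open a VTY session and try them.
enable password cleartextenable
line vty 0 4
 password cleartextvty
 login
 transport input telnet
!
! --- Hardened ---
! enable secret stores a one-way hash; remove the reversible enable password.
no enable password
enable secret REPLACE_WITH_STRONG_SECRET
!
! AAA: authenticate logins against a TACACS+ server (which can front a
! one-time-password scheme), falling back to a local account only if the
! server is unreachable, so a replayed static password is useless.
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.20 key REPLACE_WITH_TACACS_KEY
username admin secret REPLACE_WITH_STRONG_SECRET
!
! Only the trusted management host (the box you SSH into) may reach the VTYs.
! On IOS images without SSH this access-class is the primary control.
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
!
! SSH on the router itself (needs a hostname, a domain name and an RSA key
! generated with crypto key generate rsa; only on images that include SSH).
ip domain-name example.net
ip ssh version 2
```

With the hardened version, a sniffer on the administrator's segment sees only SSH traffic, and a captured password from elsewhere cannot be used because the access-class refuses the connection before a login prompt is ever offered.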
