Vulnerability Development mailing list archives
Re: news story and router passwords
From: Mr Rufus Faloofus <foofus () FOOFUS NET>
Date: Thu, 12 Oct 2000 14:19:59 -0500
At 04:35 PM 10/12/00 +0200, Vitaly Osipov wrote:
> I've read one article recently ( http://www.denverpost.com/business/biz1012d.htm ) in which it is claimed that some hacker, after sniffing a router password, changed it and made *something* after that so they were not able to recover that password. Has anybody heard of such problems (it looks like they were using Cisco, because they say - "If this guy posts how he actually did this, the whole Internet's wide open.")? AFAIK Ciscos have password recovery procedures, at least those which are not low-end.
Well, such things can happen (sort of), but I blame the router administrators. Most routers are administered by telnet, which is, of course, plain text. Fine and dandy: we can sniff it and see passwords. Most routers also have password recovery procedures, and these generally involve having physical access to the device.

You can avoid having this happen to you by administering your routers prudently. For a Cisco, you have many options: use AAA and a 1-time password scheme (like SecureID and a RADIUS or TACACS+ server), put an access-list on the VTY port so the router can only be administered from a trusted host (like a UNIX box to which you can SSH) so even if I know the password I can't use it, or use SSH on the router itself (not an option under older IOS images). Also, try not to administer your core infrastructure devices from networks where people are running sniffers and trying to hack you, when you can avoid it.

There's no need for the guy to post how to do this on a Cisco: there is no secret...

Step 1: sniff, sniff, sniff... eventually you'd see something like:

    telnet stupidly.administered.router
    User Access Verification

    Password: supersecretpassword
    router> enable
    Password: thisistotallysecret
    router#

Step 2: telnet to the router and enter the VTY password
Step 3: type en and enter the enable password
Step 4: config term
Step 5: enable secret Ihax0rU
Step 6: ^Z
Step 7: write mem
Step 8: bwAhAhAhAhAhAhAhaAaAa! 0wn3d.

So don't leave your routers open like this, and you'll be safe. If the passwords weren't sniffable (either because they are encrypted or because they are good one time only) or untrusted hosts could not telnet to the router, we'd have no problem whatsoever. See the following fine documents for good sound advice:

http://www.cisco.com/warp/public/707/21.html
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm

Now, as far as the article is concerned, there may be more to it than this.
I can't understand how one can take control of a router in such a way that it would have to be replaced. I also know of no buffer overflows for current IOS revisions. It sounds like maybe he got control of the box whence the router was administered (shell access via sniffing: use SSH, my friends!) and then root access via buffer overflow (keep your UNIXen patched to current, safe, levels). From there he was able to access files containing router passwords (probably backup configs, so the routers can TFTP them down at boot time). And then he could access the routers and change the passwords. Again: this is a case of unwary system administrators. And again: there's nothing particularly secret here.

I am sure many Internet-connected routers are vulnerable to attack, as are the hosts from which they are managed. But a statement like "if this guy posts how he actually did this, the whole Internet's wide open" is way over the top. Unless this person really has found a buffer overflow and a way to defeat password recovery in routers with current IOS images. But I really doubt that's the case.

Also, look at the ingenious solution to the problem: "he is moving his hardware to a new location in Lafayette where he can place the entire system behind a protective digital firewall." An Internet web-hosting company that's just now implementing a firewall? Uh...

--Foofus.
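As an added illustration of the administration advice in the post above (not code from the post or from Cisco), a small audit routine that checks an IOS-style configuration for the weak points Foofus lists: a recoverable enable password, a VTY reachable from any host, cleartext telnet allowed, and a shared line password instead of per-user login. The two sample configs and the 192.0.2.10 management host are constructed for this example; the enable secret hash is a placeholder.

```python
# Constructed sample configs (not taken from the post): a VTY left wide open,
# and one locked down along the lines the post recommends.
WEAK_CONFIG = """\
enable password thisistotallysecret
line vty 0 4
 password supersecretpassword
 login
"""

HARDENED_CONFIG = """\
enable secret 5 $PLACEHOLDER_HASH$
access-list 10 permit host 192.0.2.10
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""


def vty_findings(config: str) -> list:
    """Return audit findings for the VTY management path of an IOS-style config."""
    findings = []
    lines = config.splitlines()
    # 'enable password' is stored reversibly (or in clear); 'enable secret' is hashed.
    if any(l.startswith("enable password ") for l in lines):
        findings.append("enable password instead of enable secret")
    # Collect the indented sub-commands of every 'line vty' block.
    vty_cmds = []
    in_vty = False
    for l in lines:
        if l.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and l.startswith(" "):
            vty_cmds.append(l.strip())
        else:
            in_vty = False
    if not any(c.startswith("access-class ") and c.endswith(" in") for c in vty_cmds):
        findings.append("no access-class on VTY: any host may try the password")
    transports = [c.split()[2:] for c in vty_cmds if c.startswith("transport input ")]
    # No explicit 'transport input' means the platform default applies, which may
    # include telnet; treat it like an explicit telnet/all as a conservative check.
    if not transports or any({"telnet", "all"} & set(t) for t in transports):
        findings.append("telnet not excluded on VTY: credentials may cross the wire in cleartext")
    if any(c.startswith("password") for c in vty_cmds) and "login local" not in vty_cmds:
        findings.append("shared line password instead of per-user or AAA login")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, vty_findings(cfg) or ["no findings"])
```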