Bugtraq mailing list archives

Re: Cisco 675 password nonsense


From: BFrancis () SPACEIMAGING COM (Francis Bodie)
Date: Tue, 3 Aug 1999 09:24:39 -0600


This is all true, and shows one of the security issues with bringing broadband access to the uneducated user.

Since this is sort of related: I had to do a password recovery on a 675, which is an undocumented procedure (or at least not in the manual).

To recover the password you do the following steps:

1.  Reboot the Cisco 675

2.  Access the device through the serial console (Speed: 34000, 8, N, 1)

3.  Issue the break command, <CTRL>-C

4.  The Cisco 675 should display a prompt =>

5.  Issue the command: ES 6   (Erase Page? 6)

6.  Issue the command: M0     (Turn off monitor mode.)

7.  Issue the command: go

8.  The modem should reboot, with exec and ena passwords removed.

*NOTE:  You will also lose your entire config.

Apparently the whole ROM monitor mode on the 675 is
a bit strange, most likely due to it being a former NetSpeed product.

Bodie

<DISCLAIMER>Views expressed here are not those of Space
Imaging.</DISCLAIMER>

-----Original Message-----
From: DeMoNx [mailto:demonx () SLACK NET]
Sent: Saturday, July 31, 1999 2:58 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Cisco 675 password nonsense


(First of all, please forgive me if you disapprove of my use of the word router. I just think it's a bit more appropriate term than 'modem' for the hardware being discussed.)

Is your DSL router an open book???

When a certain long distance provider/isp in my area began forcefully switching all non-business/special adsl accounts over to using PPP rather than bridging mode for 'security reasons', I got a little suspicious. With bridging mode enabled on a Cisco 675, one used to be able to hook up seemingly limitless machines (provided you have the hubs), to one dsl connection using dhcp. Now with PPP, your dhcp server becomes 10.10.10.0...your 675, which in turn uses dhcp or ipcp to handle traffic between itself and your isp....blah blah blah etc.

My point is, with all this wonderfully confusing hubbub, many people I'm sure are pulling their hair out trying to fathom the first 5 pages of the 'CBOS Users Guide', trying in vain to set up their dsl to avoid paying $90 to the guys that will end up coming to their house and setting it up for them. The problem is, *most* of these guys don't set passwords on the 675's. It is very simple to compromise an unpassworded 675. Simply hit 'enter' at the password prompt after telnetting in, if you get a cbos> prompt you are half way there, NOT GOOD. If there is no exec mode password set, then there most likely won't be an enable (superuser) mode password either. So, at this prompt you simply type 'enable' and hit enter twice. If you are in enable mode, your prompt will change to the # symbol, and you have full access to all the router's settings. ISPs are letting this happen, people are buying this technology without any knowledge that they may be at this kind of risk. Below is a log of one such Cisco 675. The IPs and hostnames have been changed to protect the irresponsible *and* the uninformed.

---


$telnet adslppp93.lame.isp.net
Trying 296.161.127.93...
Connected to adslppp93.lame.isp.net.
Escape character is '^]'.

User Access Verification
Password:                  (Just hit enter, whoa! No password!)

cbos>enable                (with just 8 keystrokes full access is given)

Password:

cbos#stats ppp             (Hmm, whose 675 is this?)

VC       VPI/VCI  STATE          MRU    USERNAME  RADIUS    TX       RX
wan0-0   01/01    Opened State   2048   poorsap   disabled  358673   358956

cbos#exit
Connection closed by foreign host.

Now, to change these passwords (the easiest way of securing the router):

type 'enable' and hit enter to enter administration mode

then type 'set password exec clear NEWPASSWORD exec' to keep em out

and then 'set password enable clear NEWPASSWORD enable' to change the superuser password.

This is what the person who set up the 675 *SHOULD* have done prior to leaving the jobsite.

Bill Watts
