Bugtraq mailing list archives

Re: Cisco 675 Denial of Service Attack


From: Kee Hinckley <nazgul () SOMEWHERE COM>
Date: Fri, 1 Dec 2000 17:38:30 -0500


At 12:36 PM -0800 12/1/00, Erik Parker wrote:
> Or the ability to change it.. You can't change the Cisco 675 out of Bridge
> mode into Route mode without the cooperation of Qwest/Whoever. They have
> to make changes on their router as well. I went through this for a week
> with Flashcom, to get out of bridging mode.
>
> Most never get their password for their Cisco either, however you can dump
> the memory in the CBOS on boot, and read the "encrypted" password, which
> is an off-by-2 sequence.. Where c is a, and e is c, and so on.

I've been meaning to release a notice on this for some time, but
since we're on the topic already.

Not only does the memory dump display the passwords ROT2, but if you
enable the tftp server (it's not on by default, thank goodness), the
"encrypted" passwords are accessible to anyone on the internet.
Enabling the tftp server is suggested as a way to back up the
parameter settings.  Doing so is definitely a *very* bad idea.  The
tftp server should either be modified to not dump the passwords, or
substantially better encryption should be used.

Just to magnify this problem, at least one ISP in the Northeast is
using the same router password for *all* of their DSL clients.
Therefore, one open tftp server (never mind a disgruntled employee or
customer who looks over the installer's shoulder) could cause a major
routing (and customer support) disaster.

--

Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects
Now Playing - Folk, Rock, and odd stuff - http://www.somewhere.com/radio.pls

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.


