Re: Cisco Security Advisory: IOS HTTP authorization vulnerability

["David Hyams" <david.hyams () kmu-security ch>]

----- Original Message -----
From: "Oliver Petruzel" <opetruzel () cox rr com>

> (don't even get me started on the amount of info flying around networks
> now via plaintext SNMP because of enterprise managaement consoles and
> (soon to be nearly pointless) IDS systems.. Uhhg)

SNMP ? Did somebody mention SNMP?? My favorite protocol :-)
Seriously though, Cisco devices support SNMP V3, pity nobody bothers to use
it. I once heard there are add on products for network management systems
that support SNMP V3, but they're expensive. Would somebody like to start
"opensnmp", dedicated to open source implementations of "decent" SNMP agents
and tools? (Home page www.opensnmp.org maybe ?)

> SIDE NOTE: I'd be VERY interested in seeing the process for discovery of
> this latest cisco hole.  I havent been able to track down the logic used
> in discovering the /xx/exec capability...

Well, don't laugh, but I was actually trying to study for the CCNA exam. I
was playing with a router and switch in the lab to get to know IOS better. I
eventually got bored and started playing with HTTP instead. On one of the
devices (can't remember which one), I noticed a URL of the form
http:://level/15/exec/... It seemed that the number 15 had something to do
with access levels, so I decided to try the number 42 just to see what
happens...
(Douglas Adams fans will instantly realise why 42 was a good number to try)

One more point before I forget - when I reported the problem to Cisco I was
amazed that nobody else had noticed it before. Maybe some people are
spending too much time looking for bugs in IIS?

regards

David Hyams
--
david.hyams () kmu-security ch
http://www.kmu-security.ch