RE: multiple looking-glasses input vulnerability

[arivanov () sigsegv cx]

Hi list,
        I answered the original post but the submission did not go through.
        In brief: the original David Kern looking glass has a number of
problems. These are inherited in most code derived from it:
        1. The only security measure used in the code is a http-referer check
which is a parameter suppplied by the user and can be changed at will.
        2. The parameters supplied to a rsh executed on the local machine are
not checked. It is executed via fork/exec, not a perl pipe open so shell
expansions cannot be used, but it still leaves possibilities for supplying rsh
with bogus arguments
        3. The parameters suppplied to the router are not checked properly. The
only check in the original looking glass is a check for NULL param so that the
router does not try to do a full BGP dump. This check is bogus as well because
one can supply an argument of a regular expression to the sh ip bgp. This
argument can resolve to the full BGP table and cause arbitrary additional
router load. So any router accessible via non-fixed lg can be effectiviely
DOSed up to full CPU load.

        The solution to this unfortunately is full rewrite from scratch using
CGI.pm, perl's Net::telnet instead of rsh/fork/exec and proper parameter
checking/mangling. 
        I have done this in the past so at least a few LGs I know of are not
vulnerable ;-)


On 18-Oct-2001 barabas () lokmail net wrote:
> Hi,
>
> There is a flaw in many looking-glasses (most of them based on the 
> nitrous-digex one ) which allows attackers to gather information about 
> the network which is not intentionally provided through looking-glass 
> functionality:
>
> It seems that the looking-glass (which is usually written in Perl) 
> doesn't check the input properly for the validity of the input address.
>
>
> example:
>
> when clicking bgp, to check an address in the bgp table, the attacker 
> can enter , instead of an ip address, the word "nei"(or neighbours) 
> and all bgp neighbours will be fully visible. In fact, any valid argument 
> in cisco IOS following sh ip bgp, can be entered.
> Another example: <sh ip bgp> paths gives the full path table. This 
> puts some strain on routers and could be used to DOS the router if 
> no proper access security is provided.
> Various other things can be done
>
> workaround: check for a "." in the input . This shouldn't be too hard 
> to implement in the script :-)
>
> Haven't checked for traversal possibilities yet ;-)
>
>
> Barabas
>
>
>
>
>
>
> ---------------------------------------------------------
> Get Free Private Encrypted Email https://mail.lokmail.net
>         Switch to Name.Space: http://namespace.org/switch

----------------------------------
Anton R. Ivanov
ARI2-RIPE
Today's deliverables will have to be delayed because:

Your parity check is overdrawn and you're out of cache.

----------------------------------

Attachment: _bin
Description: