Bugtraq mailing list archives
RE: multiple looking-glasses input vulnerability
From: arivanov () sigsegv cx
Date: Fri, 19 Oct 2001 07:53:32 +0100 (BST)
Hi list,

I answered the original post but the submission did not go through. In brief: the original David Kern looking glass has a number of problems. These are inherited in most code derived from it:

1. The only security measure used in the code is an http-referer check, which is a parameter supplied by the user and can be changed at will.

2. The parameters supplied to an rsh executed on the local machine are not checked. It is executed via fork/exec, not a perl pipe open, so shell expansions cannot be used, but it still leaves possibilities for supplying rsh with bogus arguments.

3. The parameters supplied to the router are not checked properly. The only check in the original looking glass is a check for a NULL param so that the router does not try to do a full BGP dump. This check is bogus as well because one can supply an argument of a regular expression to the sh ip bgp. This argument can resolve to the full BGP table and cause arbitrary additional router load. So any router accessible via a non-fixed lg can be effectively DOSed up to full CPU load.

The solution to this unfortunately is a full rewrite from scratch using CGI.pm, perl's Net::Telnet instead of rsh/fork/exec and proper parameter checking/mangling. I have done this in the past so at least a few LGs I know of are not vulnerable ;-)

On 18-Oct-2001 barabas () lokmail net wrote:
Hi,

There is a flaw in many looking-glasses (most of them based on the nitrous-digex one) which allows attackers to gather information about the network which is not intentionally provided through looking-glass functionality. It seems that the looking-glass (which is usually written in Perl) doesn't check the input properly for the validity of the input address.

Example: when clicking bgp, to check an address in the bgp table, the attacker can enter, instead of an ip address, the word "nei" (or neighbours) and all bgp neighbours will be fully visible. In fact, any valid argument in cisco IOS following sh ip bgp can be entered. Another example: <sh ip bgp> paths gives the full path table. This puts some strain on routers and could be used to DOS the router if no proper access security is provided. Various other things can be done.

Workaround: check for a "." in the input. This shouldn't be too hard to implement in the script :-) Haven't checked for traversal possibilities yet ;-)

Barabas
----------------------------------
Anton R. Ivanov
ARI2-RIPE
Today's deliverables will have to be delayed because:
Your parity check is overdrawn and you're out of cache.
----------------------------------
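Both posts above come down to the same defect: the looking glass hands whatever the user typed to "sh ip bgp", and the "check for a dot" workaround does not close it, since a regular-expression argument such as "regexp .*" contains a dot and still resolves to the full table. The following is an added example written for this page, not code from either poster, from the David Kern looking glass or from the nitrous-digex derivative. It shows the allowlist approach Anton describes: the argument is accepted only if it is a well-formed IPv4 address or prefix, and the IOS command is built solely from the validated value. The function names, the sample inputs and the assumption that the resulting string is later passed to a Net::Telnet session are all mine.

```perl
#!/usr/bin/perl
# Added example (not from the Bugtraq posts or any looking-glass
# distribution): allowlist validation of the single argument a looking
# glass passes to "show ip bgp". Only a dotted-quad IPv4 address, optionally
# followed by /prefix-length, is accepted. Keywords ("nei", "paths"),
# regular expressions and an empty value are refused before any command
# string exists, so nothing unchecked can reach the router.
use strict;
use warnings;

# Returns the argument unchanged on success, or undef on rejection.
sub validate_bgp_query {
    my ($raw) = @_;
    return undef unless defined $raw;
    # "255.255.255.255/32" is the longest legal form; reject anything longer early.
    return undef if length($raw) > 18;

    # Fully anchored, fully explicit pattern: four decimal octets, optional /0-32.
    # \A and \z are used instead of ^ and $ so a trailing newline cannot slip past.
    return undef unless $raw =~ m{\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/(\d{1,2}))?\z};
    my @octets = ($1, $2, $3, $4);
    my $plen   = $5;

    for my $o (@octets) {
        return undef if $o > 255;
        return undef if $o =~ /\A0\d/;   # leading zeros ("010") are ambiguous; refuse them
    }
    return undef if defined $plen && $plen > 32;

    return $raw;
}

# Builds the exact IOS command. Dies rather than falling through, so there is
# no code path in which an unvalidated value is interpolated into the command.
sub build_bgp_command {
    my ($raw) = @_;
    my $arg = validate_bgp_query($raw);
    die "invalid bgp query argument\n" unless defined $arg;
    # Assumption: the caller sends this string over a Net::Telnet session,
    # as the reply suggests, rather than via rsh/fork/exec.
    return "show ip bgp $arg";
}

# Constructed inputs: the two abuse cases named in the thread, a regexp
# argument (which a "contains a dot" check would let through), an empty
# value (full-table dump) and a value with a trailing newline.
my @cases = (
    '198.51.100.7',        # accepted
    '198.51.100.0/24',     # accepted
    'nei',                 # rejected: neighbour dump
    'paths',               # rejected: full path table
    'regexp .*',           # rejected: contains a dot, still a full-table match
    '',                    # rejected: empty argument = full BGP dump
    "10.0.0.1\n",          # rejected: not anchored at end of string
    '010.0.0.1',           # rejected: leading zero
);

for my $c (@cases) {
    my $cmd = eval { build_bgp_command($c) };
    (my $shown = $c) =~ s/\n/\\n/g;
    printf "%-20s => %s\n", "'$shown'", defined $cmd ? $cmd : "REJECTED";
}
```

The design point is that the validator decides what may pass rather than enumerating what must not: a denylist of "nei", "paths" and friends would have to track every IOS keyword and every regexp form, whereas the allowlist only has to describe the one thing the page was built to look up. The same shape applies to the rsh arguments Anton's second point mentions, but that path is better removed altogether, as his rewrite does, than validated.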