Security Incidents mailing list archives

Re: Detecting Cisco IOS probes


From: "Fergie" <fergdawg () netzero net>
Date: Tue, 7 Mar 2006 14:29:54 GMT

If you don't have HTTP enabled on the cisco router, and
your version of IOS is less than 4 or 5 years old, you're
probably okay. :-)

This has been going on (again) for a couple of weeks, and
most of the originating addresses that I have seen thus far
have been from China. However, since I have also seen several
sources located in Europe as well, I'm assuming that someone has
adapted this 5-year-old vulnerability exploit into a zombie kit.

 2001 June 27
 http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

The relevant section:

[snip]

By sending a crafted URL it is possible to bypass authentication and execute any command on the router at level 15 
(enable level, the most privileged level). This will happen only if the user is using a local database for 
authentication (usernames and passwords are defined on the device itself). The same URL will not be effective against 
every Cisco IOS software release and hardware combination. However, there are only 84 different combinations to try, so 
it would be easy for an attacker to test them all in a short period of time.

The URL in question follows this format:

 http://<device_addres>/level/xx/exec/....

Where xx is a number between 16 and 99.

This vulnerability is documented as Cisco Bug ID CSCdt93862. 

[snip]

And yes, there are probably older versions out there, and
unfortunately, there may be some that actually have HTTP
enabled -- BAD, BAD, BAD IDEA -- no matter what version of
code.

Cheers,

- ferg

-- "Mark Ryan del Moral Talabis" <talabis () gmail com> wrote:

Detecting Cisco IOS probes

We have detected activity directed towards Cisco IOS systems via http.
Most likely, the said activity is probes looking for live Cisco
machines with vulnerable Cisco IOS software accessible via its HTTP
server. Based on the signature of the probes, it seems that the
following tool is being used: cisco scanner v0.2.

Full analysis:
http://www.philippinehoneynet.org/dataarchive.php?date=2006-02-16

Ryan Talabis
Philippine Honeynet Project
http://www.philippinehoneynet.org

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/
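The URL pattern quoted from the advisory above (/level/xx/exec/... with xx from 16 to 99) is easy to match in web-server or proxy access logs. The following is an added example, not code from either poster or from Cisco; it assumes common-log-format lines, and the log lines and IP addresses in it are constructed for illustration.

```python
import re

# The bypass URL shape from the Cisco advisory: /level/xx/exec/... where xx is 16..99.
# Level 15 (the legitimate enable-level URL) and anything outside 16..99 are not flagged.
PROBE_RE = re.compile(r"/level/(1[6-9]|[2-9]\d)/exec(?:/|$)")

# Minimal common-log-format parser: client IP, method, path, status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (documentation-range IPs, not real sources).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Feb/2006:10:01:02 +0800] "GET /level/16/exec/- HTTP/1.0" 401 0
203.0.113.5 - - [16/Feb/2006:10:01:03 +0800] "GET /level/17/exec/- HTTP/1.0" 401 0
203.0.113.5 - - [16/Feb/2006:10:01:04 +0800] "GET /level/18/exec/show/version HTTP/1.0" 401 0
198.51.100.7 - - [16/Feb/2006:10:05:00 +0800] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [16/Feb/2006:10:05:01 +0800] "GET /level/15/exec/show/version HTTP/1.1" 401 0
192.0.2.44 - - [16/Feb/2006:11:00:00 +0800] "GET /level/99/exec/- HTTP/1.0" 401 0
this line is not in common log format
"""


def classify_line(line):
    """Return (ip, level) if the line is a level/xx/exec probe, else None."""
    m = CLF_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    p = PROBE_RE.search(m.group("path"))
    if not p:
        return None
    return m.group("ip"), int(p.group(1))


def find_probes(lines):
    """Map each probing source IP to the set of xx levels it requested."""
    hits = {}
    for line in lines:
        r = classify_line(line)
        if r:
            ip, level = r
            hits.setdefault(ip, set()).add(level)
    return hits


def sweeping_sources(hits, min_levels=3):
    """Sources iterating over several levels are scanner-like; the advisory notes only 84 combinations exist."""
    return sorted(ip for ip, levels in hits.items() if len(levels) >= min_levels)


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG.splitlines())
    for ip in sweeping_sources(probes):
        print(ip, sorted(probes[ip]))
```

A 401 on these paths only means this box did not fall to that level; the advisory's mitigation is to not expose the IOS HTTP server at all.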

