Re: [PEN-TEST] Cisco access server security bypass

[John <john () RED-LAN NET>]

Hi Erik,

I'm not sure I'm missing the point somewhere. Are you saying that telneting
to the routers loopback:2001 will give you access different than say
ethernet:2001 or IP addresses assigned with the alias command?

I wonder if you could give a configuration example of an incorrectly
configured cisco?

Thanks

John


----- Original Message -----
From: "Erik Mintz" <emintz () STAFF MAIL COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, September 08, 2000 5:16 PM
Subject: [PEN-TEST] Cisco access server security bypass


> Cisco access server security bypass
>
> Cisco routers configured as terminal servers with async connections to
> system consoles can be configured for local security with any normal
> authentication method available (local password, TACACS, etc.). requiring
> users to login to the router and give a common password before they are
> allowed to connect to the host on the other end of the async cable. After
> login to the router, you can telnet, or 'connect', to the desired hosts.
>
> The router controls connections by a port number/async line/IP address
> association, such as async line 1 connected to your Sun console =
> 10.10.10.1:2001. You can bypass the routers authentication by opening a
> telnet session directly to the routers lo0/assigned port.
>
> Of course, this only gets you to the password prompt for the connected
> device, however, most people do not realize the router will allow you to
> bypass the authentication at the router, and may be in the habit of
leaving
> the console open to skip a seemingly redundant authentication process
(well,
> nobody here of course, but I have found many root prompts on the other end
> of these terminal servers everywhere from the public 'net to "secure"
LANs).
> Because admins know they need to give a password at the router, they may
be
> less concerned about the console. Find them by scanning ports 2000+, and
> searching for the string "open", which is enumerated on successful
> connection. There is also an option to disable the "open" string, so you
> should also look for shell prompts.
>
>
> Cisco has a configuration option to fix this on routers running IOS
versions
> 11.3T and higher, by adding AAA to the lines. Configuration is;
> authorization reverse-access default|list-name
>
> where default and list-name are defined by aaa authorization command.
>
>
> Vulnerable systems:
>
> Any misconfigured Cisco access server with async ports are vulnerable.
Most
> common usage for the application are 2511 models with octal cables. You
will
> find them connected to server farms, backbone routers, etc.
> Routers running IOS versions prior to 11.3 are vulnerable. No
configuration
> options available to fix.
>
> The matter is more of knowledge and laziness than the fault of Cisco, but
I
> think it should be part of security audits. Although a correct config will
> prevent this (with recent IOS), I believe most admins do not realize the
> hole is there.
>
> Erik Mintz
> emintz () staff mail com
> 732-516-2767
> ~~~
> |
> |
> |
> |
> |
> |
> repoman () cbgb com