Penetration Testing mailing list archives
Re: [PEN-TEST] Cisco access server security bypass
From: John <john () RED-LAN NET>
Date: Sat, 9 Sep 2000 00:10:59 +0100
Hi Erik,

I'm not sure if I'm missing the point somewhere. Are you saying that telnetting to the router's loopback:2001 will give you access different than, say, ethernet:2001 or IP addresses assigned with the alias command? I wonder if you could give a configuration example of an incorrectly configured Cisco?

Thanks
John

----- Original Message -----
From: "Erik Mintz" <emintz () STAFF MAIL COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, September 08, 2000 5:16 PM
Subject: [PEN-TEST] Cisco access server security bypass
Cisco access server security bypass

Cisco routers configured as terminal servers with async connections to system consoles can be configured for local security with any normal authentication method available (local password, TACACS, etc.), requiring users to log in to the router and give a common password before they are allowed to connect to the host on the other end of the async cable. After logging in to the router, you can telnet, or 'connect', to the desired hosts. The router controls connections by a port number/async line/IP address association, such as async line 1 connected to your Sun console = 10.10.10.1:2001.

You can bypass the router's authentication by opening a telnet session directly to the router's lo0/assigned port. Of course, this only gets you to the password prompt for the connected device; however, most people do not realize the router will allow you to bypass the authentication at the router, and may be in the habit of leaving the console open to skip a seemingly redundant authentication process (well, nobody here of course, but I have found many root prompts on the other end of these terminal servers everywhere from the public 'net to "secure" LANs). Because admins know they need to give a password at the router, they may be less concerned about the console.

Find them by scanning ports 2000+, and searching for the string "open", which is enumerated on successful connection. There is also an option to disable the "open" string, so you should also look for shell prompts.

Cisco has a configuration option to fix this on routers running IOS versions 11.3T and higher, by adding AAA to the lines. Configuration is:

authorization reverse-access default|list-name

where default and list-name are defined by the aaa authorization command.

Vulnerable systems: Any misconfigured Cisco access server with async ports is vulnerable. The most common usage for the application is 2511 models with octal cables. You will find them connected to server farms, backbone routers, etc. Routers running IOS versions prior to 11.3 are vulnerable. No configuration options are available to fix this.

The matter is more of knowledge and laziness than the fault of Cisco, but I think it should be part of security audits. Although a correct config will prevent this (with recent IOS), I believe most admins do not realize the hole is there.

Erik Mintz
emintz () staff mail com
732-516-2767
repoman () cbgb com
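As an added example, not from either message in this thread, the following Python script turns the two facts in Erik's post into a configuration audit a defender can run against saved IOS configs: async line N is reachable by reverse telnet on TCP port 2000+N of any address the router owns, and only the AAA reverse-access authorization (full IOS syntax: aaa authorization reverse-access {default | list-name} method1 [method2 ...]) puts the router's authentication in front of those ports. The two configs below are constructed for this page (hostnames and addresses are made up), and treating a numbered line block that lacks an explicit "transport input" as reachable is an assumption of the script, not something the post states.

```python
"""Audit an IOS access-server config for the reverse-telnet authentication
bypass described in the post. Example code written for this page; the sample
configs are constructed, not taken from any real device."""
import re
from dataclasses import dataclass, field

# Constructed sample: a 16-port access server (2511-style) with async lines
# open to reverse telnet and no reverse-access authorization.
WEAK_CONFIG = """\
hostname termsrv-weak
!
aaa new-model
aaa authentication login default local
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
line con 0
 login
line 1 16
 no exec
 transport input telnet
line vty 0 4
 login
!
end
"""

# Constructed sample: the same box with the fix from the post applied, using
# the local user database as the authorization method.
HARDENED_CONFIG = """\
hostname termsrv-ok
!
aaa new-model
aaa authentication login default local
aaa authorization reverse-access default local
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
line 1 16
 no exec
 transport input telnet
!
end
"""

REVERSE_ACCESS_RE = re.compile(r"^aaa authorization reverse-access\s+(\S+)")
LINE_RANGE_RE = re.compile(r"^line\s+(\d+)(?:\s+(\d+))?\s*$")  # numbered tty lines only


@dataclass
class Finding:
    hostname: str
    reverse_access_lists: list = field(default_factory=list)  # AAA lists guarding reverse access
    exposed_ports: list = field(default_factory=list)         # TCP ports mapped to async lines

    @property
    def vulnerable(self) -> bool:
        # Reverse-telnet ports reachable and no AAA authorization in front of them.
        return bool(self.exposed_ports) and not self.reverse_access_lists


def reverse_telnet_port(line_number: int) -> int:
    """Plain reverse-telnet port for an async line: 2000 + line number (line 1 -> 2001)."""
    return 2000 + line_number


def _line_blocks(config: str):
    """Return (first, last, [sub-commands]) for every numbered 'line N [M]' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            current[2].append(raw.strip())      # indented sub-command of the open block
            continue
        current = None
        m = LINE_RANGE_RE.match(raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2) or first)
            current = (first, last, [])
            blocks.append(current)
    return blocks


def audit_reverse_access(config: str) -> Finding:
    host = re.search(r"^hostname\s+(\S+)", config, re.MULTILINE)
    finding = Finding(hostname=host.group(1) if host else "unknown")
    for raw in config.splitlines():
        m = REVERSE_ACCESS_RE.match(raw)
        if m:
            finding.reverse_access_lists.append(m.group(1))
    for first, last, cmds in _line_blocks(config):
        transport = next((c.split()[2:] for c in cmds if c.startswith("transport input")), None)
        # Assumption: a block without an explicit 'transport input' is treated as
        # reachable; only 'transport input none' closes the line to reverse telnet.
        if transport == ["none"]:
            continue
        finding.exposed_ports.extend(reverse_telnet_port(n) for n in range(first, last + 1))
    return finding


def report(finding: Finding) -> str:
    status = "VULNERABLE" if finding.vulnerable else "ok"
    ports = (f"{finding.exposed_ports[0]}-{finding.exposed_ports[-1]}"
             if finding.exposed_ports else "none")
    return (f"{finding.hostname}: {status}; reverse-telnet ports {ports}; "
            f"reverse-access AAA lists: {finding.reverse_access_lists or 'none'}")


if __name__ == "__main__":
    for cfg in (WEAK_CONFIG, HARDENED_CONFIG):
        print(report(audit_reverse_access(cfg)))
```

Run against a directory of exported running-configs, the report line for each device tells you which TCP ports on that router lead straight to a console and whether any AAA list stands in front of them, which is exactly the gap the post describes admins overlooking.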
Current thread:
- [PEN-TEST] Cisco access server security bypass Erik Mintz (Sep 08)
- Re: [PEN-TEST] Cisco access server security bypass John (Sep 08)
- Re: [PEN-TEST] Cisco access server security bypass Erik Mintz (Sep 11)
- Re: [PEN-TEST] Cisco access server security bypass dannen harris (Sep 11)
- Re: [PEN-TEST] Cisco access server security bypass John (Sep 08)