Penetration Testing mailing list archives

Re: [PEN-TEST] Cisco access server security bypass


From: Erik Mintz <emintz () STAFF MAIL COM>
Date: Mon, 11 Sep 2000 09:56:18 -0400

It's for access servers using any dial or async configuration; the async
lines have ports associated with the line number.
Sorry, no configs. Some notes found on Cisco's site:
http://www.cisco.com/warp/public/76/9.html#reverse_telnet
http://www.cisco.com/warp/public/779/smbiz/service/troubleshooting/ts_async.htm

-Erik

----- Original Message -----
From: "John" <john () RED-LAN NET>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, September 08, 2000 7:10 PM
Subject: Re: [PEN-TEST] Cisco access server security bypass


| Hi Erik,
|
| I'm not sure I'm missing the point somewhere. Are you saying that
| telnetting to the router's loopback:2001 will give you access different than say
| ethernet:2001 or IP addresses assigned with the alias command?
|
| I wonder if you could give a configuration example of an incorrectly
| configured Cisco?
|
| Thanks
|
| John
|
|
| ----- Original Message -----
| From: "Erik Mintz" <emintz () STAFF MAIL COM>
| To: <PEN-TEST () SECURITYFOCUS COM>
| Sent: Friday, September 08, 2000 5:16 PM
| Subject: [PEN-TEST] Cisco access server security bypass
|
|
| > Cisco access server security bypass
| >
| > Cisco routers configured as terminal servers with async connections to
| > system consoles can be configured for local security with any normal
| > authentication method available (local password, TACACS, etc.),
| > requiring users to log in to the router and give a common password before they are
| > allowed to connect to the host on the other end of the async cable.
| > After login to the router, you can telnet, or 'connect', to the desired hosts.
| >
| > The router controls connections by a port number/async line/IP address
| > association, such as async line 1 connected to your Sun console =
| > 10.10.10.1:2001. You can bypass the router's authentication by opening a
| > telnet session directly to the router's lo0/assigned port.
| >
| > Of course, this only gets you to the password prompt for the connected
| > device; however, most people do not realize the router will allow you to
| > bypass the authentication at the router, and may be in the habit of
| > leaving the console open to skip a seemingly redundant authentication process
| > (well, nobody here of course, but I have found many root prompts on the other
| > end of these terminal servers everywhere from the public 'net to "secure"
| > LANs).
| > Because admins know they need to give a password at the router, they may
| > be less concerned about the console. Find them by scanning ports 2000+, and
| > searching for the string "open", which is enumerated on successful
| > connection. There is also an option to disable the "open" string, so you
| > should also look for shell prompts.
| >
| >
| > Cisco has a configuration option to fix this on routers running IOS
| > versions 11.3T and higher, by adding AAA to the lines. Configuration is:
| > authorization reverse-access default|list-name
| >
| > where default and list-name are defined by the aaa authorization command.
| >
| >
| > Vulnerable systems:
| >
| > Any misconfigured Cisco access server with async ports is vulnerable.
| > The most common usage for the application is 2511 models with octal cables. You
| > will find them connected to server farms, backbone routers, etc.
| > Routers running IOS versions prior to 11.3 are vulnerable. No
| > configuration options are available to fix this.
| >
| > The matter is more one of knowledge and laziness than the fault of Cisco,
| > but I think it should be part of security audits. Although a correct config
| > will prevent this (with recent IOS), I believe most admins do not realize the
| > hole is there.
| >
| > Erik Mintz
| > emintz () staff mail com
| > 732-516-2767
| > repoman () cbgb com
| >
|
|
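An added defender-side check, not code from the thread or from Cisco: a small Python auditor that parses a constructed IOS-style configuration, maps numeric async `line` ranges to the 2000+N reverse telnet ports Erik describes, and reports them when no `aaa authorization reverse-access` statement (the 11.3T+ fix from the thread) is present. The host name, addresses, line range and the `group tacacs+` method are assumptions.

```python
import re

# Constructed sample (hypothetical host name, address and line range): a 2511-style
# terminal server whose async lines 1-16 are reverse telnet targets on TCP 2001-2016.
WEAK_CONFIG = """\
hostname ts-lab
aaa new-model
aaa authentication login default local
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
line 1 16
 login authentication default
 transport input telnet
"""
# Same box with the thread's fix added as a global AAA statement (method is an assumption).
FIXED_CONFIG = WEAK_CONFIG.replace("interface Loopback0\n",
    "aaa authorization reverse-access default group tacacs+\ninterface Loopback0\n")
LINE_RANGE = re.compile(r"^line (\d+)(?: (\d+))?$")  # numeric async lines, not con/aux/vty

def async_line_blocks(config):
    """Return (first, last, indented body) for every 'line N [M]' block in the config."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith(" "):               # indented line belongs to the open block
            if current is not None:
                current[2].append(raw.strip())
            continue
        m = LINE_RANGE.match(raw)
        current = (int(m.group(1)), int(m.group(2) or m.group(1)), []) if m else None
        if current:
            blocks.append(current)
    return blocks

def reverse_telnet_ports(config):
    """TCP ports 2000+N exposed by reverse telnet: async lines that accept telnet input."""
    ports = []
    for first, last, body in async_line_blocks(config):
        if any(b.startswith("transport input") and ("telnet" in b or "all" in b) for b in body):
            ports.extend(range(2000 + first, 2000 + last + 1))
    return ports

def audit(config):
    """Report reverse telnet ports that skip the line login because no reverse-access AAA exists."""
    ports = reverse_telnet_ports(config)
    authz = any(l.startswith("aaa authorization reverse-access") for l in config.splitlines())
    finding = None
    if ports and not authz:
        finding = "ports %d-%d reachable without router authentication" % (ports[0], ports[-1])
    return {"exposed_ports": ports, "reverse_access_authorization": authz, "finding": finding}
```

Run `audit()` over a saved `show running-config`; the weak sample reports 2001-2016 as unguarded, while the fixed sample reports no finding.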

