Penetration Testing mailing list archives
RE: SSH CRC-32 Compensation Attack Detector Vulnerability on CISCO routers
From: "Dario Ciccarone" <dciccaro () cisco com>
Date: Mon, 2 Jun 2003 14:23:28 -0300
It's not so easy on IOS . . . http://www.phrack.org/show.php?p=60&a=7
-----Original Message-----
From: Jeremy Junginger [mailto:jj () act com]
Sent: Monday, June 02, 2003 11:34 AM
To: pen-test
Subject: SSH CRC-32 Compensation Attack Detector Vulnerability on CISCO routers

Good Morning,

In conducting a penetration test on a "secured VLAN" implementation that uses 100% OOB management, I have come across an exciting find! There are several terminal servers (25xx and 26xx series) that are running a vulnerable version of code (12.2) per this list:

http://www.securityfocus.com/bid/2347

So, naturally, I wanted to take a look at the "proof of concept code" at:

http://downloads.securityfocus.com/vulnerabilities/exploits/ssh-exploit-diffs.txt

I'm sure many of you have run into this situation. You find a service or application that is known to be vulnerable, and the client says "show me the 'sploit.'" Normally, that's a great chance to show them what you're capable of. In this case, I told them it is vulnerable (in theory) but I have not seen an exploit for it.

My question is, have any of you guys played with this exploit on Cisco devices? I know that the shellcode would have to change (obviously from /bin/sh to some type of router compromising command like 'ip http server' or 'snmp community h4x0r RW' or something that would give you a nice level of access to the device). The really funny thing is that this exploit has been around so long, and I have yet to hear of someone smashing a router with it.

If you have gotten this to work on a Cisco device, let me know. If not, I am planning on setting up a target router running only ssh for you guys to bang on if you want. I can set up a 25xx, 26xx, or 71xx router for testing, so shoot me an email if you're interested.

-Jeremy