Re: [PEN-TEST] Cisco access server security bypass
From: John <john () RED-LAN NET>
Date: Sat, 9 Sep 2000 00:10:59 +0100
I'm not sure I'm missing the point somewhere. Are you saying that telnetting
to the router's loopback:2001 will give you access different than say
ethernet:2001 or IP addresses assigned with the alias command?
I wonder if you could give a configuration example of an incorrectly
----- Original Message -----
From: "Erik Mintz" <emintz () STAFF MAIL COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, September 08, 2000 5:16 PM
Subject: [PEN-TEST] Cisco access server security bypass
Cisco access server security bypass
Cisco routers configured as terminal servers with async connections to
system consoles can be configured for local security with any normal
authentication method available (local password, TACACS, etc.), requiring
users to login to the router and give a common password before they are
allowed to connect to the host on the other end of the async cable. After
login to the router, you can telnet, or 'connect', to the desired hosts.
The router controls connections by a port number/async line/IP address
association, such as async line 1 connected to your Sun console =
10.10.10.1:2001. You can bypass the router's authentication by opening a
telnet session directly to the router's lo0/assigned port.
Of course, this only gets you to the password prompt for the connected
device, however, most people do not realize the router will allow you to
bypass the authentication at the router, and may be in the habit of
the console open to skip a seemingly redundant authentication process
nobody here of course, but I have found many root prompts on the other end
of these terminal servers everywhere from the public 'net to "secure"
Because admins know they need to give a password at the router, they may
less concerned about the console. Find them by scanning ports 2000+, and
searching for the string "open", which is enumerated on successful
connection. There is also an option to disable the "open" string, so you
should also look for shell prompts.
Cisco has a configuration option to fix this on routers running IOS
11.3T and higher, by adding AAA to the lines. Configuration is:
authorization reverse-access default|list-name
where default and list-name are defined by aaa authorization command.
Any misconfigured Cisco access server with async ports is vulnerable.
common usage for the application are 2511 models with octal cables. You
find them connected to server farms, backbone routers, etc.
Routers running IOS versions prior to 11.3 are vulnerable. No
options available to fix.
The matter is more of knowledge and laziness than the fault of Cisco, but
think it should be part of security audits. Although a correct config will
prevent this (with recent IOS), I believe most admins do not realize the
hole is there.
emintz () staff mail com
repoman () cbgb com
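The post above describes two conditions an auditor needs to check on a Cisco terminal server: whether the IOS train is older than 11.3 (no fix available) and, on newer code, whether `aaa authorization reverse-access` has been added so that the reverse-telnet ports (2000+) are subject to AAA. The following audit script is an added example for this archive page, not code from Cisco or from either poster. It runs over constructed config text; the three sample configs, the hostnames, and the `local` authorization method keyword are assumptions for illustration (the real command takes `default` or a list name followed by a method, as the post says).

```python
"""Audit a Cisco IOS running-config for the reverse-telnet (TCP 2000+)
authentication bypass discussed in the post.

Example code for this archive page; not from Cisco or the original poster.
The configs below are constructed samples, not from any real device.
"""
import re

# Constructed sample: old IOS train, async lines 1-8, no fix possible.
VULNERABLE_OLD_IOS = """\
version 11.2
hostname termsrv-old
!
line 1 8
 login
 password 7 0822455D0A16
 transport input telnet
"""

# Constructed sample: new enough IOS, AAA on the lines, but the
# reverse-access authorization command from the post is missing.
MISSING_REVERSE_ACCESS = """\
version 12.0
hostname termsrv-noaaa
!
aaa new-model
aaa authentication login default local
!
line 1 8
 login authentication default
 transport input telnet
"""

# Constructed sample: the fix from the post applied ('local' is an
# assumed method keyword; a TACACS+ method list is the usual choice).
HARDENED = """\
version 12.0
hostname termsrv-ok
!
aaa new-model
aaa authentication login default local
aaa authorization reverse-access default local
!
line 1 8
 login authentication default
 transport input telnet
"""

FIX_AVAILABLE_FROM = (11, 3)  # post: fix exists on 11.3T and higher


def ios_version(config):
    """Return (major, minor) from the 'version X.Y' header, or None."""
    m = re.search(r'^version\s+(\d+)\.(\d+)', config, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None


def async_line_blocks(config):
    """Numeric 'line N' / 'line N M' blocks are the async (octal cable) lines;
    con/aux/vty blocks are excluded because they use keywords, not numbers."""
    return [(int(a), int(b) if b else int(a))
            for a, b in re.findall(r'^line\s+(\d+)(?:\s+(\d+))?\s*$', config, re.M)]


def has_reverse_access_authz(config):
    """True if 'aaa authorization reverse-access <default|list> ...' is present."""
    return re.search(r'^aaa authorization reverse-access\s+\S+', config, re.M) is not None


def audit(config):
    """Return a list of finding strings; an empty list means no issue found."""
    findings = []
    lines = async_line_blocks(config)
    if not lines:
        return findings  # no async lines, so no reverse-telnet ports to protect
    ports = ", ".join(f"{2000 + lo}-{2000 + hi}" for lo, hi in lines)
    ver = ios_version(config)
    if ver is not None and ver < FIX_AVAILABLE_FROM:
        findings.append(
            f"IOS {ver[0]}.{ver[1]} predates 11.3: reverse-telnet ports {ports} "
            "cannot be protected by AAA; filter TCP 2000+ upstream instead")
    elif not has_reverse_access_authz(config):
        findings.append(
            f"no 'aaa authorization reverse-access' configured: ports {ports} "
            "bypass line login; add the reverse-access authorization command")
    return findings


if __name__ == "__main__":
    for name, cfg in [("old", VULNERABLE_OLD_IOS),
                      ("noaaa", MISSING_REVERSE_ACCESS),
                      ("ok", HARDENED)]:
        print(name, audit(cfg) or "OK")
```

The version check mirrors the post's split: below 11.3 the only control is network-level, so the finding points there rather than at a config line; on newer code the presence of the single global command decides the result, and the port range is derived from the `line N M` block because the post's 2000 + line-number mapping is what a scanner would be probing.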