Home page logo
/

pen-test logo Penetration Testing mailing list archives

SSH CRC-32 Compensation Attack Detector Vulnerability on CISCO routers
From: "Jeremy Junginger" <jj () act com>
Date: Mon, 2 Jun 2003 07:33:53 -0700

Good Morning, 

In conducting a penetration test on a "secured VLAN" implementation that
uses 100% OOB management, I have come across an exciting find!  There
are several terminal servers (25xx and 26xx series) that are running a
vulnerable version of code (12.2) per this list:
http://www.securityfocus.com/bid/2347

So, naturally, I wanted to take a look at the "proof of concept code"
at:
http://downloads.securityfocus.com/vulnerabilities/exploits/ssh-exploit-
diffs.txt

I'm sure many of you have run into this situation.  You find a service
or application that is known to be vulnerable, and the client says "show
me the 'sploit.'"  Normally, that's a great chance to show them what
you're capable of.  In this case, I told them it is vulnerable (in
theory) but I have not seen an exploit for it.

My question is, have any of you guys played with this exploit on Cisco
devices?  I know that the shellcode would have to change (obviously from
/bin/sh to some type of router compromising command like 'ip http
server' or 'snmp community h4x0r RW' or something that would give you a
nice level of access to the device).  The really funny thing is that
this exploit has been around so long, and I have yet to hear of someone
smashing a router with it.  

If you have gotten this to work on a Cisco device, let me know.  If not,
I am planning on setting up a target router running only ssh for you
guys to bang on if you want.  I can set up a 25xx, 26xx, or 71xx router
for testing, so shoot me an email if you're interested.

-Jeremy

---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]