Vulnerability Development
mailing list archives
Re: Cisco 677 oddity: Broadcasting to port 1999
From: Vladimir Kraljevich <vlaad () EMPRESARIUM COM>
Date: Mon, 14 Aug 2000 17:28:11 -0000
> Now, the interesting thing of course is: What would have happened if
> there was actually another Cisco router present that would answer to
> this broadcast. Would my ADSL router start sending traffic to the
> other router, or what is the purpose of this broadcast?
AFAIK, the purpose of this broadcast is just syslog, nothing more.
You can make it (if you have access to CBOS) point to an
arbitrary address on the net, sending those messages to an
arbitrary port on the listening machine.
Nobody in a normal situation should answer this message,
since it is dedicated to debugging purposes only, to show
administrators what is going wrong. Even if you try to
simulate a response from another "router", nothing should
happen. However, some reports reveal that in certain
circumstances you can bring down the Cisco 6xx (perhaps a few
other types, too) by flooding syslog.
/********* IMPORTANT??? ***********
From my experience, it is possible to nail a coffin to the
Cisco 677 with an ICMP request in which IPOPT_RR is set.
Someone, please confirm this.
I wrote to CCO, but they wanted my ID, SSN, dog's name,
mother's maiden name, photographs of my family, my
footprint, my fingerprints etc. to be able to submit this
information. I'm not in the mood to cooperate in that way
with someone who is responsible for dealing with his faults.
However, the public deserves to know :)
(from command line type:)
ping -r 9 216.32.74.55
**********************************/
Your traffic cannot be sent this way to anyone.
The thing you should really be worried about (check your
router with Nmap) is the existence of wide open TFTP, WWW and
telnet remote administration access points.
root>show broadcast
Directed_Broadcast Forwarding is currently enabled
root>show syslog
SYSLOG Configuration
Currently Enabled
Currently sends syslog information to yy.yy.yy.yy
Currently uses port xxxxx
root>show telnet
TELNET Configuration
Currently Enabled
Currently accepts connections only from yy.yy.yy.yy
Currently uses port xxxxx
Timeout is set to 3600
root>show web
WEB Configuration
Is not enabled
Currently accepts connections only from yy.yy.yy.yy
Currently uses port xxxxx
root>show tftp
TFTP Configuration
Is not enabled
Currently accepts connections only from yy.yy.yy.yy
Currently uses port 69
You can also use the "debug" command (undocumented for 677),
but only in privileged mode; it allows you to look closer
at what is going on.
<example from my CCO>
08/08/2000 02:50:19"734, 82 bytes from yy.yy.yy.yy
<03>000:15:23:15 TCP Alarm MTU value returned
by get_ip_mtu was zero
</example from my CCO>
Hope this helps.
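An added example, not part of the original post: a small Python check that reads pasted `show telnet` / `show web` / `show tftp` output in the layout quoted above and lists which remote administration services are enabled and from which source they accept connections. The sample session, its addresses and ports are constructed, and treating a missing "accepts connections only from" line as unrestricted is an assumption, since the post only shows the restricted form.

```python
import re

# Constructed sample in the layout of the CBOS session quoted in the post;
# addresses are placeholders from the 192.0.2.0/24 documentation range.
SAMPLE = """\
root>show telnet
TELNET Configuration
Currently Enabled
Currently uses port 23
root>show web
WEB Configuration
Is not enabled
Currently accepts connections only from 192.0.2.10
Currently uses port 80
root>show tftp
TFTP Configuration
Currently Enabled
Currently accepts connections only from 192.0.2.10
Currently uses port 69
"""

def parse_cbos(text):
    """Return {section: {"enabled", "allowed_from", "port"}} keyed by 'show' command."""
    sections, cur = {}, {}  # lines before the first prompt land in a throwaway dict
    for line in map(str.strip, text.splitlines()):
        cmd = re.match(r"\S*>\s*show\s+(\w+)", line)
        if cmd:
            cur = sections[cmd.group(1).lower()] = {
                "enabled": False, "allowed_from": None, "port": None}
        elif "enabled" in line.lower():
            cur["enabled"] = "not enabled" not in line.lower()
        elif m := re.search(r"only from (\S+)", line):
            cur["allowed_from"] = m.group(1)
        elif m := re.search(r"uses port (\S+)", line):
            cur["port"] = m.group(1)
    return sections

def audit(text, services=("telnet", "web", "tftp")):
    """List enabled remote-administration services and the source they accept."""
    cfg, findings = parse_cbos(text), []
    for name in services:
        svc = cfg.get(name)
        if svc is None:
            findings.append((name, "no output supplied"))
        elif svc["enabled"]:
            # Assumption: no "only from" line means no source filter is set.
            scope = svc["allowed_from"] or "ANY source"
            findings.append((name, f"enabled on port {svc['port']}, reachable from {scope}"))
    return findings
```

Calling `audit(SAMPLE)` reports telnet as reachable from any source and tftp as enabled but restricted to one address; a service whose `show` output was not pasted is reported as missing rather than silently passed.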