[nsp] telnet exploit on 3550 ?

Everett Dowd edowd at cox.net
Thu Dec 4 10:47:26 EST 2003


If you are running an older version of IOS on the 3500 you may have this
vulnerability.  However, we also turn off the web interface to the switch
because of the problems associated with http and IOS...

http://www.cisco.com/en/US/customer/products/products_security_advisory09186a00800b1393.shtml

Everett



-----Original Message-----
From: Jim Devane [mailto:jim at powerpulse.cc] 
Sent: Wednesday, December 03, 2003 8:54 PM
To: 'Everett Dowd'
Cc: cisco-nsp at puck.nether.net
Subject: RE: [nsp] telnet exploit on 3550 ?

Agreed.

However, I am wondering if anyone else has seen this duplicated: that sending an
HTTP Get that is excessively long or malformed will allow access to the
switch and subsequently stop the telnet daemon.

My TACACS server DENIED the request but the user still showed logged in.
Precisely at the time the user got in, the telnet service died (WhatsUp
Gold was monitoring it).

I doubt the user was ever actually in the switch, but there is no doubt that
his logins/attempts crashed the telnetd.

I was just wondering if anyone else had seen this type of behavior?

(and I mean BESIDES the poor operational behavior of not having the ACL
applied with the access-class command)

Thanks,
Jim


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everett Dowd
Sent: Wednesday, December 03, 2003 5:39 PM
To: cisco-nsp at puck.nether.net
Subject: RE: [nsp] telnet exploit on 3550 ?

You need to restrict who can connect via telnet using ACLs. TACACS
restrictions don't do the same thing as the vty ACLs. I would restrict
where you can telnet to your 3550s to a very select group of IPs...


YMMV

Everett


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jim Devane
Sent: Wednesday, December 03, 2003 6:24 PM
To: 'Dmitri Kalintsev'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] telnet exploit on 3550 ?

D- 

I doubt it. 

They would have had to beat TACACS and we restrict TACACS responses from IP.

A reboot did clear it but I am concerned about the future.

Thanks,
Jim


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dmitri Kalintsev
Sent: Wednesday, December 03, 2003 2:25 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [nsp] telnet exploit on 3550 ?

Jim,

Somebody just guessed your password and got in. Also by the look of things
they have done what you should have done in the first place - created a vty
ACL to keep you out of it. Simple reboot won't help you much, I'm afraid.
You'll have to go through the password recovery procedure, via console
cable.

SY,

-- D.K.

On Mon, Dec 01, 2003 at 12:51:03PM -0800, Jim Devane wrote:
> All,
...

> However, is there a known exploit against telnet that is known? Below are
> the RSH attempts and the TACACS log of what happened and the "sh use" I
> cannot clear this line in my switch
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
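
Added example, not part of the thread or written by any of its participants: a small audit that checks a Cisco IOS-style configuration for the two hardening points raised above, an inbound access-class on every vty line and a disabled HTTP server. The sample configuration, the function name audit_config and the finding strings are constructed for illustration, and the check assumes "ip http server" appears explicitly in the configuration text when the server is enabled.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
hostname sw-lab
ip http server
access-list 10 permit 192.0.2.0 0.0.0.255
line con 0
line vty 0 4
 access-class 10 in
 login
line vty 5 15
 login
end
"""

# Matches numbered ("access-list 10 ...") and named ("ip access-list standard MGMT") ACLs.
ACL_DEF = re.compile(r"(?:ip access-list \S+|access-list) (\S+)")


def audit_config(text):
    """Return findings for vty lines lacking an inbound ACL and for an enabled HTTP server."""
    findings, acls, vty_blocks, current = [], set(), [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():  # indented: sub-command of the current block
            if current is not None:
                current[1].append(line.strip())
            continue
        current = None
        if line.startswith("line vty"):
            current = (line, [])
            vty_blocks.append(current)
        elif line == "ip http server":
            findings.append("HTTP server enabled")
        match = ACL_DEF.match(line)
        if match:
            acls.add(match.group(1))
    for header, cmds in vty_blocks:
        applied = [m.group(1) for c in cmds
                   if (m := re.fullmatch(r"access-class (\S+) in", c))]
        if not applied:
            findings.append(f"{header}: no inbound access-class")
        elif applied[-1] not in acls:
            findings.append(f"{header}: access-class {applied[-1]} is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Each vty range is checked separately because an ACL applied only to "line vty 0 4" leaves the remaining vty lines reachable from any source address.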