[scg-sec] Telnet Vulnerability
Battles, Timothy A (Tim), ALABS
tmbattles at att.com
Thu Aug 26 14:48:34 EDT 2004
Oh, and clear line vty x will not work. It must be a clear tcp.
>-----Original Message-----
>From: Jared Mauch [mailto:jared at puck.nether.net]
>Sent: Thursday, August 26, 2004 1:43 PM
>To: Battles, Timothy A (Tim), ALABS
>Cc: scg-sec at puck.nether.net
>Subject: Re: [scg-sec] Telnet Vulnerability
>
>
> so if there is a vty acl, we're safe, or semi-safe (ie: hosts in the acl only that can do 3-way).
>
> - jared
>
>On Thu, Aug 26, 2004 at 02:39:19PM -0400, Battles, Timothy A (Tim), ALABS wrote:
>>
>> Cisco Day1 VTY Vulnerability
>>
>> We have recently by accident discovered the following.
>>
>> After completing a 3-Way handshake with IOS and sending a Window size of 0, the VTY handler becomes confused
>> and will not allow other sessions to become established, SYN-ACKS will be received from the router.
>>
>> In order to clear the session a
>>
>> clear tcp tcb xxxxxxxx
>> clear tcp line x
>> clear tcp line vty x
>>
>>
>> needs to be issued.
>>
>>
>> Some clarifiers
>> This affects both telnet and ssh.
>> The packet cannot be spoofed.
>> This is IOS only. Day 1
>>
>>
>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>> Timothy A Battles
>> AT&T IP Network Security Group
>> Work: (314)770-3326
>> Cell: (314)280-4578
>> Fax: (314)770-9568
>> Email: tmbattles at att.com
>> 12976 Hollenberg Drive
>> Bridgeton, MO 63044-2407
>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>--
>Jared Mauch | pgp key available via finger from jared at puck.nether.net
>clue++; | http://puck.nether.net/~jared/ My statements are only mine.
>