ACC's 'Tigris' Access Terminal server security vulnerability..

From: Robert Thomas (robat_private)
Date: Sat Jan 02 1999 - 05:55:22 PST


    ACC (link - http://www.acc.com ) have been aware of this flaw for 3 months
    now, so I'm not springing this on them unaware. Just so you know 8-)
    
    OS Versions up to (and including) 10.5.8 are vulnerable to a 'lame-arsed
    coding' bug, which lets you display a (slightly censored) dump of the
    configuration, as well as letting you run -any- non-privileged command (==
    anything but changing the configuration) including the ability to telnet from
    the machine, ping other machines (bypassing firewalls, perhaps?), and
    basically letting people know what you don't really want them to know.
    
    After having a quick fiddle, I'm (guessing) that the login sequence runs like
    this:
    
    Print the string "Login:"
    Stick the string 'login ' into the input buffer, and wait for user to type
    either 'netman' or 'public', resulting in the command 'login netman' or 'login
    public' being sent to the OS, which will then prompt for a password.  This
    gives you the ability to do the really difficult thing of pushing backspace
    several times, or, hitting ^U (delete to beginning of line) and running any of
    the commands (like, for example, 'show' which will dump the running
    configuration, with any passwords *'ed out) that can be accessed by the
    'public' account.
    
    This includes:
      Dialin Numbers
      RADIUS Authentication/Accounting servers (minus passwords)
      OS Version
      IP Ranges
      BGP/RIP/OSPF filtering information
    
    Another problem that I've found is that the machines have an undocumented
    (that I could find) 'public' account, with a default password of 'public',
    which gives you the same information as you get with the ^U bug. The first
    time I found that out was in the email message sent from XSI (included below).
    
    To give both sides of the story, I hereby present an email message that I
    received from XSI (who are the Australian Distributors for the Tigris Access
    Server) in response to a vague message from me on the Australian ISP list
    saying that I'd found a bug in the terminal server, and they should contact
    XSI for information on how to fix it.
    
    
    --snip--
    Subject: Re: [Oz-ISP] Supposed Security Flaw
      Date:  Thu, 10 Dec 1998 08:47:20 +0000
      From:  "Nathan Chan" <chanat_private>
        To:  tigris-listat_private
        CC:  robat_private
    
    
    G'Day Guys,
    
    You may have recently seen an article in the Aussie ISP List saying
    that the Tigris has a security flaw.  This isn't the case.
    
    Basically you can press Cntl U at the prompt and then type a command.
    eg show.   However it is NOT a security flaw since if you can get to
    the login prompt of the Tigris  you would get exactly the same thing
    if you logged in as username : Public, password : Public, which would be
    a lot easier to work out than pressing Cntl U and anyone can do
    this!!
    
    Simply adding Access entries can easily stop anybody from Telneting
    to your box, and should be done on everyone's box anyway !  No-one
    other than management staff should be able to access the
    Tigris....1st rule of network protection.
    
    If someone can get to your prompt, Cntl U is the LEAST of your
    worries, since they can't do anything still  :)
    
    Anyway, they are fixing this.
    
    Any questions let me know.
    
    Regards
    Nathan
    --snip--
    
    I responded to this pointing out that that would not work if someone dialled
    into the terminal server, and sent source routed data to the terminal server,
    as (AFAIK, and I can find no docco on it either) you cannot explicitly block
    source routed data, and you are going through no firewall to get to the
    device.  No response as yet (sent on 12th October, 1998).
    
    Now, let me point out, I -like- the box.  Whilst it's harder to configure than
    the Annex/Versalar Bay series of products (which just work 8-), it reliably
    holds 56k connections, seems very stable, and is considerably cheaper than the
    comparable 5399/8000 series from Bay. Apart from a few 'lame-arsed coding'
    bugs, it's a good box, and I've recommended it more than a few times.
    
    I honestly wouldn't be so worried if it didn't show the RADIUS servers, and
    the dialin numbers, as they are usually things you don't want every user to
    know. Whilst this is (obviously) security through obscurity, seeing packets
    wander around your network whilst x-lam3-haxx0r tries to locate your radius
    servers will give you a good tipoff that someone is up to no good, rather than
    just having a radius DoS flood sent to your server(s) without any warning
    because their location was handed to them on a silver platter.
    
    Anyway guys, hope you all have a good new year, and you've got your hourly
    rates set to quadruple for Y2K work!
    
    --Robert Thomas
    RP Internet Services
    "Will Geek for bandwidth. Don't care about food."
    
    [Note: I'm Australian. It's Arse, not Ass. An ass is a donkey 8-)]
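The login sequence guessed in the message above, modelled as an added example (not ACC's or XSI's code; the command table and function names are hypothetical stand-ins): the flawed prompt is the command interpreter itself with `login ` pre-stuffed into an editable buffer, so killing or backspacing over the prefix leaves an unauthenticated command to dispatch, while the hardened version reads the username as a plain data field that can never reach the command loop.

```python
# Added example modelling the guessed Tigris login flow; not ACC's code.
# The PUBLIC_COMMANDS table and the function names are hypothetical stand-ins.
KILL_LINE = "\x15"   # ^U: delete to beginning of line
BACKSPACE = "\x08"

def edit_line(prefill, keystrokes):
    """Simulate a line editor whose buffer already holds `prefill`."""
    buf = list(prefill)
    for ch in keystrokes:
        if ch == "\n":
            break
        if ch == KILL_LINE:
            buf.clear()
        elif ch == BACKSPACE:
            if buf:
                buf.pop()
        else:
            buf.append(ch)
    return "".join(buf)

# Constructed stand-in for the 'public'-level command set described in the post.
PUBLIC_COMMANDS = {"show": "running config (passwords ***ed out)", "ping": "ICMP echo"}

def vulnerable_login_prompt(keystrokes):
    """Flaw: the prompt is the command interpreter with 'login ' pre-stuffed.

    Whatever is left in the buffer after the user kills or backspaces over the
    prefix is dispatched as an unauthenticated 'public'-level command."""
    line = edit_line("login ", keystrokes)
    words = line.split()
    if words and words[0] == "login":
        return ("login", words[1] if len(words) > 1 else "")
    if words and words[0] in PUBLIC_COMMANDS:
        return ("command", PUBLIC_COMMANDS[words[0]])
    return ("error", "unknown command")

def hardened_login_prompt(keystrokes):
    """Fix: read the username as a data field, outside the command loop.

    Line editing still works, but the result can only ever be a username;
    command dispatch is unreachable until authentication has succeeded."""
    username = edit_line("", keystrokes).strip()
    if not username or not username.isalnum():
        return ("rejected", "bad username")
    return ("login", username)
```

The same keystrokes that yield a configuration dump from the flawed prompt are just treated as an odd username by the hardened one, which is the property a login handler should have regardless of how the 'public' account is later locked down.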
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:04 PDT