RE: Cisco device HTTP exploit...

From: Thornton, Simon (Simon)** CTR ** (sthorntoat_private)
Date: Thu Jul 05 2001 - 07:01:12 PDT


    Another 2 cents worth ...
    
    Test platforms: Cisco 3620, IOS 12.0.7
                    Cisco 1603, IOS 12.0.3
                    Catalyst 7xxx
    
    > http://169.254.0.15/level/42/exec/show%20conf
    
    This exploit only seems to work (for me) if I DON'T set up 'aaa' on the router or switch, using just the default local authentication.  With aaa enabled, you get an authorization failure and are prompted to log on.
    
    A general aside on this type of vulnerability, which is applicable to most network assets:
    As with telnet or SNMP, access to the http management interface should be very stringently controlled, at the very least by strong authentication and by the use of ACLs to restrict who has access via which interfaces. Normally only a limited number of people require management access to a network device, which makes it easier to control.  In one company I worked with, the only devices able to access the http/telnet interface of the router were the HPOV machines (all other access blocked by ACL). An authorised user would first logon to the management machine and then use either netscape/lynx or telnet to manage the network devices. The logon authentication for the routers/switches was then handled using radius.
    
    Before anyone comments, yes, I know, this is far from perfect and it has many security issues of its own. The aim of the approach was to centralise device access control and logging, not to create a proper out-of-band management system.
    
    
    
    Rgds,
    
    Simon
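The two controls the message recommends, an access list in front of the HTTP/telnet interfaces and AAA for login, written out as an IOS configuration fragment. This is an added example, not configuration from the original message or from Cisco; the management-station address 10.1.1.5, the RADIUS server 10.1.1.6, access-list number 10, the user name and the key/password strings are placeholders chosen here. The "weak" stanza reproduces the state the message describes (HTTP server on, default authentication, no ACL); the "hardened" stanza is what the HPOV-only arrangement in the message looks like on the device.

```cisco
! ---- Weak: the state in which the message reports the bypass working ----
! HTTP server enabled, default authentication (the enable password),
! no access list, so anyone who can reach the box can request
! /level/42/exec/show%20conf.
ip http server
ip http authentication enable

! ---- Hardened ----
! 1. Only the management host may talk to the management interfaces.
!    The deny/log line records anything else that tries.
access-list 10 permit host 10.1.1.5
access-list 10 deny   any log

! 2. Central authentication via RADIUS, with the local user database as
!    fallback only when the RADIUS server does not answer (so a dead
!    server does not lock you out of the device).
!    Note: 12.0 mainline spells the method list as below; releases with
!    server groups (12.0(5)T and later) use "group radius" instead of "radius".
aaa new-model
aaa authentication login default radius local
radius-server host 10.1.1.6 key RadiusSharedKeyPlaceholder
username fallback privilege 15 password 0 FallbackPasswordPlaceholder

! 3. HTTP: if nobody needs it, turn it off (preferred) ...
no ip http server
! ... otherwise keep it, but bind it to the access list and to AAA so the
!     level/NN/exec path gets a real authorization decision rather than
!     the local-authentication shortcut. Use one of the two, not both.
ip http server
ip http access-class 10
ip http authentication aaa

! 4. Telnet: same access list on the VTY lines, same AAA method list.
line vty 0 4
 access-class 10 in
 login authentication default
 transport input telnet

! 5. SNMP: read-only, and the community is bound to the same access list.
snmp-server community CommunityPlaceholder RO 10
```

The access list reduces exposure but does not remove the bug: a request from the permitted host still hits the same code path, which is why the ACL is paired with AAA (the configuration under which the message reports an authorization failure instead of a config dump) and why disabling the HTTP server is listed first. After applying it, check from a non-management address that telnet and HTTP connections are refused and that the deny line increments in "show access-lists 10".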
    



    This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 08:18:21 PDT