[11261] in bugtraq
Re: Cisco 675 password nonsense
daemon@ATHENA.MIT.EDU (Francis Bodie)
Thu Aug 5 06:31:26 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <AEEF94298C10D311B5A000A024B359E14601EE@imager9.spaceimaging.com>
Date: Tue, 3 Aug 1999 09:24:39 -0600
Reply-To: Francis Bodie <BFrancis@SPACEIMAGING.COM>
From: Francis Bodie <BFrancis@SPACEIMAGING.COM>
X-To: DeMoNx <demonx@SLACK.NET>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is all true, and shows one of the security issues with bringing
broadband access to the uneducated user.
Since this is sort of related, I had to do a password recovery on a 675,
which is an undocumented procedure (or at least not in the manual).
To recover the password you do the following steps:
1. Reboot the Cisco 675
2. Access the device through the serial console (Speed: 34000, 8, N, 1)
3. Issue the break command, <CTRL>-C
4. The Cisco 675 should display a prompt =>
5. Issue the command: ES 6 (Erase Page? 6)
6. Issue the command: M0 (Turn off monitor mode.)
7. Issue the command: go
8. The modem should reboot, with exec and ena passwords removed.
*NOTE: You will also lose your entire config.
Apparently the whole ROM monitor mode on the 675 is
a bit strange, most likely due to it being a former NetSpeed product.
Bodie
<DISCLAIMER>Views expressed here are not those of Space
Imaging.</DISCLAIMER>
> -----Original Message-----
> From: DeMoNx [mailto:demonx@SLACK.NET]
> Sent: Saturday, July 31, 1999 2:58 PM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Cisco 675 password nonsense
>
>
> (First of all please forgive me if you disapprove of my use of the word
> router. I just think it's a bit more appropriate term than 'modem' for the
> hardware being discussed.)
>
> Is your DSL router an open book???
>
> When a certain long distance provider/isp in my area began forcefully
> switching all non-business/special adsl accounts over to using PPP rather
> than bridging mode for 'security reasons', I got a little suspicious. With
> bridging mode enabled on a Cisco 675, one used to be able to hook up
> seemingly limitless machines (provided you have the hubs), to one dsl
> connection using dhcp. Now with PPP, your dhcp server becomes
> 10.10.10.0...your 675, which in turn uses dhcp or ipcp to handle
> traffic between itself and your isp....blah blah blah etc.
>
> My point is, with all this wonderfully confusing hubbub, many people I'm
> sure are pulling their hair out trying to fathom the first 5 pages of the
> 'CBOS Users Guide', trying in vain to set up their dsl to avoid paying $90
> to the guys that will end up coming to their house and setting it up for
> them. The problem is, *most* of these guys don't set passwords on the
> 675's. It is very simple to compromise an unpassworded 675. Simply hit
> 'enter' at the password prompt after telnetting in, if you get a cbos>
> prompt you are half way there, NOT GOOD. If there is no exec mode password
> set, then there most likely won't be an enable (superuser) mode password
> either. So, at this prompt you simply type 'enable' and hit enter twice.
> If you are in enable mode, your prompt will change to the # symbol, and
> you have full access to all the router's settings. ISP's are letting this
> happen, people are buying this technology without any knowledge that they
> may be at this kind of risk. Below is a log of one such Cisco 675. The
> ip's and hostnames have been changed to protect the irresponsible *and*
> the uninformed.
>
> ---
>
>
> $telnet adslppp93.lame.isp.net
> Trying 296.161.127.93...
> Connected to adslppp93.lame.isp.net.
> Escape character is '^]'.
>
> User Access Verification
> Password: (Just hit enter, whoa! No password!)
>
> cbos>enable (with just 8 keystrokes full access is given)
>
> Password:
>
> cbos#stats ppp (Hmm, whose 675 is this?)
>
> VC      VPI/VCI  STATE         MRU   USERNAME  RADIUS    TX      RX
> wan0-0  01/01    Opened State  2048  poorsap   disabled  358673  358956
>
> cbos#exit
> Connection closed by foreign host.
>
> now, to change these passwords (the easiest way of securing the router)
>
> type 'enable' hit enter to enter administration mode
>
> then type 'set password exec clear NEWPASSWORD exec' to keep em out
>
> and then 'set password enable clear NEWPASSWORD enable' to change the
> superuser password.
>
> This is what the person who set up the 675 *SHOULD* have done prior to
> leaving the jobsite.
>
> Bill Watts
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2
iQA/AwUBN6cKI2TMguO+vON8EQLN5gCePv90Igjn6r6OFk5fPSwxIGhM160An2gt
FwdHlGjPN2AKYsw3kVN+blIq
=+GE5
-----END PGP SIGNATURE-----