[14864] in bugtraq
Re: Possible issue with Cisco on-line help?
daemon@ATHENA.MIT.EDU (Lisa Napier)
Wed May 10 21:14:42 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <4.2.0.58.20000508173724.08f34e70@twoguys>
Date: Tue, 9 May 2000 13:30:13 -0700
Reply-To: Lisa Napier <lnapier@CISCO.COM>
From: Lisa Napier <lnapier@CISCO.COM>
X-To: Fernando Montenegro <fsmontenegro@INAME.COM>,
BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000504120430.17546.qmail@securityfocus.com>
Hi Fernando,
I confirmed this behavior, and found some history on why we did things this way.
The original intent of showing a limited subset of commands at the "show ?" help command was to simplify the command line help subsystem. When a user typed the command "show ?", we intended to provide them a list of only the most used and useful commands at that level.
To allow customers to see all the commands available at that level, the command "terminal full-help" was implemented in October of 1993.
The intent was not security related at all, but simply an attempt to provide only the 'useful' commands to the users who were supposed to be at that prompt and at that level, rather than having them scroll through several screens of available but not very useful commands.
So, rather than being an inadvertent mistake in the parser, this is actually how the product was designed.
I will be updating our white papers on securing routers to include the recommendation of setting the default user privilege level to 0, and ensuring that only commands that are explicitly permitted to be run by un-enabled users are set to priv level 0.
Thanks much for your work on this, Fernando,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
At 12:04 PM 05/04/2000 +0000, Fernando Montenegro wrote:
>Hi!
>
>I have received information from Matti Saarinen
><mjs@cc.tut.fi> explaining how the on-line help can be
>configured to show all the commands available (see below).
>
>This explains the apparent lack of authorization control
>over the "show" options.
>
>It seems that the only issue left is that there is so much
>information available from the non-enabled account. I would
>think that, on account of that, the recommendation for
>"jailing" the user still applies, though.
>
>Cheers,
>Fernando
>
>
>Extracts from the message received from Matti Saarinen
><mjs@cc.tut.fi> :
>
> > Router2>show ?
> >   backup      Backup status
> >   cef         Cisco Express Forwarding
> >   clock       Display the system clock
> >   dialer      Dialer parameters and statistics
> >   flash:      display information about flash: file system
> >   history     Display the session command history
> >   ...
> > Notice that we did not see an "access-lists" option, so the
> > help system thinks we should not be able to run it...
> Yes, you cannot normally see access-lists option in
> the output of the help system.
>router>sh ?
> alps Alps information
> atm ATM information
> backup Backup status[cut]
>
> But when you enable full help the access-lists option is there
> with many others:
>router>terminal full-help
>router>sh ?
> access-expression List access expression
> access-lists List access lists
> adjacency Adjacent nodes
> aliases Display alias commands
> alps Alps information
> arp ARP table
> async Information on terminal lines used as router interfaces
> atm ATM information
> backup Backup status
> And the privilege level was 1 the whole time:
>router>sh priv
>Current privilege level is 1
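The point of the thread is that the abbreviated "show ?" listing is a usability feature, not an authorization boundary: the privilege level of the line decides what an un-enabled user can run. The audit script below is an added example, written for this archive page and not code from Cisco, Lisa Napier or the original posters. It scans a Cisco IOS running-config for the recommendation in the reply above (default user privilege level 0, with only explicitly permitted commands moved to level 0). It assumes standard IOS syntax: `privilege exec level N <command>` at global level and `privilege level N` under a `line` stanza are real IOS commands, the default level for a line without that setting is 1, and the two sample configs, the stanza parser and the `audit_privileges` function are constructed here for illustration.

```python
import re

# Constructed sample configs (not from the thread): a vty line left at the
# IOS default privilege level 1, and one that follows the recommendation.
WEAK_CONFIG = """\
line vty 0 4
 login local
 transport input telnet
!
"""

HARDENED_CONFIG = """\
privilege exec level 0 show version
privilege exec level 0 show clock
privilege exec level 15 show access-lists
line vty 0 4
 login local
 privilege level 0
 transport input ssh
!
"""

IOS_DEFAULT_LINE_LEVEL = 1  # a line with no 'privilege level' command is level 1


def parse_stanzas(config):
    """Split an IOS config into (header, [indented child lines]) stanzas.

    Lines starting with a space belong to the most recent unindented header;
    blank lines and '!' separators are dropped.
    """
    stanzas = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):
            if stanzas:
                stanzas[-1][1].append(line.strip())
        else:
            stanzas.append((line.strip(), []))
    return stanzas


def audit_privileges(config):
    """Return (findings, level0_commands).

    findings: one message per 'line ...' stanza whose effective privilege
    level is 1 or higher, since every command at that level is runnable
    there whether or not the abbreviated 'show ?' help lists it.
    level0_commands: exec commands explicitly moved down to level 0, i.e.
    the allow-list an un-enabled user on a level-0 line is meant to have.
    """
    findings = []
    level0 = []
    for header, children in parse_stanzas(config):
        m = re.match(r"privilege exec level (\d+) (.+)$", header)
        if m:
            if int(m.group(1)) == 0:
                level0.append(m.group(2))
            continue
        if header.startswith("line "):
            levels = [c for c in children if c.startswith("privilege level ")]
            level = int(levels[-1].split()[-1]) if levels else IOS_DEFAULT_LINE_LEVEL
            if level >= 1:
                findings.append(
                    f"{header}: effective privilege level {level}; "
                    f"unenabled users can run every level-{level} command, "
                    f"including those hidden from the abbreviated 'show ?' list"
                )
    return findings, sorted(level0)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings, level0 = audit_privileges(cfg)
        print(f"[{name}] findings={findings} level0={level0}")
```

Run against the weak sample, the script reports the vty line at level 1 and an empty level-0 allow-list; against the hardened sample it reports nothing and lists `show clock` and `show version` as the only commands an un-enabled user may run. The check deliberately ignores help output altogether, which is the lesson of the thread: `terminal full-help` only changes what is displayed, so a review of what un-enabled users can do has to read privilege levels, not "show ?".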