[20367] in bugtraq
Re: Bug in Cisco CBOS v2.3.0.053
daemon@ATHENA.MIT.EDU (Damir Rajnovic)
Sun Apr 22 14:13:46 2001
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-ID: <4.2.0.58.20010420202601.0717f220@amsterdam.cisco.com>
Date: Fri, 20 Apr 2001 20:55:55 +0100
Reply-To: Damir Rajnovic <gaus@CISCO.COM>
From: Damir Rajnovic <gaus@CISCO.COM>
X-To: Elias Levy <aleph1@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010420131107.T26987@securityfocus.com>
Content-Transfer-Encoding: 8bit
Hello,

At 13:11 20/04/2001 -0600, pedersen@netguide.dk wrote:
>I was doing a "sh nat" with a very long listing in one telnet session.
>
>When I telnetted from another machine, the c677 switched output to
>that connection before prompting for password.
>
>The listing would continue in whatever telnet window had the last
>keypress. Also seemed to screw up something on the first terminal.
>
>I see this as a serious security flaw.

We can confirm that this is indeed true. This behavior has been reported
to us, prior to this posting, by Knud Erik Højgaard.

We are working on a fix for this. To the best of our knowledge, this
trick can be performed only by using this command, "sh nat". Apparently,
this can not be reproduced by any other command, most notably "sh conf"
can not be exploited this way. Even this current behavior is not
acceptable but, it seems so, one can not grab the router's configuration
this way.

In addition to this, please note that you can only see the output from
the first session. The second session is not logged in and you can not
execute any commands in it (unless you actually log in). Also, only
output of a single command is displayed and all subsequent commands
will be displayed in the right session (unless you trigger this
vulnerability with "sh nat" again).

Regards,
Gaus
==============
Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
Phone: +44 7715 546 033
4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
==============
There are no insolvable problems. Question remains: can you
accept the solution?