[17295] in bugtraq


CISCO IOS 12.1.4 Security Hole

daemon@ATHENA.MIT.EDU (Mike Bressem)
Mon Oct 23 12:29:36 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.SGI.4.10.10010221750300.5150-100000@schlumpf.bressem.com>
Date:         Sun, 22 Oct 2000 17:54:33 +0200
Reply-To: Mike Bressem <mb@IMSC.NET>
From: Mike Bressem <mb@IMSC.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

Hi there,

Today I upgraded my Cisco 1003 to IOS 12.1(4). The funny thing is that my
access list on the BRI is no longer working. Take a look at the config and
see for yourself:

interface BRI0
 ip unnumbered Ethernet0
 ip access-group 101 in
 no ip redirects
 no ip proxy-arp
 encapsulation ppp
 no logging event link-status
 no keepalive
 dialer idle-timeout 240
 dialer wait-for-carrier-time 300
 dialer map ip XXX name XXX XXX
 dialer hold-queue 100 timeout 120
 dialer-group 1
 no snmp trap link-status
 isdn switch-type basic-net3
 isdn caller XXX
 isdn incoming-voice data
 compress stac
 ppp authentication chap
 ppp chap hostname XXX
 hold-queue 100 in
 hold-queue 100 out
!

access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain 213.178.0.0 0.0.0.31
access-list 101 permit tcp any eq ftp-data 213.178.0.0 0.0.0.31
access-list 101 permit tcp host 213.178.0.34 host 213.178.0.1 eq 22
access-list 101 permit tcp host 213.178.0.34 host 213.178.0.30 eq telnet
access-list 101 permit gre host 213.178.0.34 213.178.0.0 0.0.0.31
access-list 101 permit gre host 193.242.95.5 213.178.0.0 0.0.0.31
access-list 101 permit udp any 213.178.0.0 0.0.0.31 gt 1023
access-list 101 deny   ip any any log



I can ping my laptop behind the router from the outside. ACL 101 is no
longer working after the upgrade.


regards,
mike


Mike Bressem                            Internet Management GmbH
============                            Hauptstr. 40
                                        35745 Herborn - Germany
"Fate, it seems, is not                 Telefon +49 2772 4723 - 0
without a sense of irony"               Telefax +49 2772 4723 - 29

PGP Fingerprint : 6F 24 75 C4 AE 55 CB E0  F2 E8 D6 DB 35 37 9F EC
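
Added example (not part of the original post, and not Cisco code): a minimal first-match evaluator for the access-list 101 lines quoted above. It shows that, with the list enforced inbound, an ICMP echo request from outside to a host in 213.178.0.0 0.0.0.31 matches no permit entry and ends at the final deny line, so a ping that succeeds indicates the list is not being applied. The outside address 192.0.2.10 and the laptop address 213.178.0.20 are assumptions, and the evaluator handles only the keywords this ACL uses.

```python
from ipaddress import IPv4Address as IP

# ACL 101 as quoted in the post, with the "access-list 101" prefix dropped.
ACL_101 = """\
permit tcp any any established
permit udp any eq domain 213.178.0.0 0.0.0.31
permit tcp any eq ftp-data 213.178.0.0 0.0.0.31
permit tcp host 213.178.0.34 host 213.178.0.1 eq 22
permit tcp host 213.178.0.34 host 213.178.0.30 eq telnet
permit gre host 213.178.0.34 213.178.0.0 0.0.0.31
permit gre host 193.242.95.5 213.178.0.0 0.0.0.31
permit udp any 213.178.0.0 0.0.0.31 gt 1023
deny ip any any log
"""
PORTS = {"domain": 53, "ftp-data": 20, "telnet": 23}  # IOS port keywords used above

def _endpoint(tok):
    """Consume one address spec and an optional port operator from tok."""
    t = tok.pop(0)
    if t == "any":
        base, wild = 0, 0xFFFFFFFF
    elif t == "host":
        base, wild = int(IP(tok.pop(0))), 0
    else:
        base, wild = int(IP(t)), int(IP(tok.pop(0)))  # address + wildcard mask
    op = port = None
    if tok and tok[0] in ("eq", "gt"):
        op, name = tok.pop(0), tok.pop(0)
        port = PORTS.get(name) or int(name)
    return base, wild, op, port

def _hit(ep, addr, port):
    base, wild, op, want = ep
    addr_ok = (int(IP(addr)) | wild) == (base | wild)  # wildcard bits are "don't care"
    port_ok = op is None or (port is not None and (port == want if op == "eq" else port > want))
    return addr_ok and port_ok

def evaluate(pkt, acl=ACL_101):
    """Return (action, line) for the first matching entry; IOS evaluates top-down."""
    for line in acl.splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _endpoint(tok), _endpoint(tok)
        if proto not in ("ip", pkt["proto"]) or ("established" in tok and not pkt.get("ack_or_rst")):
            continue  # wrong protocol, or "established" without ACK/RST
        if _hit(src, pkt["src"], pkt.get("sport")) and _hit(dst, pkt["dst"], pkt.get("dport")):
            return action, line
    return "deny", "(implicit deny)"
# Constructed packet: 192.0.2.10 (outside host) and 213.178.0.20 (laptop) are assumed.
PING = {"proto": "icmp", "src": "192.0.2.10", "dst": "213.178.0.20"}
```

Calling evaluate(PING) returns the deny entry; the same function can be fed other constructed packets to confirm what the list should pass before and after an IOS upgrade.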
