Date: Sun, 3 Jan 1999 00:55:22 +1100 From: Robert Thomas To: BUGTRAQ@netspace.org Subject: ACC's 'Tigris' Access Terminal server security vunerability.. ACC (link - http://www.acc.com ) have been aware of this flaw for 3 months now, so I'm not springing this on them unaware. Just so you know 8-) OS Versions up to (and including) 10.5.8 are vunerable to a 'lame-arsed coding' bug, which lets you display a (slightly censored) dump of the configuration, as well as letting you run -any- non-priviledeged command (== anything but changing the configuration) including the ability to telnet from the machine, ping other machines (bypassing firewalls, perhaps?), and basically letting people know what you don't really want them to know. After having a quick fiddle, I'm (guessing) that the login sequence runs like this: Print the string "Login:" Stick the string 'login ' into the input buffer, and wait for user to type either 'netman' or 'public', resulting in the command 'login netman' or 'login public' being sent to the OS, which will then prompt for a password. This gives you the ability to do the really difficult thing of pushing backspace several times, or, hitting ^U (delete to beginning of line) and running any of the commands (like, for example, 'show' which will dump the running configuration, with any passwords *'ed out) that can be accessed by the 'public' account. This includes: Dialin Numbers RADIUS Authentication/Accounting servers (minus passwords) OS Version IP Ranges BGP/RIP/OSPF filtering information Another problem that I've found is that the machines have an undocumented (that I could find) 'public' account, with a default password of 'public', which gives you the same information as you get with the ^U bug. The first time I found that out is in the email message sent from XSI (included below) To give both sides of the story, I hereby present an email message that I received from XSI (who are the Australian Distributors for the Tigris Access Server) in responce to a vague message from me on the Australian ISP list saying that I'd found a bug in the terminal server, and they should contact XSI for information on how to fix it. --snip-- Subject: Re: [Oz-ISP] Supposed Security Flaw Date: Thu, 10 Dec 1998 08:47:20 +0000 From: "Nathan Chan" To: tigris-list@iig.com.au CC: rob@rpi.net.au G'Day Guys, You may have recently seen a article in the Ausie ISP List saying that the Tigris has a security flaw. This isn't the case. Basically you can press Cntl U at the prompt and then type a command. eg show. However it is NOT a security flaw since if you can get to the login prompt of the Tigris you would get exactly the same thing if you logged in as username : Public, password : Public, which would a lot easier to work out than pressing Cntl U and anyone can do this!! Simply adding Access entries can easily stop anybody from Telneting to your box, and should be done on everyone's box anyway ! No-one other than management staff should be able to access the Tigris....1st rule of network protection. If someone can get to you prompt, Cntl U is the LEAST of your worries, since they can't do anything still :) Anyway, they are fixing this. Any questions let me know. Regards Nathan --snip-- I responded to this pointing out that that would not work if someone dialled into the terminal server, and sent source routed data to the terminal server, as (AFAIK, and I can find no docco on it either) you cannot explicitly block source routed data, and you are going through no firewall to get to the device. No responce as yet (sent on 12th October, 1998). Now, let me point out, I -like- the box. Whilst it's harder to configure than the Annex/Versalar Bay series of products (which just work 8-), it reliably holds 56k connections, seems very stable, and is considerably cheaper than the comparable 5399/8000 series from Bay. Apart from a few 'lame-arsed coding' bugs, it's a good box, and I've recommended it more than a few times. I honestly wouldn't be so worried if it didn't show the RADIUS servers, and the dialin numbers, as they are usually things you don't want every user to know. Whilst this is (obviously) security through obscurity, seeing packets wander around your network whilst x-lam3-haxx0r tries to locate your radius servers will give you a good tipoff that someone is up to no good, rather than just having a radius DoS flood sent to your server(s) without any warning because their location was handed to them on a silver platter. Anyway guys, hope you all have a good new year, and you've got your hourly rates set to quadruple for Y2K work! --Robert Thomas RP Internet Services "Will Geek for bandwidth. Don't care about food." [Note: I'm Australian. It's Arse, not Ass. An ass is a donkey 8-)] ---------------------------------------------------------------------------- Date: Mon, 4 Jan 1999 00:15:07 +0100 From: Patrik Backstrom To: BUGTRAQ@netspace.org Subject: Re: ACC's 'Tigris' Access Terminal server security vunerability.. On Sun, 3 Jan 1999, Robert Thomas wrote: I have almost daily contact with ACC's technicians, and i'll make sure they receive the information, first thing tomorrow morning. For now, a quick workaround is to restrict telnet access to only the hosts (or networks) which should be allowed access. Also, it's a good idea to restrict SNMP and HTTP access to the router. Issue the following commands: ADD ACCESS ENTRY 23 TELNET ADD ACCESS ENTRY 80 HTTP ADD ACCESS ENTRY 0 PUBLIC Regarding source routing, it's only enabled if you have a source routing entry for the physical port, like: ADD SR PORT ENTRY ETHERNET 1 J7.1 SET SR PORT STATE 1 ENABLED You can easily disable source routing for the port by typing SET SR PORT STATE DISABLED To check if you have source routing configuration in the box, type: SHOW SR Hope this helps. /pb [ Boycott Microsoft -- http://www.vcnet.com/bms ] ---------------------------------------------------------------------------- Date: Tue, 2 Feb 1999 09:49:05 +0100 From: Patrik Backstrom To: BUGTRAQ@netspace.org Subject: ACC Tigris fix: "public" access without logging in About a month ago, Robert Thomas reported a bug in the ACC Tigris router, where you issue "public access" commands to the Tigris >from remote, without having to login. I forwarded the mail to some ACC technicians. I havn't gotten a reply from them, but when i checked a list of fixes, i found: #PSR Fixed in 11.1.23.3: # 11010: Security Hole.. Public access without logging in. (Ptherio) I tried the bug on a box running 11.1.24, and you can no longer issue commands from the login prompt. The funny thing is - the 11.1.23.4 software is dated 12/20/98, which means the bug was fixed before the post to bugtraq. /pb [ Boycott Microsoft -- http://www.vcnet.com/bms ]