
| Subject: | [NEWS] Cisco MARS Default Administrative Password |
|---|---|
| Date: | 15 Jan 2006 19:17:14 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Cisco MARS Default Administrative Password
------------------------------------------------------------------------

SUMMARY

Cisco Security Monitoring, Analysis and Response System (CS-MARS) is "a security system that receives event logs from various network devices, correlates and analyzes the received data for security problems and reports the findings. In addition, CS-MARS can perform automated tasks to mitigate security problems. All CS-MARS appliances ship with a default password set for the undocumented administrative account root".

Successful exploitation of the vulnerability in CS-MARS will result in an attacker gaining full administrative privileges on the CS-MARS device.

DETAILS

Vulnerable Systems:
* CS-MARS version 4.1.2 and prior

Immune Systems:
* CS-MARS version 4.1.3

The Cisco Security Monitoring, Analysis and Response System (CS-MARS) software contains a default password for an undocumented administrative account. This password is set, without any user intervention, during installation of the software used by CS-MARS appliances, and is the same in all installations of the product. Users must be authenticated to the CS-MARS command line in order to use the default password to access the administrative account.

This privileged account is intended to be used only by authorized Cisco development engineers for advanced debugging purposes. No direct remote access to the root account is permitted. In order to access a privileged system shell, users must first successfully log in to the CS-MARS system administration command line interface with the "pnadmin" account. Once authenticated, the root account can be accessed with the undocumented command "expert".

Prior to CS-MARS version 4.1.3, users have no method to modify the root password. CS-MARS versions 4.1.3 and later provide the command "passwd expert", which allows users to modify a portion of the root password, providing additional security. The selected user password is combined with a Cisco-controlled component to form a new root password. After performing this step, neither Cisco personnel nor the user can access the root account without knowledge of both components used to create the root password. When authorized Cisco development engineers need access to the root account for advanced debugging, both Cisco and the user will need to enter their portion of the configured root password to enable access.

Workaround:

To verify the version of CS-MARS software, use an SSH client to log in to the system administration command line interface with the pnadmin account and execute the version command.

```
prompt$ ssh pnadmin@192.168.1.1
pnadmin@192.168.1.1's password:
Last login: Fri Dec 30 15:19:14 2005 from 192.168.1.2

CS MARS - Mitigation and Response System
? for list of commands

[pnadmin]$ version
4.1.2 (2042)
```

The vulnerability described in this advisory can be mitigated by first upgrading the software on CS-MARS appliances to version 4.1.3 and then using the "passwd expert" command to modify the root password. CS-MARS appliances can be upgraded via the HTTPS management interface or the system administration command line. Please refer to the CS-MARS product documentation for instructions on how to upgrade the software. While the documentation refers to CS-MARS 4.x versions, the instructions are also applicable to CS-MARS 3.x versions.

http://www.cisco.com/en/US/products/ps6241/products_installation_guide_chapter09186a00804c4db4.html#wp1133308

Once a CS-MARS appliance is upgraded to version 4.1.3, the root password can be modified using the "passwd expert" command. Using an SSH client, log in to the CS-MARS system administration interface with the "pnadmin" account and use the "passwd expert" command to select a new password. The selected password must be at least six characters long.

```
prompt$ ssh pnadmin@192.168.1.1
pnadmin@192.168.1.1's password:
Last login: Fri Dec 30 19:45:51 2005 from 192.168.1.2

CS MARS - Mitigation and Response System
? for list of commands

[pnadmin]$ passwd expert
New password:
Retype new password:
```

ADDITIONAL INFORMATION

The information has been provided by Cisco Systems <mailto:psirt@cisco.com>.

The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20060111-mars.shtml

========================================
This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
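The workaround above boils down to two checks an operator has to run across every appliance: is the release earlier than 4.1.3 (no way to change the root password at all), and if not, has "passwd expert" actually been run? The following Python is an added example, not code from Cisco or SecuriTeam. It parses the release string the `version` command prints (the advisory shows the format "4.1.2 (2042)") and sorts an inventory of appliances into remediation buckets. The hostnames and the captured `version` outputs in the sample inventory are constructed for illustration; the example takes already-captured output as text rather than opening SSH sessions itself.

```python
import re
from typing import Dict, List, Optional, Tuple

# Release that introduced "passwd expert" (from the advisory).
FIXED_VERSION = (4, 1, 3)

# The CS-MARS "version" command prints the release, then the build in
# parentheses, e.g. "4.1.2 (2042)". The build part is treated as optional.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:\((\d+)\))?\s*$")

Release = Tuple[int, int, int]


def parse_mars_version(output: str) -> Optional[Tuple[Release, Optional[int]]]:
    """Parse captured output of the CS-MARS 'version' command.

    Returns ((major, minor, patch), build) or None when the text does not
    look like a version string (e.g. a prompt or error was captured instead).
    """
    m = _VERSION_RE.match(output)
    if not m:
        return None
    release: Release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    build = int(m.group(4)) if m.group(4) else None
    return release, build


def is_vulnerable(output: str) -> Optional[bool]:
    """True if the appliance runs a release earlier than 4.1.3, False if it is
    4.1.3 or later, None if the version could not be determined."""
    parsed = parse_mars_version(output)
    if parsed is None:
        return None
    return parsed[0] < FIXED_VERSION


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group appliances by the remediation step still required.

    'upgrade_then_passwd_expert': pre-4.1.3, must be upgraded first.
    'verify_passwd_expert_run':   4.1.3+, but the version alone cannot tell
                                  whether the root password was changed, so
                                  that still has to be confirmed per box.
    'unknown':                    version output unrecognised; re-collect.
    """
    buckets: Dict[str, List[str]] = {
        "upgrade_then_passwd_expert": [],
        "verify_passwd_expert_run": [],
        "unknown": [],
    }
    for host, output in sorted(inventory.items()):
        state = is_vulnerable(output)
        if state is None:
            buckets["unknown"].append(host)
        elif state:
            buckets["upgrade_then_passwd_expert"].append(host)
        else:
            buckets["verify_passwd_expert_run"].append(host)
    return buckets


# Constructed sample inventory: hostname -> captured "version" output.
SAMPLE_INVENTORY = {
    "mars-dc1.example.net": "4.1.2 (2042)\n",        # release shown in the advisory
    "mars-dc2.example.net": "4.1.3 (2100)\n",        # constructed build number
    "mars-branch.example.net": "3.4.1 (1500)\n",     # constructed 3.x release
    "mars-lab.example.net": "? for list of commands\n",  # wrong output captured
}


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Releases are compared as integer tuples rather than strings so that "4.1.10" would sort after "4.1.3"; the build number is parsed but deliberately not used in the comparison, since the advisory fixes the boundary at the release level.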