
[Full-disclosure] CAT6500 accessible via 127.0.0.x loopback addresses

Subject: [Full-disclosure] CAT6500 accessible via 127.0.0.x loopback addresses
Date: Wed, 26 Sep 2007 14:17:18 -0400

Lee E Rian/TCO/HQ/BOC wrote on 08/29/2006 01:49:40 PM:

I found something interesting w/ the cat6000s - telnet 127.0.0.11
gets you into the switch & telnet 127.0.0.12 gets you into the router

% snmpget 127.0.0.11 sysDescr.0
RFC1213-MIB::sysDescr.0 = STRING: "Cisco Systems WS-C6509.Cisco
Catalyst Operating System Software, Version 5.5(18).Copyright (c)
1995-2002 by Cisco Systems."

    <.. snip ..>

I'm trying to figure out if that opens us up to something or not.


Yes, the date is correct - it was a bit over a year ago when I wrote a
co-worker about the problem.  And it did open us up to an attacker gaining
access to the router or switch; I sent a msg to Cisco PSIRT the same day.

Cisco has documented the fix in the release notes
  (e.g.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm#wp3511819)
but it's buried in the release notes and how many people will a) read the
release notes and b) realize the implications?  So while I agree with Cisco
about this being a low to moderate vulnerability, that's only if one
realizes that the various line cards in a catalyst 6500 are accessible via
127.0.0.xx addresses from the network.  At least in my mind, this is on the
same level as routers accepting snmp sets to 255.255.255.255, {network, 0}
and {network, -1} ... a minor issue as long as you realize that it is
possible to access the router/switch that way.

Mitigating factors:
- an attacker would still need to know/guess the snmp community string or
userid/password
- only the first cat6000 with an MSFC in the path can be accessed this way

As an example of 'only the first MSFC in the path', the path from one of
our remote offices to a data center is
 cat6500 with a supervisor 2 card (no MSFC)
 cisco 2800 router
 cisco 7200 router
 cat6500 with a SUP720 in slot 5
Anyone in that remote office would have been able to access the data center
cat6500 by sending traffic to 127.0.0.51.



I would like to thank Ilker Temir of Cisco for his professionalism and many
courtesies extended to me while working on this issue.

Lee Rian
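The message above describes management traffic that reaches a Catalyst 6500 line card because packets addressed to 127.0.0.x are accepted from the network, and compares it to routers answering on 255.255.255.255 and on the {network, 0} / {network, -1} addresses. The script below is an added example, not part of Lee Rian's message and not Cisco tooling: it scans a batch of flow records for exactly those destination addresses arriving from a non-loopback source, i.e. the traffic a defender would want an edge ACL or a flow monitor to catch. It goes slightly beyond the post in that it covers all four address classes the post names, not only 127.0.0.0/8. The `src=... dst=...` record format, the addresses and the local subnet are all constructed for the example and are not a real NetFlow or syslog layout.

```python
"""Flag traffic addressed to a router or switch through an address it should
never answer to from the network: the 127.0.0.0/8 loopback range, the limited
broadcast 255.255.255.255, and the {network, 0} / {network, -1} addresses of
the device's own subnets.

Input is a list of flow records in a constructed 'key=value' format
(src=... dst=... proto=... dport=...). This is not a real NetFlow or syslog
format; it only carries enough structure to demonstrate the check.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify_destination(dst: str, local_networks: Iterable[str]) -> Optional[str]:
    """Return why `dst` should not be reachable from the network, or None if
    it is an ordinary unicast address. `local_networks` are CIDR strings for
    the subnets configured on the device (constructed for this example)."""
    addr = ipaddress.ip_address(dst)
    if addr in LOOPBACK_NET:
        return "loopback (127.0.0.x) reached from the network"
    if addr == LIMITED_BROADCAST:
        return "limited broadcast 255.255.255.255"
    for cidr in local_networks:
        net = ipaddress.ip_network(cidr)
        if addr == net.network_address:
            return f"network address {{{net}, 0}}"
        if addr == net.broadcast_address:
            return f"directed broadcast {{{net}, -1}}"
    return None


def parse_flow(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value key=value ...' flow record."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        if key and value:
            fields[key] = value
    return fields


def find_suspicious_flows(lines: Iterable[str],
                          local_networks: Iterable[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line_number, src, dst, reason) for every record whose destination
    should have been filtered at the network edge. Records that originate on
    the device itself (src inside 127/8) are skipped: the concern is packets
    arriving *from the network* with such a destination. Malformed records
    and unparseable addresses are skipped rather than treated as hits."""
    local = list(local_networks)
    hits: List[Tuple[int, str, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        fields = parse_flow(line)
        src, dst = fields.get("src"), fields.get("dst")
        if not src or not dst:
            continue
        try:
            if ipaddress.ip_address(src) in LOOPBACK_NET:
                continue
            reason = classify_destination(dst, local)
        except ValueError:
            continue  # not an IP address; nothing to check
        if reason is not None:
            hits.append((lineno, src, dst, reason))
    return hits


# Constructed sample records; the remote office is 192.168.40.0/24 and the
# data-centre cat6500 has 10.10.5.0/24 configured on it (both invented).
SAMPLE_FLOWS = [
    "src=192.168.40.17 dst=127.0.0.51 proto=tcp dport=23",      # telnet to a line card via loopback
    "src=192.168.40.17 dst=10.10.5.1 proto=tcp dport=22",       # ordinary management session
    "src=192.168.40.22 dst=127.0.0.11 proto=udp dport=161",     # snmp to the switch via loopback
    "src=192.168.40.22 dst=255.255.255.255 proto=udp dport=161",
    "src=192.168.40.30 dst=10.10.5.255 proto=udp dport=161",    # {network, -1}
    "src=192.168.40.30 dst=10.10.5.0 proto=udp dport=161",      # {network, 0}
    "src=127.0.0.1 dst=127.0.0.12 proto=tcp dport=23",          # local to the box; skipped
    "garbage line with no fields",
]
LOCAL_NETWORKS = ["10.10.5.0/24"]

if __name__ == "__main__":
    for lineno, src, dst, reason in find_suspicious_flows(SAMPLE_FLOWS, LOCAL_NETWORKS):
        print(f"record {lineno}: {src} -> {dst}: {reason}")
```

Run as a script it lists five of the eight constructed records; the same classification can be expressed as an ingress filter on the network-facing interface, which is where the post's mitigating factors (knowing a community string or login) stop being the only line of defence.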





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
