From: Damir RajnovicTo: BUGTRAQ@SECURITYFOCUS.COM Subject: Re: Bug in Cisco CBOS v2.3.0.053 Date: Fri, 20 Apr 2001 20:55:55 +0100 Hello, At 13:11 20/04/2001 -0600, pedersen@netguide.dk wrote: >I had doing a "sh nat" with a very long listing in one telnet session. > >When I telnetted from another machine, the c677 switched output to >that connection before prompting for password. > >The listing would continue in whatever telnet window had the last >keypress. Also seemd to screw up something on the first terminal. > >I see this as a serious security flaw. We can confirm that this is indeed true. This behavior has been reported to us, prior this posting, by Knud Erik Højgaard. We are working on a fix for this. To the best of our knowledge, this trick can be performed only by using this command, "sh nat". Apparently, this can not be reproduced by any other command, most notably "sh conf" can not be exploited this way. Even this current behavior is not acceptable but, it seems so, one can not grab the router's configuration this way. In addition to this, please note that you can only see the output from the first session. The second session is not logged in and you can not execute any commands in it (unless you actually log in). Also, only output of a single command is displayed and all subsequent commands will be displayed in the right session (unless you trigger this vulnerability with "sh nat" again). Regards, Gaus ============== Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems <http://www.cisco.com/warp/public/707/sec_incident_response.shtml> Phone: +44 7715 546 033 4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB ============== There is no insolvable problems. Question remains: can you accept the solution?