From:	 Damir Rajnovic 
To:	 BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Bug in Cisco CBOS v2.3.0.053
Date:	 Fri, 20 Apr 2001 20:55:55 +0100

Hello,

At 13:11 20/04/2001 -0600, pedersen@netguide.dk wrote:
>I had doing a "sh nat" with a very long listing in one telnet session.
>
>When I telnetted from another machine, the c677 switched output to 
>that connection before prompting for password.
>
>The listing would continue in whatever telnet window had the last 
>keypress. Also seemd to screw up something on the first terminal.
>
>I see this as a serious security flaw.

We can confirm that this is indeed true. This behavior has been reported
to us, prior this posting, by Knud Erik Højgaard.

We are working on a fix for this. To the best of our knowledge, this
trick can be performed only by using this command, "sh nat". Apparently,
this can not be reproduced by any other command, most notably "sh conf"
can not be exploited this way. Even this current behavior is not 
acceptable but, it seems so, one can not grab the router's configuration
this way.

In addition to this, please note that you can only see the output from 
the first session. The second session is not logged in and you can not 
execute any commands in it (unless you actually log in). Also, only 
output of a single command is displayed and all subsequent commands 
will be displayed in the right session (unless you trigger this 
vulnerability with "sh nat" again). 

Regards,

Gaus

==============
Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
Phone: +44 7715 546 033
4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
==============
There is no insolvable problems. Question remains: can you 
accept the solution?