
defcom.catalyst.txt

Posted Nov 16, 2000
Authored by Defcom Labs | Site defcom.com

Defcom Labs Advisory def-2000-02 - The Cisco Catalyst 2900XL and 3500XL series switches web configuration interface lets any user execute any command on the system without supplying any authentication credentials if no enable password is set.

tags | web
systems | cisco
SHA-256 | fb3eb565b332a1d4716df6739f52f1c56170f54af3e8c1051420af084f828026

======================================================================
Defcom Labs Advisory def-2000-02

Cisco Catalyst remote command execution

Author: Olle Segerdahl <olle@defcom.com>
Release Date: 2000-10-26
======================================================================
------------------------=[Brief Description]=-------------------------
Under certain configurations the Catalyst 2900XL and 3500XL series
switches web configuration interface lets any user execute any command
on the system without supplying any authentication credentials.

------------------------=[Affected Systems]=--------------------------
Cisco Catalyst 2900XL and 3500XL series switches with no "enable" line
in the current configuration.

----------------------=[Detailed Description]=------------------------
Cisco Catalyst 3500 XL series switches have a webserver configuration
interface. This interface lets web users execute any command by
requesting the /exec location from the webserver. An example follows:
http://catalyst/exec/show/config/cr
This URL will show the configuration file, with all user passwords.

Normally a user will be prompted for authentication credentials, but
in certain configurations, no authentication is needed:

Consider this setup. A reasonably security-conscious administrator is
assigned responsibility for a number of Catalyst switches. Since this
type of device is relatively low in maintenance, he decides to create
just an "admin" user with full privileges in the configuration and
doesn't worry about setting an "enable" password. (The enable password
is used by a user with low privs to obtain a higher privilege level.)

Since he has (in his mind) adequately password protected the device
through all access means other than HTTP (telnet, serial, etc.) he may
think this is true for HTTP as well. His assumption is wrong.

-------------------------------=[Fix]=---------------------------------
Make sure an "enable" password is set for all Catalysts at all times.

Disable the web configuration interface completely with the following
configuration line: "no ip http server".
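
The following is an added example, not part of the Defcom advisory or any Cisco tool: a small offline audit that reads saved switch configurations and flags the condition described above (no global "enable" line while the web interface is not disabled). The sample config, the function names, and the rule that the HTTP server counts as enabled unless "no ip http server" is present are assumptions made for the example.

```python
import re

# Constructed sample running-config (not from a real device): a local
# "admin" user exists, but there is no global "enable" line.
BASE = """\
hostname sw-example
username admin privilege 15 password 0 constructed
!
interface VLAN1
 ip address 192.0.2.10 255.255.255.0
!
line vty 0 4
 login local
!
end
"""

def audit_config(text):
    """Check one IOS config for the condition described in def-2000-02."""
    enable_set = False
    http_disabled = False
    for raw in text.splitlines():
        # Global commands are unindented; skip sub-mode lines and blanks.
        if not raw or raw[0].isspace():
            continue
        line = raw.strip().lower()
        if re.match(r"enable\s+(secret|password)\s+\S", line):
            enable_set = True
        elif re.match(r"no\s+ip\s+http\s+server\s*$", line):
            http_disabled = True
    # Assumption: the web interface counts as enabled unless the config
    # explicitly contains "no ip http server".
    return {
        "enable_set": enable_set,
        "http_server": not http_disabled,
        "exposed": not enable_set and not http_disabled,
    }

def with_line(config, extra):
    """Insert a global command before the final 'end' (for the samples)."""
    return config.replace("end\n", extra + "\nend\n")

if __name__ == "__main__":
    samples = {
        "no enable, http on": BASE,
        "enable secret set": with_line(BASE, "enable secret 5 CONSTRUCTED"),
        "http disabled": with_line(BASE, "no ip http server"),
    }
    for name, cfg in samples.items():
        print(name, audit_config(cfg))
```

Run it over archived configurations for every 2900XL and 3500XL in the inventory; any config reported as "exposed" needs one of the two fixes listed above.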

--------------------------=[Vendor Status]=---------------------------
Vendor was notified on 2000-10-10.

On 2000-11-13 their official response was:

"This situation may be confusing since admins will be prompted for a
password when trying to telnet to the switch but will not be asked for
it when using the Web to access the switch.
All switches from 2900XL and 3500XL families share this behavior."

======================================================================
This release was brought to you by Defcom Labs

labs@defcom.com www.defcom.com
======================================================================