[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] lucent router gives root

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] lucent router gives root
From: nathan aguirre <nabiy@xxxxxxxxxxxxx>
Date: Sun, 21 Sep 2003 13:13:37 +0000

There appears to be a design flaw in an Ascend / Lucent MAX TNT Router that 
allows root access.  I have sent this to lucent, they have forwarded it to the 
'approriate software team'.  This bug does not seem to be a misconfiguration as 
the terminal server often works correctly.  It would be interesting to see if 
this also works agains other version of the IOS.  

Here is an example of this vulnerability that can be found online:
http://www.tek-tips.com/gviewthread.cfm/lev2/8/lev3/58/pid/547/qid/626101

[in TERMINAL-SERVER]
enabled = yes
security-mode = full
modem-configuration = { will-v42 33600-max-baud -13-db-mdm-trn-level no
-18-db-+
**********************************************************************
here a connection is made and the Terminal Server presents a Login Prompt
**********************************************************************
terminal-mode-configuration = { no yes "" "***  Pulaski Networks  ***"
"Login: +
immediate-mode-options = { none no "" 0 }
menu-mode-options = { no no no "" "" telnet 0 "" "" "" telnet 0 "" ""
""
telnet+
ppp-mode-configuration = { yes 5 no session-ppp }
slip-mode-configuration = { no no basic-slip no }
dialout-configuration = { no no 5000 "" none }

And something changed but still no luck.  This time wvdial shows :
***********************************************************************
here a connection made to the same Terminal Server but no Login Prompt is 
presented
***********************************************************************
Aug  7 12:04:22 fw wvdial[4441]: Sending: fmota
Aug  7 12:04:23 fw wvdial[4441]: fmota
Aug  7 12:04:23 fw wvdial[4441]: Password:
Aug  7 12:04:23 fw wvdial[4441]: Looks like a password prompt.
Aug  7 12:04:23 fw wvdial[4441]: Sending: (password)
************************************************************************
instead of a login prompt the root prompt is given - root access is gained.
************************************************************************
Aug  7 12:04:24 fw wvdial[4441]: ascend%
************************************************************************
this problem has been overlooked because wvdial and other programs do not 
report this, instead wvdial continues to try with ppp negotion, but fails:
**************************************************************************
Aug  7 12:04:24 fw wvdial[4441]: Hmm... a prompt.  Sending "ppp".
Aug  7 12:04:25 fw wvdial[4441]: ppp
Aug  7 12:04:25 fw wvdial[4441]: Requested Service Not Authorized 
**************************************************************************
Access to the root prompt can easily be obtained through the use of a terminal 
client, such as minicom or Hyperterminal.  Often, the router will correctly 
present a login prompt.  When this occurs one only needs to disconnect quickly 
and redial to gain root.  This has been tested against an Ascend / Lucent MAX 
TNT router running IOS version 8.0.1.

other online examples that could be related to this vulnerability:
https://lists.csociety.org/pipermail/plug/2000-October/003328.html
http://lists.debian.org/debian-user/2000/debian-user-200010/msg02081.html

nathan aguirre
nabiy@xxxxxxxxxxxxx






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: RE: [spam] Re: [Full-Disclosure] Verisign abusing .COM/.NET monopoly, BIND releases new
Next by Date: Re: [Full-Disclosure] RE: Symantec wants to criminalize security info sharing
Previous by thread: [Full-Disclosure] [SECURITY] [DSA-389-1] New ipmasq packages fix insecure packet filtering rules
Next by thread: [Full-Disclosure] Snort and SourceFire Compromised
Index(es):
- Date
- Thread