cisco.help

17 May 2000. Reported by Fernando Montenegro. Type: packetstorm. Source: packetstormsecurity.com

Unprivileged users can access sensitive Cisco router information through the online help system.


Code

Hello!

We came across a curious behavior on a number of Cisco routers, tied to the way the on-line help system presents options. It seems that, even though a regular (non-"enabled") user should not be able to see the access-lists or other security-related information in the router, one can do just that. The online help system doesn't list the commands as being available, but out of 75 extra "show" options that are available in "enable" mode (on a 12.0(5) 3640), only 13 were actually restricted.

It seems that this has been known, to the point of being mentioned in some classes as an "insider trick", but when we looked up vulnerabilities for Cisco routers we couldn't find any reference to this. I hope that this helps document the issue and the workaround (see below).

Issue: Significant security-related information (such as access-lists) can be retrieved by an unprivileged user logged on to a Cisco router. While the on-line help system leads administrators to think that such information is not available, it is possible to obtain important information from the router.

Impact: Users with local, non-privileged, session access (such as junior administration staff telnetting to the router) can have access to sensitive information.

Workaround: a security-conscious Cisco router configuration should perform the following actions:
- set the default privilege level for access lines to 0 (rather than leave it at 1, the default)
- using "privilege exec", specify which commands a user at level 0 can use

This will severely restrict the options a non-enabled user will have, thereby implementing a "default deny" stance on the router itself. Given the recent interest in Cisco routers (check Phrack 55 and 56), it seems to be a sensible thing to do.

Cisco's Product Security Incident Response Team has confirmed the issue and approved the recommended workaround.

A more verbose description can be found below. Thanks to Claudio Silotto ([email protected]) for help on discovering this and to Lisa Napier, from Cisco Security, for the feedback.

Cheers,
Fernando Montenegro
[email protected]
--

Routers tested: 2500, 2600, 3600, 4000, 7200, 7500 series, running IOS 9.14, 11.1(21) (Distributed Director), 11.2(x) and 12.0(x). Some were tested on the local console, some over Telnet. We recently tested PIX 4.x, and found it was NOT vulnerable.

A regular user will log on with privilege level equal to 1. This can be shown by running "show privilege" after logging on the router. For example:

```
User Access Verification

Username: joeuser
Password: <password>
Router2>sh priv
Current privilege level is 1
Router2>
```

Now, if we try to get a list of all possible "show" commands, by doing "show ?", we get:

```
Router2>show privilege
Current privilege level is 1
Router2>show ?
  backup     Backup status
  cef        Cisco Express Forwarding
  clock      Display the system clock
  dialer     Dialer parameters and statistics
  flash:     display information about flash: file system
  history    Display the session command history
  ...
```

Notice that we did not see an "access-lists" option, so the help system thinks we should not be able to run it...

However,

```
Router2>show privilege
Current privilege level is 1
Router2>show access-lists
Standard IP access list 10
    permit 172.16.0.1
    deny   any
Extended IP access list eth0-IN
    permit udp host 172.16.0.1 10.11.12.0 0.0.0.255 eq snmp (14982 matches)
    permit udp host 172.16.0.1 10.11.13.128 0.0.0.127 eq snmp (4026 matches)
```

So, we can see the configuration, even though we shouldn't. We can't alter it, but even seeing the access-list is beneficial to an attacker.

Upon further testing on a 3640 running IOS 12.0(5), we got the following results:
- We found 75 "show" commands that are supposed to be available only in enable mode. Meaning: the difference between "show ?" in enabled and disabled mode was these 75 commands.
- Out of 75, only 13 were truly restricted. The other 62 were available to be viewed by a session in a disabled mode.
- Out of the 62 that were viewable, we counted 7 as being potentially very dangerous. "show ip" is one of them, as well as "show cdp", "show logging", "show cdp", "show vlans". There are others, but I don't have my list with me right now.
- By combining "show ip" and "show access-lists" we had a very clear picture of how access-lists were distributed in the router.

One way to solve the issue is to require more privilege to run the show command. This can be accomplished by the following configuration command:

```
privilege exec level 15 show
```

Another, more efficient way is to have users log in at level 0, as opposed to "1". Then, one needs to specify which commands will be "downgraded" to level 0. By doing this, we're "jailing" the user at level 0, leaving him/her only the commands we specifically downgraded.
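As an added example (not part of the advisory and not Cisco's own tooling), a small Python audit that reads an IOS running-config and reports whether the workaround described above is in place: whether each `line` block sets `privilege level 0`, which commands were downgraded with `privilege exec level 0`, and whether the whole `show` tree was raised to level 15. Both configs are constructed samples, and the check assumes privilege is set per line block rather than per username.

```python
import re

# Constructed sample configs (not taken from the advisory): the first is left
# at the IOS defaults, the second applies the advisory's "default deny" workaround.
WEAK_CONFIG = """\
line con 0
line vty 0 4
 login local
"""

HARDENED_CONFIG = """\
privilege exec level 0 show privilege
privilege exec level 0 exit
privilege exec level 15 show
line con 0
 privilege level 0
line vty 0 4
 privilege level 0
"""

def audit_privilege_config(config_text):
    """Report access lines still at the default level, commands downgraded to
    level 0, and whether 'show' was raised to 15 (line-level settings only)."""
    lines_at_default, level0_cmds, show_raised = [], [], False
    current_line, line_has_level0 = None, False
    for raw in config_text.splitlines():
        if current_line and raw.startswith(" "):  # sub-command of a 'line' block
            if raw.strip() == "privilege level 0":
                line_has_level0 = True
            continue
        if current_line and not line_has_level0:  # block ended without level 0
            lines_at_default.append(current_line)
        current_line, line_has_level0 = None, False
        if raw.startswith("line "):
            current_line = raw.strip()
            continue
        m = re.match(r"privilege exec level (\d+) (.+)$", raw.strip())
        if m and m.group(1) == "0":
            level0_cmds.append(m.group(2))
        elif m and int(m.group(1)) >= 15 and m.group(2) == "show":
            show_raised = True
    if current_line and not line_has_level0:
        lines_at_default.append(current_line)
    return {"lines_at_default": lines_at_default, "level0_commands": level0_cmds,
            "show_raised_to_15": show_raised}

def is_default_deny(config_text):
    """True when every access line logs users in at privilege level 0."""
    return not audit_privilege_config(config_text)["lines_at_default"]
```

A line block that never sets `privilege level 0` is reported as still at the IOS default of 1, which is the state the advisory's "show access-lists" session was run from.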
