
tigris-rat-access.txt

17 Aug 1999 | Reported by Packet Storm | Type: packetstorm | packetstormsecurity.com

Tigris Access Terminal server vulnerability allows exposure of configuration and commands.

`Date: Sun, 3 Jan 1999 00:55:22 +1100  
From: Robert Thomas <[email protected]>  
To: [email protected]  
Subject: ACC's 'Tigris' Access Terminal server security vulnerability..  
  
ACC (link - http://www.acc.com ) have been aware of this flaw for 3 months  
now, so I'm not springing this on them unaware. Just so you know 8-)  
  
OS Versions up to (and including) 10.5.8 are vulnerable to a 'lame-arsed  
coding' bug, which lets you display a (slightly censored) dump of the  
configuration, as well as letting you run -any- non-privileged command (==  
anything but changing the configuration) including the ability to telnet from  
the machine, ping other machines (bypassing firewalls, perhaps?), and  
basically letting people know what you don't really want them to know.  
  
After having a quick fiddle, I'm (guessing) that the login sequence runs like  
this:  
  
Print the string "Login:"  
Stick the string 'login ' into the input buffer, and wait for user to type  
either 'netman' or 'public', resulting in the command 'login netman' or 'login  
public' being sent to the OS, which will then prompt for a password. This  
gives you the ability to do the really difficult thing of pushing backspace  
several times, or, hitting ^U (delete to beginning of line) and running any of  
the commands (like, for example, 'show' which will dump the running  
configuration, with any passwords *'ed out) that can be accessed by the  
'public' account.  
  
This includes:  
Dialin Numbers  
RADIUS Authentication/Accounting servers (minus passwords)  
OS Version  
IP Ranges  
BGP/RIP/OSPF filtering information  
  
Another problem that I've found is that the machines have an undocumented  
(that I could find) 'public' account, with a default password of 'public',  
which gives you the same information as you get with the ^U bug. The first  
time I found that out is in the email message sent from XSI (included below)  
  
To give both sides of the story, I hereby present an email message that I  
received from XSI (who are the Australian Distributors for the Tigris Access  
Server) in response to a vague message from me on the Australian ISP list  
saying that I'd found a bug in the terminal server, and they should contact  
XSI for information on how to fix it.  
  
  
--snip--  
Subject: Re: [Oz-ISP] Supposed Security Flaw  
Date: Thu, 10 Dec 1998 08:47:20 +0000  
From: "Nathan Chan" <[email protected]>  
To: [email protected]  
CC: [email protected]  
  
  
G'Day Guys,  
  
You may have recently seen an article in the Aussie ISP List saying  
that the Tigris has a security flaw. This isn't the case.  
  
Basically you can press Cntl U at the prompt and then type a command.  
eg show. However it is NOT a security flaw since if you can get to  
the login prompt of the Tigris you would get exactly the same thing  
if you logged in as username : Public, password : Public, which would  
be a lot easier to work out than pressing Cntl U and anyone can do  
this!!  
  
Simply adding Access entries can easily stop anybody from Telnetting  
to your box, and should be done on everyone's box anyway ! No-one  
other than management staff should be able to access the  
Tigris....1st rule of network protection.  
  
If someone can get to your prompt, Cntl U is the LEAST of your  
worries, since they can't do anything still :)  
  
Anyway, they are fixing this.  
  
Any questions let me know.  
  
Regards  
Nathan  
--snip--  
  
I responded to this pointing out that that would not work if someone dialled  
into the terminal server, and sent source routed data to the terminal server,  
as (AFAIK, and I can find no docco on it either) you cannot explicitly block  
source routed data, and you are going through no firewall to get to the  
device. No response as yet (sent on 12th October, 1998).  
  
Now, let me point out, I -like- the box. Whilst it's harder to configure than  
the Annex/Versalar Bay series of products (which just work 8-), it reliably  
holds 56k connections, seems very stable, and is considerably cheaper than the  
comparable 5399/8000 series from Bay. Apart from a few 'lame-arsed coding'  
bugs, it's a good box, and I've recommended it more than a few times.  
  
I honestly wouldn't be so worried if it didn't show the RADIUS servers, and  
the dialin numbers, as they are usually things you don't want every user to  
know. Whilst this is (obviously) security through obscurity, seeing packets  
wander around your network whilst x-lam3-haxx0r tries to locate your radius  
servers will give you a good tipoff that someone is up to no good, rather than  
just having a radius DoS flood sent to your server(s) without any warning  
because their location was handed to them on a silver platter.  
  
Anyway guys, hope you all have a good new year, and you've got your hourly  
rates set to quadruple for Y2K work!  
  
--Robert Thomas  
RP Internet Services  
"Will Geek for bandwidth. Don't care about food."  
  
[Note: I'm Australian. It's Arse, not Ass. An ass is a donkey 8-)]  
  
----------------------------------------------------------------------------  
  
Date: Mon, 4 Jan 1999 00:15:07 +0100  
From: Patrik Backstrom <[email protected]>  
To: [email protected]  
Subject: Re: ACC's 'Tigris' Access Terminal server security vulnerability..  
  
On Sun, 3 Jan 1999, Robert Thomas wrote:  
  
I have almost daily contact with ACC's technicians, and I'll make sure  
they receive the information, first thing tomorrow morning.  
  
For now, a quick workaround is to restrict telnet access to only the hosts  
(or networks) which should be allowed access. Also, it's a good idea to  
restrict SNMP and HTTP access to the router.  
  
Issue the following commands:  
  
ADD ACCESS ENTRY <network> <netmask> 23 TELNET  
ADD ACCESS ENTRY <network> <netmask> 80 HTTP  
ADD ACCESS ENTRY <network> <netmask> 0 PUBLIC  
  
Regarding source routing, it's only enabled if you have a source routing  
entry for the physical port, like:  
  
ADD SR PORT ENTRY ETHERNET 1 J7.1  
SET SR PORT STATE 1 ENABLED  
  
You can easily disable source routing for the port by typing  
  
SET SR PORT STATE <num> DISABLED  
  
To check if you have source routing configuration in the box, type:  
  
SHOW SR  
  
Hope this helps.  
  
/pb  
  
[ Boycott Microsoft -- http://www.vcnet.com/bms ]  
  
----------------------------------------------------------------------------  
  
Date: Tue, 2 Feb 1999 09:49:05 +0100  
From: Patrik Backstrom <[email protected]>  
To: [email protected]  
Subject: ACC Tigris fix: "public" access without logging in  
  
About a month ago, Robert Thomas <[email protected]> reported a bug in the  
ACC Tigris router, where you issue "public access" commands to the Tigris  
from remote, without having to login. I forwarded the mail to some ACC  
technicians. I haven't gotten a reply from them, but when I checked a list  
of fixes, I found:  
  
#PSR Fixed in 11.1.23.3:  
<snip>  
# 11010: Security Hole.. Public access without logging in. (Ptherio)  
<snip>  
  
I tried the bug on a box running 11.1.24, and you can no longer issue  
commands from the login prompt.  
  
The funny thing is - the 11.1.23.4 software is dated 12/20/98, which means  
the bug was fixed before the post to bugtraq.  
  
/pb  
  
[ Boycott Microsoft -- http://www.vcnet.com/bms ]  
`
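
The login sequence that Robert Thomas guesses at in the first message, modelled in C as an added example (it is not code from the posts or from ACC). It shows why pre-loading `login ` into the buffer the user edits lets ^U or backspace remove it, next to a version where the user can only edit a username field; the function names and the alphanumeric-username rule are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CTRL_U 0x15 /* kill line */
#define BKSP   0x08 /* erase one character */

/* Toy line editor: applies keystrokes to buf, which already holds len bytes. */
static size_t edit_line(char *buf, size_t len, size_t cap, const char *keys) {
    for (; *keys; keys++) {
        if (*keys == CTRL_U) len = 0;
        else if (*keys == BKSP) { if (len > 0) len--; }
        else if (len + 1 < cap) buf[len++] = *keys;
    }
    buf[len] = '\0';
    return len;
}

/* Flawed design, as guessed in the post: "login " is pre-loaded into the
 * same buffer the user edits, and the whole line goes to the command parser. */
void prompt_flawed(const char *keys, char *cmd, size_t cap) {
    size_t len = (size_t)snprintf(cmd, cap, "login ");
    edit_line(cmd, len, cap, keys);
}

/* Hardened: the user edits only a username field; the fixed verb is added
 * afterwards, and only to an alphanumeric name. Returns 0 or -1 (rejected). */
int prompt_hardened(const char *keys, char *cmd, size_t cap) {
    char user[32];
    size_t n = edit_line(user, 0, sizeof user, keys);
    cmd[0] = '\0';
    if (n == 0) return -1;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)user[i])) return -1;
    snprintf(cmd, cap, "login %s", user);
    return 0;
}

int main(void) {
    char cmd[64];
    const char *keys = "\x15" "show"; /* constructed input: ^U, then a command */
    prompt_flawed(keys, cmd, sizeof cmd);
    printf("flawed   -> parser sees '%s'\n", cmd);
    prompt_hardened(keys, cmd, sizeof cmd);
    printf("hardened -> parser sees '%s'\n", cmd);
    return 0;
}
```

In the hardened form the same keystrokes can at most produce `login show`, so the typed text is only ever treated as a username that still has to pass the password check.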
