Date: Sun, 3 Jan 1999 00:55:22 +1100
From: Robert Thomas <rob@RPI.NET.AU>
To: BUGTRAQ@netspace.org
Subject: ACC's 'Tigris' Access Terminal server security vunerability..

ACC (link - http://www.acc.com ) have been aware of this flaw for 3 months
now, so I'm not springing this on them unaware. Just so you know 8-)

OS Versions up to (and including) 10.5.8 are vunerable to a 'lame-arsed
coding' bug, which lets you display a (slightly censored) dump of the
configuration, as well as letting you run -any- non-priviledeged command (==
anything but changing the configuration) including the ability to telnet from
the machine, ping other machines (bypassing firewalls, perhaps?), and
basically letting people know what you don't really want them to know.

After having a quick fiddle, I'm (guessing) that the login sequence runs like
this:

Print the string "Login:"
Stick the string 'login ' into the input buffer, and wait for user to type
either 'netman' or 'public', resulting in the command 'login netman' or 'login
public' being sent to the OS, which will then prompt for a password.  This
gives you the ability to do the really difficult thing of pushing backspace
several times, or, hitting ^U (delete to beginning of line) and running any of
the commands (like, for example, 'show' which will dump the running
configuration, with any passwords *'ed out) that can be accessed by the
'public' account.

This includes:
  Dialin Numbers
  RADIUS Authentication/Accounting servers (minus passwords)
  OS Version
  IP Ranges
  BGP/RIP/OSPF filtering information

Another problem that I've found is that the machines have an undocumented
(that I could find) 'public' account, with a default password of 'public',
which gives you the same information as you get with the ^U bug. The first
time I found that out is in the email message sent from XSI (included below)

To give both sides of the story, I hereby present an email message that I
received from XSI (who are the Australian Distributors for the Tigris Access
Server) in responce to a vague message from me on the Australian ISP list
saying that I'd found a bug in the terminal server, and they should contact
XSI for information on how to fix it.


--snip--
Subject: Re: [Oz-ISP] Supposed Security Flaw
  Date:  Thu, 10 Dec 1998 08:47:20 +0000
  From:  "Nathan Chan" <chan@xsi.com.au>
    To:  tigris-list@iig.com.au
    CC:  rob@rpi.net.au


G'Day Guys,

You may have recently seen a article in the Ausie ISP List saying
that the Tigris has a security flaw.  This isn't the case.

Basically you can press Cntl U at the prompt and then type a command.
eg show.   However it is NOT a security flaw since if you can get to
the login prompt of the Tigris  you would get exactly the same thing
if you logged in as username : Public, password : Public, which would
a lot easier to work out than pressing Cntl U and anyone can do
this!!

Simply adding Access entries can easily stop anybody from Telneting
to your box, and should be done on everyone's box anyway !  No-one
other than management staff should be able to access the
Tigris....1st rule of network protection.

If someone can get to you prompt, Cntl U is the LEAST of your
worries, since they can't do anything still  :)

Anyway, they are fixing this.

Any questions let me know.

Regards
Nathan
--snip--

I responded to this pointing out that that would not work if someone dialled
into the terminal server, and sent source routed data to the terminal server,
as (AFAIK, and I can find no docco on it either) you cannot explicitly block
source routed data, and you are going through no firewall to get to the
device.  No responce as yet (sent on 12th October, 1998).

Now, let me point out, I -like- the box.  Whilst it's harder to configure than
the Annex/Versalar Bay series of products (which just work 8-), it reliably
holds 56k connections, seems very stable, and is considerably cheaper than the
comparable 5399/8000 series from Bay. Apart from a few 'lame-arsed coding'
bugs, it's a good box, and I've recommended it more than a few times.

I honestly wouldn't be so worried if it didn't show the RADIUS servers, and
the dialin numbers, as they are usually things you don't want every user to
know. Whilst this is (obviously) security through obscurity, seeing packets
wander around your network whilst x-lam3-haxx0r tries to locate your radius
servers will give you a good tipoff that someone is up to no good, rather than
just having a radius DoS flood sent to your server(s) without any warning
because their location was handed to them on a silver platter.

Anyway guys, hope you all have a good new year, and you've got your hourly
rates set to quadruple for Y2K work!

--Robert Thomas
RP Internet Services
"Will Geek for bandwidth. Don't care about food."

[Note: I'm Australian. It's Arse, not Ass. An ass is a donkey 8-)]

----------------------------------------------------------------------------

Date: Mon, 4 Jan 1999 00:15:07 +0100
From: Patrik Backstrom <pb@TECHNO.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: ACC's 'Tigris' Access Terminal server security vunerability..

On Sun, 3 Jan 1999, Robert Thomas wrote:

I have almost daily contact with ACC's technicians, and i'll make sure
they receive the information, first thing tomorrow morning.

For now, a quick workaround is to restrict telnet access to only the hosts
(or networks) which should be allowed access. Also, it's a good idea to
restrict SNMP and HTTP access to the router.

Issue the following commands:

ADD ACCESS ENTRY <network> <netmask> 23 TELNET
ADD ACCESS ENTRY <network> <netmask> 80 HTTP
ADD ACCESS ENTRY <network> <netmask> 0 PUBLIC

Regarding source routing, it's only enabled if you have a source routing
entry for the physical port, like:

ADD SR PORT ENTRY ETHERNET 1 J7.1
SET SR PORT STATE 1 ENABLED

You can easily disable source routing for the port by typing

SET SR PORT STATE <num> DISABLED

To check if you have source routing configuration in the box, type:

SHOW SR

Hope this helps.

/pb

            [ Boycott Microsoft -- http://www.vcnet.com/bms ]

----------------------------------------------------------------------------

Date: Tue, 2 Feb 1999 09:49:05 +0100
From: Patrik Backstrom <pb@TECHNO.ORG>
To: BUGTRAQ@netspace.org
Subject: ACC Tigris fix: "public" access without logging in

About a month ago, Robert Thomas <rob@RPI.NET.AU> reported a bug in the
ACC Tigris router, where you issue "public access" commands to the Tigris
>from remote, without having to login. I forwarded the mail to some ACC
technicians. I havn't gotten a reply from them, but when i checked a list
of fixes, i found:

#PSR Fixed in 11.1.23.3:
<snip>
# 11010:        Security Hole.. Public access without logging in. (Ptherio)
<snip>

I tried the bug on a box running 11.1.24, and you can no longer issue
commands from the login prompt.

The funny thing is - the 11.1.23.4 software is dated 12/20/98, which means
the bug was fixed before the post to bugtraq.

/pb

            [ Boycott Microsoft -- http://www.vcnet.com/bms ]