Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Damir Rajnovic (gausCISCO.COM)
Date: Fri Apr 20 2001 - 14:55:55 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]


    At 13:11 20/04/2001 -0600, pedersennetguide.dk wrote:
    >I had doing a "sh nat" with a very long listing in one telnet session.
    >When I telnetted from another machine, the c677 switched output to
    >that connection before prompting for password.
    >The listing would continue in whatever telnet window had the last
    >keypress. Also seemd to screw up something on the first terminal.
    >I see this as a serious security flaw.

    We can confirm that this is indeed true. This behavior has been reported
    to us, prior this posting, by Knud Erik Højgaard.

    We are working on a fix for this. To the best of our knowledge, this
    trick can be performed only by using this command, "sh nat". Apparently,
    this can not be reproduced by any other command, most notably "sh conf"
    can not be exploited this way. Even this current behavior is not
    acceptable but, it seems so, one can not grab the router's configuration
    this way.

    In addition to this, please note that you can only see the output from
    the first session. The second session is not logged in and you can not
    execute any commands in it (unless you actually log in). Also, only
    output of a single command is displayed and all subsequent commands
    will be displayed in the right session (unless you trigger this
    vulnerability with "sh nat" again).



    Damir Rajnovic <psirtcisco.com>, PSIRT Incident Manager, Cisco Systems
    Phone: +44 7715 546 033
    4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
    There is no insolvable problems. Question remains: can you
    accept the solution?