Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Damir Rajnovic (gausCISCO.COM)
Date: Fri Apr 20 2001 - 14:55:55 CDT
At 13:11 20/04/2001 -0600, pedersennetguide.dk wrote:
>I had doing a "sh nat" with a very long listing in one telnet session.
>When I telnetted from another machine, the c677 switched output to
>that connection before prompting for password.
>The listing would continue in whatever telnet window had the last
>keypress. Also seemd to screw up something on the first terminal.
>I see this as a serious security flaw.
We can confirm that this is indeed true. This behavior has been reported
to us, prior this posting, by Knud Erik Højgaard.
We are working on a fix for this. To the best of our knowledge, this
trick can be performed only by using this command, "sh nat". Apparently,
this can not be reproduced by any other command, most notably "sh conf"
can not be exploited this way. Even this current behavior is not
acceptable but, it seems so, one can not grab the router's configuration
In addition to this, please note that you can only see the output from
the first session. The second session is not logged in and you can not
execute any commands in it (unless you actually log in). Also, only
output of a single command is displayed and all subsequent commands
will be displayed in the right session (unless you trigger this
vulnerability with "sh nat" again).
Damir Rajnovic <psirtcisco.com>, PSIRT Incident Manager, Cisco Systems
Phone: +44 7715 546 033
4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
There is no insolvable problems. Question remains: can you
accept the solution?