Fw: Re: Warning: Cisco RW community backdoor.
More details below.
-----Original Message-----
From: "James A. T. Rice"
If your router responds to `snmpwalk router.isp.net.uk ILMI`, you probably will want to do the following to disable it:
`conf t`
`snmp-server community ILMI RO 99`
`access-list 99 deny any log`
(pick another spare access-list if 99 isn't available)
If you don't, assuming your IOS/hardware combination supports it (most of the bigger routers do), anyone can do things like:
`snmpset router.isp.net.uk ILMI system.sysName.0 s "ALL YOUR ROUTER ARE BELONG TO US."`
That's a harmless example. You can do almost anything with RW SNMP.
Warm Regards James
--
James A. T. Rice | Email: jamesr(a)rd.bbc.co.uk
Internet Operations Engineer | Phone: 01737 839 737
BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
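To audit a saved IOS configuration for the state described above (the built-in ILMI community left without the RO + deny-all access-list fix, or any community with no access-list at all), here is an added Python example; it is not code from the original thread or from Cisco. The config fragments inside it are constructed, and the parsed line shapes are an assumption covering only plain `snmp-server community` lines and numbered standard access-lists.

```python
import re

# Constructed IOS config fragments (not from any real router). UNFIXED has no
# explicit ILMI line, so on affected IOS the built-in ILMI community stays
# reachable; "public" has no access-list at all. FIXED applies the thread's fix.
UNFIXED_CONFIG = """
snmp-server community public RO
snmp-server community s3cret RW 10
access-list 10 permit 192.0.2.10
"""
FIXED_CONFIG = """
snmp-server community ILMI RO 99
access-list 99 deny any log
snmp-server community public RO 10
access-list 10 permit 192.0.2.10
"""
# Assumed line shapes: plain community lines and numbered standard ACLs only
# ("view", "ipv6" and named-ACL variants are out of scope for this example).
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (.+)$")

def parse_config(config):
    """Return ({community: (mode, acl_or_None)}, {acl: [(action, match), ...]})."""
    communities, acls = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := COMMUNITY_RE.match(line):
            name, mode, acl = m.groups()
            communities[name] = (mode or "RO", acl)  # IOS defaults to RO
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return communities, acls

def audit_snmp(config):
    """Return human-readable findings; an empty list means nothing to flag."""
    communities, acls = parse_config(config)
    findings = []
    if "ILMI" not in communities:
        findings.append("ILMI: not defined, so the built-in ILMI community stays "
                        "reachable on affected IOS; add the RO + deny-all ACL fix")
    for name, (mode, acl) in communities.items():
        entries = acls.get(acl)  # None: no ACL given, or none defined in this config
        if entries is None:
            findings.append(f"{name}: {mode} community without an effective access-list")
        elif name == "ILMI" and any(act == "permit" for act, _ in entries):
            findings.append("ILMI: its access-list still permits some sources; use deny-all")
        elif mode == "RW":
            findings.append(f"{name}: RW community; confirm access-list {acl} is intended")
    return findings
```

Run `audit_snmp` over the output of `show running-config` for each router; a router whose findings list is empty has the ILMI community pinned to a deny-all access-list and no unrestricted communities.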
On Mon, 26 Feb 2001, Joe Abley wrote:
I've been asked what the backdoor is, if it's the community "ILMI" or if that was just an example, the answer is yes - "ILMI" is the backdoor which gives read-write access to parts of the SNMP base.
And I guess the other interesting question here is... is this the only backdoor? Are there others?

David Robb --- Senior Network Engineer IHUG NZ
"The Earth is a single point of failure"
On Tue, Feb 27, 2001 at 02:59:38PM +1300, David Robb wrote:
And I guess the other interesting question here is... is this the only backdoor? Are there others?

I wondered that myself... if there are, people will find them soonish I suspect; IOS source code was leaked some time ago; all 500M compressed of it -- so I heard, I would never possess such a thing myself of course :)

--cw
-- Chris Wedgwood chris.wedgwood(a)clear.co.nz
On Tue, Feb 27, 2001 at 03:07:45PM +1300, Chris Wedgwood wrote:
On Tue, Feb 27, 2001 at 02:59:38PM +1300, David Robb wrote:
And I guess the other interesting question here is... is this the only backdoor? Are there others?
I wondered that myself... if there are, people will find them soonish I suspect; IOS source code was leaked some time ago; all 500M compressed of it -- so I heard, I would never possess such a thing myself of course :)

I think "backdoor" is probably misleading. If I remember correctly, ILMI messages are formatted in some SNMP-like way, and if this rw community does exist on some loads of IOS, it probably has more to do with over-enthusiastic software-reuse within the operating system than the desire to leave an administrative hole open for after-hours access.

Joe
On Mon, Feb 26, 2001 at 09:36:39PM -0500, Joe Abley wrote:
I think "backdoor" is probably misleading. If I remember correctly, ILMI messages are formatted in some SNMP-like way, and if this rw community does exist on some loads of IOS, it probably has more to do with over-enthusiastic software-reuse within the operating system than the desire to leave an administrative hole open for after-hours access.

But, nonetheless, I'm told this 'exploit' is sufficient to disable ATM interfaces and cause LANE to malfunction (as various ATM parts of the MIB are exposed). Doesn't sound all that good to me.

What's more, the Cisco documented 'fixed' version for the 11.1CC release train doesn't appear to be on the download site.

All this just goes to prove that "ATM is evil".

--cw
Hello Everyone,

There will be a security alert going out today or tomorrow. It goes out to our security alert alias.

Security-related field notices, as well as some other security information which Cisco believes will be of interest to customers, are sent in e-mail to cust-security-announce(a)cisco.com. Any interested person may subscribe to this list using the procedures described under "Subscribing to cust-security-announce(a)cisco.com" in this document. Please do not attempt to subscribe by sending e-mail to the list itself; it will not work.

Barry

-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Joe Abley
Sent: Monday, February 26, 2001 5:55 PM
To: nznog(a)list.waikato.ac.nz
Subject: Fw: Re: Warning: Cisco RW community backdoor.
More details below.
-----Original Message----- From: "James A. T. Rice"
Date: Tue, 27 Feb 2001 01:46:37 +0000 (GMT)
Subject: Re: Warning: Cisco RW community backdoor.
To: , , ,

Just a couple of things to note,
I've been asked what the backdoor is, if it's the community "ILMI" or if that was just an example, the answer is yes - "ILMI" is the backdoor which gives read-write access to parts of the SNMP base.
It looks like parts of my earlier email are somewhat misleading: the ILMI community appears to only allow RW access to the system object and possibly some more objects. It's not a 'standard' open RW community, hence the damage caused by this backdoor is limited. There is still some write access however, so the fix mentioned below is still highly recommended.
And of course - it allows people to read what IOS/model Cisco you have, which could be used to find exploitable bugs in that particular release. Oh, I wonder what the chances of having a router stolen due to discovery of system.sysLocation are! :-)
Warm Regards James
--
James A. T. Rice | Email: jamesr(a)rd.bbc.co.uk
Internet Operations Engineer | Phone: 01737 839 737
BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.
On Tue, 27 Feb 2001, it was written:
If your router responds to `snmpwalk router.isp.net.uk ILMI`, you probably will want to do the following to disable it:
`conf t`
`snmp-server community ILMI RO 99`
`access-list 99 deny any log`
(pick another spare access-list if 99 isn't available)
If you don't, assuming your IOS/hardware combination supports it (most of the bigger routers do), anyone can do things like:
`snmpset router.isp.net.uk ILMI system.sysName.0 s "ALL YOUR ROUTER ARE BELONG TO US."`
That's a harmless example. You can do almost anything with RW SNMP.
Warm Regards James
--
James A. T. Rice | Email: jamesr(a)rd.bbc.co.uk
Internet Operations Engineer | Phone: 01737 839 737
BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.
Whoops - forgot to include the URLs:
http://www.cisco.com/warp/public/707/advisory.html
http://www.cisco.com/warp/public/707/sec_incident_response.shtml

Subscribing to cust-security-announce(a)cisco.com

To subscribe to "cust-security-announce(a)cisco.com", send an e-mail message to "majordomo(a)cisco.com", with the single line "subscribe cust-security-announce" as the entire content of the body of the message. You will receive confirmation instructions and a list policy statement.

-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Barry Raveendran Greene
Sent: Monday, February 26, 2001 8:16 PM
To: Joe Abley; nznog(a)list.waikato.ac.nz
Subject: RE: Re: Warning: Cisco RW community backdoor.
Hello Everyone,
There will be a security alert going out today or tomorrow. It goes out to our security alert alias.
Security-related field notices, as well as some other security information which Cisco believes will be of interest to customers, are sent in e-mail to cust-security-announce(a)cisco.com. Any interested person may subscribe to this list using the procedures described under "Subscribing to cust-security-announce(a)cisco.com" in this document. Please do not attempt to subscribe by sending e-mail to the list itself; it will not work.
Barry
Just a quick question, it appears that Cisco/Vendors contacted some ISPs about this problem before yesterday. Did anyone here get contacted?

--
Simon Lyall. | Newsmaster | Work: simon.lyall(a)ihug.co.nz
Senior Network/System Admin | | Home: simon(a)darkmere.gen.nz
ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz