ascend / lucent router - unauthorized access

This vulnerability was discovered in October 2003. ( neworder | securitytracker | bugtraq )

This design error allows unauthorized remote cli access on an Ascend / Lucent MAX TNT router. This vulnerability is known to affect routers running TAOS 8.0.1 but could affect other versions of the OS. Users should upgrade the OS (later versions do not seem to be affected).

Here is an example of this vulnerability that can be found online: http://www.tek-tips.com/gviewthread.cfm/lev2/8/lev3/58/pid/547/qid/626101

[in TERMINAL-SERVER]
enabled = yes
security-mode = full
modem-configuration = { will-v42 33600-max-baud -13-db-mdm-trn-level no
-18-db-+
**********************************************************************
here a connection is made and the Terminal Server presents a Login Prompt
**********************************************************************
terminal-mode-configuration = { no yes "" "***  Pulaski Networks  ***"
"Login: +
immediate-mode-options = { none no "" 0 }
menu-mode-options = { no no no "" "" telnet 0 "" "" "" telnet 0 "" ""

""
telnet+
ppp-mode-configuration = { yes 5 no session-ppp }
slip-mode-configuration = { no no basic-slip no }
dialout-configuration = { no no 5000 "" none }

And something changed but still no luck.  This time wvdial shows :
***********************************************************************
here a connection made to the same Terminal Server but no Login Prompt is presented
***********************************************************************
Aug  7 12:04:22 fw wvdial[4441]: Sending: fmota
Aug  7 12:04:23 fw wvdial[4441]: fmota
Aug  7 12:04:23 fw wvdial[4441]: Password:
Aug  7 12:04:23 fw wvdial[4441]: Looks like a password prompt.
Aug  7 12:04:23 fw wvdial[4441]: Sending: (password)
************************************************************************
instead of a login prompt the cli is given.
************************************************************************
Aug  7 12:04:24 fw wvdial[4441]: ascend%
************************************************************************
this problem has been overlooked because wvdial and other programs do not report this,
instead wvdial continues to try with ppp negotion, but fails:
**************************************************************************
Aug  7 12:04:24 fw wvdial[4441]: Hmm... a prompt.  Sending "ppp".
Aug  7 12:04:25 fw wvdial[4441]: ppp
Aug  7 12:04:25 fw wvdial[4441]: Requested Service Not Authorized
**************************************************************************

Access to the cli prompt can easily be obtained trough the use of a terminal client, such as minicom or Hyperterminal. Often, the router will correctly present a login prompt. When this occurs one only needs to disconnect quickly and redial to gain access. This has been tested against an Ascend / Lucent MAX TNT router running IOS version 8.0.1.

other online examples that could be related to this vulnerability:
https://lists.csociety.org/pipermail/plug/2000-October/003328.html
http://lists.debian.org/debian-user/2000/debian-user-200010/msg02081.html

commands for ascend router

ascend%             prompt
?                   Display help information
help                   "     "        "
quit                Closes terminal server session
hangup                 "      "       "       "
test                test  [  ] [  ]
local               Go to local mode
remote              remote 

set                 Set various items. Type 'set ?' for help
show                Show various tables. Type 'show ?' for help
iproute             Manage IP routes.  Type 'iproute ?' for help
dnstab              Manage local DNS table.  Type 'dnstab ?' for help
slip                SLIP command
cslip               Compressed SLIP command
ppp                 PPP command
menu                Host menu interface
pad                 PAD command.
x28                 PAD command.
t3pos               T3POS command.
telnet              telnet [-a|-b|-t] [-r|-l] [-v vrouter] hostname [portNumber]
tcp                 tcp  
ping                ping 
ipxping             ipxping 
traceroute          Trace route to host.  Type 'traceroute ?' for help
rlogin              rlogin [ -l user ] [ -ec ] 
open                open < modem-number | slot:modem-on-slot >

resume              resume virtual connect session
close               close virtual connect session
kill                kill 
pptp                pptp 
l2tp                l2tp 
l2f                 l2f 
ara                 ARA command