ascend / lucent router - unauthorized access
This vulnerability was discovered in October 2003. ( neworder | securitytracker | bugtraq )This design error allows unauthorized remote cli access on an Ascend / Lucent MAX TNT router. This vulnerability is known to affect routers running TAOS 8.0.1 but could affect other versions of the OS. Users should upgrade the OS (later versions do not seem to be affected).
Here is an example of this vulnerability that can be found online: http://www.tek-tips.com/gviewthread.cfm/lev2/8/lev3/58/pid/547/qid/626101
[in TERMINAL-SERVER] enabled = yes security-mode = full modem-configuration = { will-v42 33600-max-baud -13-db-mdm-trn-level no -18-db-+ ********************************************************************** here a connection is made and the Terminal Server presents a Login Prompt ********************************************************************** terminal-mode-configuration = { no yes "" "*** Pulaski Networks ***" "Login: + immediate-mode-options = { none no "" 0 } menu-mode-options = { no no no "" "" telnet 0 "" "" "" telnet 0 "" "" "" telnet+ ppp-mode-configuration = { yes 5 no session-ppp } slip-mode-configuration = { no no basic-slip no } dialout-configuration = { no no 5000 "" none } And something changed but still no luck. This time wvdial shows : *********************************************************************** here a connection made to the same Terminal Server but no Login Prompt is presented *********************************************************************** Aug 7 12:04:22 fw wvdial[4441]: Sending: fmota Aug 7 12:04:23 fw wvdial[4441]: fmota Aug 7 12:04:23 fw wvdial[4441]: Password: Aug 7 12:04:23 fw wvdial[4441]: Looks like a password prompt. Aug 7 12:04:23 fw wvdial[4441]: Sending: (password) ************************************************************************ instead of a login prompt the cli is given. ************************************************************************ Aug 7 12:04:24 fw wvdial[4441]: ascend% ************************************************************************ this problem has been overlooked because wvdial and other programs do not report this, instead wvdial continues to try with ppp negotion, but fails: ************************************************************************** Aug 7 12:04:24 fw wvdial[4441]: Hmm... a prompt. Sending "ppp". Aug 7 12:04:25 fw wvdial[4441]: ppp Aug 7 12:04:25 fw wvdial[4441]: Requested Service Not Authorized **************************************************************************
Access to the cli prompt can easily be obtained trough the use of a terminal client, such as minicom or Hyperterminal. Often, the router will correctly present a login prompt. When this occurs one only needs to disconnect quickly and redial to gain access. This has been tested against an Ascend / Lucent MAX TNT router running IOS version 8.0.1.
other online examples that could be related to this vulnerability:https://lists.csociety.org/pipermail/plug/2000-October/003328.html
http://lists.debian.org/debian-user/2000/debian-user-200010/msg02081.html
commands for ascend router
ascend% prompt ? Display help information help " " " quit Closes terminal server session hangup " " " " test test[ ] [ ] local Go to local mode remote remote set Set various items. Type 'set ?' for help show Show various tables. Type 'show ?' for help iproute Manage IP routes. Type 'iproute ?' for help dnstab Manage local DNS table. Type 'dnstab ?' for help slip SLIP command cslip Compressed SLIP command ppp PPP command menu Host menu interface pad PAD command. x28 PAD command. t3pos T3POS command. telnet telnet [-a|-b|-t] [-r|-l] [-v vrouter] hostname [portNumber] tcp tcp ping ping ipxping ipxping traceroute Trace route to host. Type 'traceroute ?' for help rlogin rlogin [ -l user ] [ -ec ] open open < modem-number | slot:modem-on-slot > resume resume virtual connect session close close virtual connect session kill kill pptp pptp l2tp l2tp l2f l2f ara ARA command