Another 2 cents worth ...

Test platforms: Cisco 3620, IOS 12.0.7
                Cisco 1603, IOS 12.0.3
                Catalyst 7xxx

> http://169.254.0.15/level/42/exec/show%20conf

This exploit only seems to work (for me) if I DON'T set up 'aaa' on the router or switch, 
using just the default local authentication.  With aaa enabled, you get an 
authorization failure and are prompted to logon.

A general aside on this type of vulnerability, which is applicable to most network 
assets:
As with telnet or SNMP, access to the http management interface should be very 
stringently controlled, at the very least by strong authentication and by the use of 
ACLs to restrict who has access via which interfaces. Normally only a limited number 
of people require management access to a network device, which makes it easier to 
control.  In one company I worked with, the only devices able to access the 
http/telnet interface of the router were the HPOV machines (all other access blocked 
by ACL). An authorised user would first logon to the management machine and then use 
either netscape/lynx or telnet to manage the network devices. The logon authentication 
for the routers/switches was then handled using radius.

Before anyone comments, yes, I know, this is far from perfect and it has many security 
issues of its own. The aim of the approach was to centralise device access control 
and logging, not to create a proper out-of-band management system.



Rgds,

Simon
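As an added illustration (not part of Simon's post), here is an IOS configuration sketch of the exposed default state beside the hardened form he describes: an ACL limiting HTTP and VTY access to a single management host, with logon pushed through AAA/RADIUS and a local fallback. The host addresses and the RADIUS key are placeholders; the `group radius` keyword is the newer AAA syntax, older 12.0 mainline images take `radius local` without `group`.

```cisco
! --- Exposed default: HTTP server on, enable/local password only, no ACL ---
ip http server
!
! --- Hardened: restrict who may reach the management interfaces and make
!     HTTP/VTY logon go through AAA (RADIUS first, local user as fallback) ---
!
! Only the management host (placeholder 10.0.0.5) may reach HTTP or telnet;
! everything else is dropped and logged
access-list 10 permit host 10.0.0.5
access-list 10 deny   any log
!
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host 10.0.0.20 key PLACEHOLDER-SHARED-SECRET
!
ip http server
ip http access-class 10
ip http authentication aaa
!
line vty 0 4
 access-class 10 in
 login authentication default
 exec-timeout 5 0
```

If the HTTP interface is not actually needed, `no ip http server` removes the exposure entirely and is simpler than any of the above.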

