[lug] Possible DOS on Cisco 675

B. O'Fallon bof at americanisp.net
Fri Jul 20 07:00:14 MDT 2001


Hello,

There are reports (from Slashdot, however reliable that makes them <g>)
that even if the web interface is disabled, the router can still be
killed:

	"There is common belief that disabling the web interface will prevent
this. It's not true; mine's been disabled ever since this was first
reported a year ago and I still got hit. The problem is that "set web
disable" prevents the web server from fiddling the router config, but
doesn't actually stop the server from parsing input from port 80,
which is what locks up the box. An improved workaround is to disable the
web-admin interface and change its port number with "set web port
53496" (replace with some random port number). At least that'll stop
it for the near term."

I know that I had to reboot my Cisco 675 several times yesterday, and I
suspect that this is the reason why because I have never had trouble
with it before. 

Apparently the only real solution is to upgrade to the 2.4.1 CBOS. Here
is a link to the upgrade:

	http://www.qwest.com/dsl/customerservice/win675ups.html

Since Qwest does not believe in Linux, the upgrade instructions are for
Windows. And if web and telnet access are disabled, then the only way to
get to the system is via serial cable. What fun!

B. O'Fallon

Chip Atkinson wrote:
> 
> Yes, it sure looks like it was the same thing.  The 675 is still up I
> might add.  I suspect that there are one or two people who found out how
> to do this DOS and are going through all sorts of addresses now.
> 
> Scott A. Herod wrote:
> 
> > That's the one mentioned in the mailing list article that Michael
> > sent out.
> >
> > http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26start%3D2001-07-15%26mid%3D197992%26threads%3D0%26end%3D2001-07-21%26fromthread%3D0%26
> >
> > Chip Atkinson wrote:
> >
> >> Greetings,
> >>
> >> This morning my 675 kept going down and would require a power cycle to
> >> restore it.  A little web search indicated that it's possible to kill
> >> the 675 through the web interface.  I disabled the web interface and the
> >> 675 hasn't gone down since.  I suspect that the 675 was being DOSed.
> >> Here's a link to the page I found:
> >> http://security-archive.merton.ox.ac.uk/bugtraq-200011/0393.html
> >>
> >> Chip


