Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Fw: Re: Warning: Cisco RW community backdoor. (fwd)

  • From: Simon Lyall
  • Date: Mon Feb 26 21:08:41 2001

Further updates.. It's not TOO bad.

-- 
Simon Lyall.                |  Newsmaster  | Work: simon.lyall@ihug.co.nz
Senior Network/System Admin |              | Home: simon@darkmere.gen.nz
ihug, Auckland, NZ          | Asst Doorman | Web: http://www.darkmere.gen.nz

---------- Forwarded message ----------
Date: Mon, 26 Feb 2001 21:54:50 -0400
From: Joe Abley <jabley@automagic.org>
To: nznog@list.waikato.ac.nz
Subject: Fw: Re: Warning: Cisco RW community backdoor.

More details below.

-----Original Message-----
From: "James A. T. Rice" <jamesr@rd.bbc.co.uk>
Date: Tue, 27 Feb 2001 01:46:37 +0000 (GMT)
Subject: Re: Warning: Cisco RW community backdoor.
To: <members@lonap.net>, , , <ops@linx.net>

Just a couple of things to note,

I've been asked what the backdoor is, if its the community "ILMI" or if
that was just an example, the answer is yes - "ILMI" is the backdoor
which gives read-write access to parts of the SNMP base.

Its looks like parts of my earlier email are somewhat misleading, the ILMI
community appears to only allow RW access to the system object and
possibly some more objects. Its not a 'standard' open RW community. hence
the damage caused by this backdoor is limited. There is still some write
access however, so the fix mentioned below is still highly recommended.

And of course - it allows people to read what IOS/model cisco you have,
which could be used to find exploitable bugs in that particular release.
Oh I wonder what the chances of having a router stolen due to discovery of
system.sysLocation is! :-)

Warm Regards
James

-- 
James A. T. Rice             | Email: jamesr@rd.bbc.co.uk
Internet Operations Engineer | Phone: 01737 839 737
BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.

On Tue, 27 Feb 2001, it was written:

> If your router responds to `snmpwalk router.isp.net.uk ILMI`, you
> probabally will want to do the following to disable it:
>    conf t
>    snmp-server community ILMI RO 99
>    access-list 99 deny any log
> (pick another spare access-list if 99 isn't available)
>
> If you dont, assuming your ios/hardware combination supports it,
> (most of the bigger routers do) anyone can do things like:
>           `snmpset router.isp.net.uk ILMI system.sysName.0 s \
>           "ALL YOUR ROUTER ARE BELONG TO US."`
> Thats a harmless example. You can do almost anything with RW snmp.
>
> Warm Regards
> James
>
> --
> James A. T. Rice             | Email: jamesr@rd.bbc.co.uk
> Internet Operations Engineer | Phone: 01737 839 737
> BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.







---------
To unsubscribe from nznog, send email to majordomo@list.waikato.ac.nz
where the body of your message reads:
unsubscribe nznog






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.