TUCoPS :: Cisco :: cisco20.htm

Cisco 675 - compromising an unpassworded one 
Vulnerability

    Cisco

Affected

    Cisco 675

Description

    Bill Watts found following.  When a certain long distance provider
    in his  area began  forcefully switching  all non-business/special
    adsl accounts  over to  using PPP  rather than  bridging mode  for
    'security reasons', DeMoNx got a little suspicious.  With bridging
    mode  enabled  on  a  Cisco  675,  one  used to be able to hook up
    seemingly limitless machines (provided you have the hubs), to  one
    dsl connection using dhcp.  Now with PPP, your dhcp server becomes
    10.10.10.0...your 675, which in turn  uses dhcp or ipcp to  handle
    traffic between itself and your isp....blah blah blah etc.

    Point is, with all  this wonderfully confusing hubub,  many people
    are pulling their hair out trying  to fathom the first 5 pages  of
    the 'CBOS  Users Guide',  trying in  vain to  set up  their dsl to
    avoid paying  $90 to  the guys  that will  end up  coming to their
    house and  setting it  up for  them.   The problem  is, *most*  of
    these guys don't set  passwords on the 675's.   It is very  simple
    to compromise  an unpassworded  675.   Simply hit  'enter' at  the
    password prompt after telnetting in, if you get a cbos> promt  you
    are half way there, NOT GOOD.   If there is no exec mode  password
    set, then  there most  likely won't  be an  enable(superuser) mode
    password either.  So, at this prompt you simply type 'enable'  and
    hit enter  twice.   If you  are in  enable mode,  your prompt will
    change  to  the  #  symbol,  and  you  have full access to all the
    router's  settings.   ISP's  are  letting  this happen, people are
    buying this technology  without any knowlege  that they may  be at
    this kind of  risk.  Below  is a log  of one such  Cisco 675.  The
    ip's and hostnames have been changed to protect the  irresponsible
    *and* the uninformed.

        $telnet adslppp93.lame.isp.net Trying 296.161.127.93...
        Connected to adslppp93.lame.isp.net.
        Escape character is '^]'.

        User Access Verification
        Password:                  (Just hit enter, whoa! No password!)

        cbos>enable                (with just 8 keystrokes full access is given)

        Password:

        cbos#stats ppp             (Hmm, who's 675 is this?)

        VC       VPI/VCI  STATE          MRU    USERNAME  RADIUS   TX RX
        wan0-0   01/01   Opened State    2048   poorsap   disabled 358673 358956

        cbos#exit
        Connection closed by foreign host.

    This is pretty well known, and not to mention that you can  really
    get free  dialups through  this method  by doing  'show nvram' and
    reading the username and password in the display, for example..

        cbos# show nvram
        <snip>
        PPP Port User Name = 00, username
        PPP Port User Password = 00, mycleartextpass
        <snip>

    Since  this  anonymous  ISP  provides  'roaming' access with their
    DSLs, if you are  in their 14 state  region, you can use  that l/p
    combination  to  have  a  free  dialup..  there are numerous other
    things you can do from the router...

    Francis Bodie added followwing (sort of related).  He had to do  a
    password recovery on a 675, which is an undocumented procedure (or
    at least not in the manual).   To recover the password you do  the
    following steps:

        1. Reboot the Cisco 675
        2. Access the device through the serial Console (Speed: 34000, 8, N,1)
        3. Issue the break command, <CTRL>-C
        4. The Cisco 675 should be display a prompt =>
        5. Issue the command: ES 6   (Erase Page? 6)
        6. Issue the command: M0     (Turn of monitor mode)
        7. Issue the command: go
        8. The modem should reboot, with exec and ena passwords removed

    NOTE:   You will  also loose  your entire  config.  Apparently the
    whole ROM monitor mode  on the 675 is  a bit strange, most  likely
    due to it being a former NetSpeed product.

Solution

    Cisco has recognized this as a  problem.  This is fixed in  2.1.0a
    or in 2.2.0 (2.2.0 out shortly).  The 675 will react like  classic
    IOS and not allow telnet if a  exec password is not set.  Now,  to
    change these passwords (the easiest way of securing the router)

        - type 'enable' hit enter to enter administration mode
        - then type 'set password exec clear NEWPASSWORD exec' to keep
          them out
        - and then 'set  password enable clear NEWPASSWORD  enable' to
          change the superuser password.

    This is what the person who setup the 675 *SHOULD* have done prior
    to leaving the jobsite.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH