lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87odf5pp57.fsf@mid.deneb.enyo.de>
Date: Thu, 11 Oct 2007 18:55:16 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: "Halvar Flake" <halvar.flake@...re-security.com>
Cc: "Gaus" <gaus@...co.com>, <bugtraq@...urityfocus.com>
Subject: Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques

* Halvar Flake:

> So in short, they are demonstrating that 
>
> * IF you have console access
> * AND the enable password
> * AND you enable the debugger
>
> you can execute code ?
>
> So all in all, it's a complete non-issue ?

Not completely.  There are some configurations in which EXEC mode is not
fully privileged.  For instance, someone might be covertly capturing
flows passing through the router.  The ability to execute arbitrary code
can be used to reveal that activity, and the router operator may not be
authorized to do so.

However, it seems to me that this is more or less a compliance thing,
not a security issue.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ