[TCLUG] Cisco675 Web Vulnerability & upgrades (was: Lots of denied packets. Port 80)

[Bill Layer]

On Thu, 19 Jul 2001 20:50:50 -0500 (CDT)
"Timothy Wilson" <wilson at visi.com> wrote:

> On Thu, 19 Jul 2001, James Spinti wrote:
> 
> > According to the buzz on /., that won't help.  You have to upgrade the
CBOS.
> > Otherwise you have to power cycle it every time it gets hit...

Interesting, the old known vulnerability of the 675 was any HTTP GET
request would hang the router, this coincidental vulnerability seems to be
a new one...

> Anyone got a link for downloading the latest and greatest CBOS?

I upgraded my CBOS to 2.4.1 about 6 or 7 weeks ago, and I sent a post to
the list detailing the exact procedure to upgrade using tftp. Here is a
clip of that little HOW-TO:

First, while Cisco and Qwest both claim that Xmodem works over the serial
port, I was not able to get it working with Minicom, using the same
settings that normally allow me to operate the 675's serial console. Just
errored out every time I tried, so I gave up on it. Second, the CAP/DMT
firmware is *not* related to the CBOS, so a change of CBOS version is
irrelevant to this. CAP/DMT is seperate firmware.

The easy & fast way to upgrade the CBOS (the latest version I found was
2.4.1, so I used it) is via tftp. The drill goes like this: (IMPORTANT
NOTE: I assume that the 675 is ip 10.0.0.1, and the client used to send
the upgrade is 10.0.0.2. Adjust as required for your network.)

Log into CBOS over the serial cable, enter enable mode.

#set tftp enabled
#set tftp remote 10.0.0.2 (this may be optional, but I set it the address
of my desktop. This forces the 675 tftp to only accept tftp connects from
a single host (security)).

Now, from the client machine 10.0.0.2, and assuming you have downloaded
CBOS 2.4.1 as filename 'nsrouter.c675.2.4.1.bin':

$mv nsrouter.c675.2.4.1.bin nsrouter.c675.2.4.1.bin.hr
$tftp 10.0.0.1 69
tftp>mode binary
tftp>put nsrouter.c675.2.4.1.bin.hr
tftp>quit

Back to the CBOS serial console on more time:

#set tftp disabled
#reboot

The modem should reboot, check a bunch of checksums, *then* it flashes the
EEPROM, reboots again and wakes up with the new version. You shouldn't
have to touch any of your NVRAM settings, but if they are ugly, log into
the serial console, enter enable mode and do:

#set nvram erase
#write
#reboot

Then you may configure the unit as if factory-fresh; ppp passwords and
all...

(End.)

I still have a 675, I have web disabled, and I have NAT redirecting port
80 requests to my webserver. I have seen at least 30 of these attacks
today, and the 675 hasn't batted an eye. All appears well...

You can get the CBOS 2.4.1 and 2.4.2 (Latest, AFAIK) for the 675 from me,
at this address:

http://frogtown.dynu.com/UserX/nsrouter.c675.2.4.1.bin.hr
http://frogtown.dynu.com/UserX/nsrouter.c675.2.4.2.bin


                           -.bill.layer.-
                          
-.those who are talking don't know, and those who know aren't talking.-

           -.frogtown.-     -.minnesota.-      -.u.s.a.-