
cisco.help
Posted May 17, 2000
Authored by Fernando Montenegro

It seems that, even though a regular (non-"enabled") user should not be able to see the access-lists or other security-related information in the router, one can do just that. The online help system doesn't list the commands as being available, but out of 75 extra "show" options that are available in "enable" mode (on a 3640 running IOS 12.0(5)), only 13 were actually restricted.

tags | exploit
SHA-256 | 2c33ae7e113f98c67d0be4eb389aefb18fd47f1579f69e7636939aefb440a243

Hello!

We came across a curious behavior on a number of Cisco
routers, tied to the way the on-line help system presents
options. It seems that, even though a regular
(non-"enabled") user should not be able to see the access-
lists or other security-related information in the router,
one can do just that. The online help system doesn't list
the commands as being available, but out of 75 extra "show"
options that are available in "enable" mode (on a 3640
running IOS 12.0(5)), only 13 were actually restricted.

It seems that this has been known, to the point of being
mentioned in some classes as an "insider trick", but when
we looked up vulnerabilities for Cisco routers we couldn't
find any reference to this. I hope that this helps document
the issue and the workaround (see below).

Issue: Significant security-related information (such as
access-lists) can be retrieved by an unprivileged user
logged on to a Cisco router. While the on-line help system
leads administrators to think that such information is not
available, it is possible to obtain important information
from the router.

Impact: Users with local, non-privileged, session access
(such as junior administration staff telnetting to the
router) can have access to sensitive information.

Workaround: a security-conscious Cisco router configuration
should perform the following actions:
. set the default privilege level for access lines
to 0 (rather than leaving it at 1, the default)
. using "privilege exec", specify which commands a
user at level 0 can use

This will severely restrict the options a non-enabled user
will have, thereby implementing a "default deny" stance on
the router itself. Given the recent interest in Cisco
routers (check Phrack 55 and 56), it seems to be a sensible
thing to do.

Cisco's Product Security Incident Response Team has
confirmed the issue and approved the recommended workaround.

A more verbose description can be found below. Thanks to
Claudio Silotto (csilotto@hotmail.com) for help on
discovering this and to Lisa Napier, from Cisco Security,
for the feedback.

Cheers,
Fernando Montenegro
fsmontenegro@iname.com
--


Routers tested: 2500, 2600, 3600, 4000, 7200, 7500 series,
running IOS 9.14, 11.1(21) (Distributed Director), 11.2(x)
and 12.0(x). Some were tested on the local console, some
over Telnet. We recently tested PIX 4.x, and found it was
NOT vulnerable.

A regular user will log on with privilege level equal to 1.
This can be shown by running "show privilege" after logging
on to the router. For example:

User Access Verification

Username: joeuser
Password: <password>
Router2>sh priv
Current privilege level is 1
Router2>

Now, if we try to get a list of all possible "show"
commands, by doing "show ?", we get:

Router2>show privilege
Current privilege level is 1
Router2>show ?
backup Backup status
cef Cisco Express Forwarding
clock Display the system clock
dialer Dialer parameters and statistics
flash: display information about flash: file system
history Display the session command history
...

Notice that we did not see an "access-lists" option, so the
help system thinks we should not be able to run it...

However,

Router2>show privilege
Current privilege level is 1
Router2>show access-lists
Standard IP access list 10
permit 172.16.0.1
deny any
Extended IP access list eth0-IN
permit udp host 172.16.0.1 10.11.12.0 0.0.0.255 eq snmp (14982 matches)
permit udp host 172.16.0.1 10.11.13.128 0.0.0.127 eq snmp (4026 matches)

So, we can see the configuration, even though we shouldn't.
We can't alter it, but even seeing the access-list is
beneficial to an attacker.

Upon further testing on a 3640 running IOS 12.0(5), we got
the following results:
- We found 75 "show" commands that are supposed to be
available only in enable mode. Meaning: the difference
between "show ?" in enabled and disabled mode was these 75
commands.
- Out of the 75, only 13 were truly restricted. The other 62
could be viewed by a session in disabled (non-enabled) mode.
- Out of the 62 that were viewable, we counted 7 as being
potentially very dangerous. "show ip" is one of them, as
well as "show cdp", "show logging" and "show vlans". There
are others, but I don't have my list with me right now.
- By combining "show ip" and "show access-lists" we had a
very clear picture of how access-lists were distributed in
the router.

One way to solve the issue is to require more privilege to
run the show command. This can be accomplished by the
following configuration command:

privilege exec level 15 show

Another, more efficient way is to have users log in at
level 0, as opposed to 1. Then, one needs to specify which
commands will be "downgraded" to level 0. By doing this,
we're "jailing" the user at level 0, leaving him/her only
the commands we specifically downgraded.
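To make the two workarounds (the "Workaround" section above and the two configuration commands just described) checkable on a saved configuration, here is an added Python example that is not part of the advisory: it audits a constructed IOS config excerpt for either "privilege exec level 15 show" or access lines set to privilege level 0 with an explicit level-0 command list. The config samples and function names are constructed for illustration.

```python
"""Audit an IOS config for the advisory's workaround (constructed
example, not from the advisory): either the whole 'show' tree is moved
to level 15, or every access line starts users at level 0 with the
permitted commands listed via 'privilege exec level 0 <cmd>'."""
import re

# Constructed sample: access lines left at the IOS default (level 1),
# so an unprivileged session can still run 'show access-lists'.
WEAK_CONFIG = """\
line con 0
 login local
line vty 0 4
 login local
"""
# Constructed sample: users "jailed" at level 0 with a short whitelist.
HARDENED_CONFIG = """\
privilege exec level 0 show version
privilege exec level 0 show clock
privilege exec level 0 ping
line con 0
 privilege level 0
line vty 0 4
 privilege level 0
"""

def line_levels(config):
    """Map each 'line ...' stanza to its privilege level (IOS default: 1)."""
    levels, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            levels[current] = 1
        elif current is not None and raw.startswith(" "):
            m = re.match(r"\s*privilege level (\d+)$", raw)
            if m:
                levels[current] = int(m.group(1))
        else:
            current = None  # a non-indented statement ends the stanza

    return levels

def exec_levels(config):
    """Map commands named in 'privilege exec level N <cmd>' to N."""
    pat = r"^privilege exec level (\d+) (.+)$"
    return {m.group(2): int(m.group(1)) for m in re.finditer(pat, config, re.M)}

def audit(config):
    """Return findings; an empty list means one of the workarounds is in place."""
    privs = exec_levels(config)
    if privs.get("show") == 15:  # workaround 1: 'show' now requires enable
        return []
    allowed = sorted(c for c, lvl in privs.items() if lvl == 0)
    return [f"line {name}: privilege level {lvl}, 'show' tree reachable "
            f"(level-0 whitelist: {allowed or 'none'})"
            for name, lvl in line_levels(config).items() if lvl != 0]
```

Run it against a real "show running-config" capture to see which lines still hand out level 1 by default.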