exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Dec 28, 2005
Authored by Oleg Tipisov

Cisco PIX / CS ACS suffers from a downloadable RADIUS ACLs vulnerability.

tags | advisory
systems | cisco
SHA-256 | 6f16059639e83d55bc12bb4a13b51373fd439c7b0266db849011c26e6b3c9d58


Change Mirror Download

The following is the description of the vulnerability in the Cisco implementation of downloadable ACLs, which are used by the Cisco PIX firewall authentication proxy (aka cut-through proxy) and VPN 3000 concentrators.

When an administrator creates an ACL on the Cisco Secure Access Control Server (CS ACS Radius server) it is assigned the internal name #ACSACL#-IP-uacl-<random>. For example, the name may be the following: #ACSACL#-IP-uacl-43a97a9d. The <random> is changed by CS ACS every time the ACL is modified by the administrator. At the same time the internal hidden user with the name #ACSACL#-IP-uacl-43a97a9d and the password #ACSACL#-IP-uacl-43a97a9d (!) is created by CS ACS. This user is not seen in the CS ACS GUI.

The protocol used by the PIX to download the ACL works as follows: 0) User goes to Internet (for example) thru the PIX via HTTP(s). PIX asks a username and a password. User enters them into the dialog window. 1) PIX sends Radius Access-Request to CS ACS to authenticate the user (the user password is encrypted by Radius). 2) Radius server authenticates the user and sends back the cisco-av-pair Vendor-specific attribute (VSA) with the value ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-uacl-43a97a9d. 3) PIX again sends Radius Access-Request to authenticate the user #ACSACL#-IP-uacl-43a97a9d. 4) Radius server authenticates the user and sends back the ACL body as another cisco-av-pair VSA attribute (ip:inacl#1= ...).


This basically means that everybody with a sniffer can see the username #ACSACL#-IP-uacl-43a97a9d which is sent over the network in clear by the Radius protocol from the CS ACS server to the PIX. The password of this user is the same as the username. If some network device is configured to use the very same CS ACS server for login authentication then the sniffed username can be used to login to this network device.

Setting Radius IETF attribute Service-type to "Outbound" to prevent using this username for logins may not help: 1) it's impossible to set this attribute for the user #ACSACL#-IP-uacl-43a97a9d, because the user is not seen in the CS ACS Web interface 2) it's not always possible to set it for the "default" group (the user #ACSACL#-IP-uacl-43a97a9d always belongs to the "default" CS ACS group), because this group may be used for something else 3) some network devices (most notably the PIX firewall) ignore the Service-Type attribute (PIX firewall 6.x code does not support login authorization at all (!)). Cisco routers ignore this attribute if authorization is not configured (only authentication is configured).

Generally speaking the Radius protocol is not appropriate for doing such things as downloading ACLs or other attributes on behalf of the user on an "as-needed" basis, as it doesn't separate the authentication and authorization. Usually this leads to creation of a fake user with the password "cisco" or "<username>". Unfortunately this practice is common on Cisco devices.

Oleg Tipisov,
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    16 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By