Hi Terry,

On Thu, Jan 24, 2008 at 03:42:53AM -0000, tbbunn@xxxxxxx wrote:

> Back in May of last year I started doing research on any possible
> security flaws that exist in the Pix/ASA Finesse operating System,
> versions 7.1 and 7.2. I discovered that a design flaw that was
> previously unknown in Finesse will allow a level 0 user to escalate
> their privilege to level 15. I believe the vulnerability may originate
> in the local authentication service, thus not being possible to
> exploit when RADIUS and TACACS are implemented. Implementing AAA in any
> other way that keeps the passwords locally defined seems to have no
> effect on the vulnerability. I have been able to repeatedly bypass the
> privilege-exec login both locally, through the console, and remotely,
> through a telnet connection. After many attempts I have found that the
> SSH service does not seem to suffer from the vulnerability.
>
> I am now going to go over the simplicity of the exploit and I will be
> releasing a white paper hopefully sooner than later on the specifics
> of the underlying cause. Once a user has logged on to the user-exec
> (level 0) of the device they will then be able to proceed with the
> <enable> command, which should give you a login prompt. At this prompt,
> if you move your cursor forward with a space or character (it doesn't
> matter if there is more than one), and then proceed to delete any
> spaces or characters, by holding down the backspace a second after
> deleting the last character it should immediately drop you into level
> 15 privilege-exec mode. This attack was originally performed on a PIX
> 515E running version 7.2 of Finesse. I will be posting all updates
> regarding this exploit as they come, and I apologize for it taking so
> long to release this information.

Dumb question: can you reproduce this issue when you have a non-blank enable password?
I can see this behavior when a blank enable password is set, but if I have a non-blank enable password I don't see the behavior - I get dropped back into unprivileged EXEC after using the backspace key.

When the enable password is blank you still get prompted for a password when you want to go into privileged EXEC mode via the "enable" command. However, hitting just <Enter> will grant you access. There is no password set after all.

Could you make sure that you have a non-blank enable password set by using the command "enable password <some password>" and try again?

Note: even if "show running-config enable" shows an "enable password" command in the configuration, that doesn't mean that the enable password is non-blank; the output just displays a hash of a blank password.

Cheers,

--
Eloy Paris.-
CCIE #19207
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
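A practical way to act on Eloy's note about "show running-config enable" is to compare the hash the device prints against the hash of the empty string rather than just checking that an "enable password" line exists. The script below is an added example written for this page; it is not code from either poster or from Cisco. It reimplements the 16-character PIX/ASA 7.x "encrypted" password form (NUL-pad to 16 bytes, MD5, drop the top byte of each digest word, custom base64 with the low 6 bits first) and uses it to classify each enable password line in a config dump. The two known-answer values it relies on are the ones that appear in PIX default configurations: 8Ry2YjIyt7RRXU24 for a blank password and 2KFQnbNIdI.2KYOU for "cisco". The sample config text is constructed, the "enable password <pw> [level N] [encrypted]" keyword order is assumed, and the 16-byte truncation means passwords longer than 16 characters (a newer-ASA feature) are out of scope.

```python
import hashlib
import re

# Alphabet the PIX/ASA 7.x "encrypted" password form is written in.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def pix_md5_hash(password: str) -> str:
    """Return the 16-character PIX/ASA 7.x 'encrypted' form of a password.

    The password is NUL-padded (or truncated) to 16 bytes and MD5-hashed.
    From each 4-byte word of the digest the top byte is dropped; the other
    three bytes are emitted as four alphabet characters, low 6 bits first.
    """
    buf = password.encode("utf-8")[:16].ljust(16, b"\0")
    digest = hashlib.md5(buf).digest()
    out = []
    for i in (0, 4, 8, 12):
        v = digest[i] | (digest[i + 1] << 8) | (digest[i + 2] << 16)
        for _ in range(4):
            out.append(_ITOA64[v & 0x3F])
            v >>= 6
    return "".join(out)


# Hash of the empty string: what a blank "enable password" shows up as
# in "show running-config enable".
BLANK_ENABLE_HASH = pix_md5_hash("")

# enable password <value> [level N] [encrypted]   (assumed keyword order)
_ENABLE_RE = re.compile(
    r"^\s*enable password\s+(?P<value>\S+)"
    r"(?P<rest>(?:\s+(?:level\s+\d+|encrypted))*)\s*$"
)


def audit_enable_passwords(config: str) -> list:
    """Classify every 'enable password' line in a running-config dump.

    Returns a list of (level, stored_hash, status) tuples. status is
    "blank" when the stored hash equals the hash of the empty string and
    "set" otherwise. A line without the 'encrypted' keyword is treated as
    cleartext and hashed before comparison. If no line covers level 15,
    a (15, None, "missing") entry is appended so that absence of the
    command is not mistaken for a configured password.
    """
    findings = []
    levels_seen = set()
    for line in config.splitlines():
        m = _ENABLE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        lvl = re.search(r"level\s+(\d+)", rest)
        level = int(lvl.group(1)) if lvl else 15
        if "encrypted" in rest:
            stored = m.group("value")
        else:
            stored = pix_md5_hash(m.group("value"))
        status = "blank" if stored == BLANK_ENABLE_HASH else "set"
        findings.append((level, stored, status))
        levels_seen.add(level)
    if 15 not in levels_seen:
        findings.append((15, None, "missing"))
    return findings


# Constructed sample: two lines as "show running-config enable" would
# print them. The level-15 line is the blank-password hash, the level-5
# line is the hash of "cisco".
SAMPLE_CONFIG = """\
enable password 8Ry2YjIyt7RRXU24 encrypted
enable password 2KFQnbNIdI.2KYOU level 5 encrypted
"""

if __name__ == "__main__":
    for level, stored, status in audit_enable_passwords(SAMPLE_CONFIG):
        print(f"level {level:2d}: {status:8s} {stored or ''}")
```

Run it against the text of "show running-config enable" pasted from the device; any "blank" line is a device where <Enter> at the enable prompt is a valid password, which is the condition Eloy describes above. The comparison is exact, so it only recognizes the hash of the empty string, not weak or default passwords; for those, feed the hashes to a password cracker that supports the PIX MD5 format.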