Cisco config retrieval tool and password reuse

Wednesday, October 8th, 2008

The other day we were at a client site doing a penetration test. This was a very big deployment with almost 100 routers. At some point during the test we managed to get the read/write community string of one of the routers, as there was a script with the hard-coded credentials.

We managed to connect to the router with the SNMP credentials and pulled the Cisco config file. After that, we decoded the telnet and enable passwords and we were ready to go. We tried (with no much hope initially) a couple of other routers reusing the telnet password and they all worked. Every single router was protected with exactly the same password.

We had limited time and the prospect of telneting 100 routers pulling config files was not very appealing so we wrote a nice python script to pull them for us. We released the tool in our research section, so check it out if you are interested.

The lesson to learn here is that no matter how confident you are about the strength of your password because it can be potentially compromise and if you are reusing it, the impact for the business becomes critical.

Tags: cisco, cisco config, Penetration Testing, Tools
Posted in Penetration Testing, Tools | No Comments »

WordPress SQL column truncation vulnerability

Wednesday, October 8th, 2008

This vulnerability has been published some days ago where an attacker could create a duplicated “admin” user and recover the legitimate “admin” password. SQL column truncation is an attacking technique whereby an attacker take advance of some kind of mismatch between an application and the database structure used by it.

Let’s have a look to the vulnerable code.

In schema.php in the wordpress application it is defined the creation of the database table containing users:

CREATE TABLE $wpdb->users (
ID bigint(20) unsigned NOT NULL auto_increment,
user_login varchar(60) NOT NULL default '',

As we can see, the user_login field has a length of 60 bytes. However, the application does not enforce this limitation and allows longer usernames.

An attacker could create a user called “admin[55 spaces]X”. The last “X” is character 61 and therefore will be ignored by the database.

Later in the code, we can see that the user_login field is trim()ed and all the spaces are removed, so it becomes “admin”:

if ( strstr($_POST['user_login'], ‘@’) ) {
$user_data = get_user_by_email(trim($_POST['user_login']));
if ( empty($user_data) )
$errors->add(’invalid_email’, __(’ERROR: There is no user registered with that email address.’));
} else {
$login = trim($_POST['user_login']);
$user_data = get_userdatabylogin($login);
}

In summary, this is a very creative vulnerability and an interesting vector of attack.

Tags: SQL column truncation, vulnerability, wordpress
Posted in Penetration Testing, Vulnerabilities | No Comments »