Avocent's CCM console server has a flaw which enables users to bypass access control by using ssh with standard password-based authentication. Tested on S/W Version 2.1, CCM4850.
d015b3ec967178a10f8a428777c7574d16032315ea1b85d776379013351c5708
Hi,
this is another bug I found during my research on console servers
which is presumably fixed by now. So here you go:
Summary:
Port Access Control Bypass Vulnerability
Details:
Avocent's CCM console servers have a flaw which enables users to
bypass access control by using ssh with standard password-based
authentication. On modern console servers you can set port permissions
on a per-user basis. Research showed, however, that in this case access
control failed if you ssh directly into the console server with your user
account and then use the "connect" command to access a serial port you
have no permission for. This means that every user can access the
consoles of every device hooked up. ssh'ing directly to the TCP port
representing the serial port didn't show this flaw.
Vulnerable Versions:
Tested on S/W Version 2.1, CCM4850
Patches/Workarounds:
Vendor has released firmware 2.3 which, according to the vendor, fixes
this problem even though the release notes don't mention it. See:
ftp://ftp.avocent.com/public/product-upgrades/$ds1800/CCMx50%20Series/CCMx50%27s_AV_2.3/
"Exploit:"
Design Flaw, exploit not needed. This is for demonstration:
TCP port 3101 is, if enabled, serial port 1.
User mylocal should have access only to ports 2 through 48. Direct
access to 3101/tcp is correctly denied. However, connecting to the
Avocent first using the mylocal account and then using the connect
command allows access to this port. In this experiment a Cisco switch
is hooked up to serial port 1.
-------- snip
~/console/lab-notizen/avo|19% ssh Admin@ccm
Admin@ccm's password:
Avocent CCM4850 S/W Version 2.1
> show user
User: Admin
Level: Appliance Administrator
Access: PALL,USER,SCON,SMON,PCON,BREAK
Groups:
Port Access: BY PORT
Locked: N/A
Last Login: 00 10:17:11
Port Username Duration Socket From Socket
CLI Admin 00 00:00:04 22 0.0.0.0(58798)
> show user mylocal
User: mylocal
Level: User
Access: P2-48,BREAK
Groups:
Port Access: BY PORT
Locked: NO
Last Login: 00 08:10:24
>
>Connection to ccm closed
~/console/lab-notizen/avo|20% ssh mylocal@ccm -p 3101
mylocal@ccm's password:
Received disconnect from 192.168.100.209: 2: Access denied - No access to port 1
~/console/lab-notizen/avo|21% ssh mylocal@ccm
mylocal@ccm's password:
Avocent CCM4850 S/W Version 2.1
> connect 1
Connected to Port: 1 9600,8,N,1,NONE
cisco#Connection to ccm closed.
~/console/lab-notizen/avo|22%
-------- snap
(see also http://drwetter.org/cs-probs)
Cheers,
Dirk
--
Dr. Dirk Wetter http://drwetter.org
Consulting IT-Security + Open Source
Key fingerprint = 80A2 742B 8195 969C 5FA6 6584 8B6E 59C1 E41B 9153
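
Added example (not part of the original advisory and not Avocent code): a small model of the design flaw, with the per-port check enforced on the direct TCP path but missing from the CLI "connect" path, next to a version where both paths share one check. Assumptions: "PALL" means all ports, "Pn-m" is a port range, serial port n maps to TCP port 3100+n (the advisory only states 3101 = port 1), and all function names are hypothetical.

```python
import re

def parse_port_access(access_field, port_count=48):
    """Return the set of serial ports granted by an Access: field.

    Assumed semantics: 'PALL' = every port, 'Pn' = one port, 'Pn-m' = a range;
    other tokens (USER, SCON, BREAK, ...) are not port grants and are skipped.
    """
    ports = set()
    for token in access_field.split(","):
        token = token.strip().upper()
        if token == "PALL":
            return set(range(1, port_count + 1))
        m = re.fullmatch(r"P(\d+)(?:-(\d+))?", token)
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2) or lo)
            ports.update(range(lo, hi + 1))
    return ports

# Constructed user table, using the two Access: values shown in the session.
USERS = {"Admin": "PALL,USER,SCON,SMON,PCON,BREAK", "mylocal": "P2-48,BREAK"}
TCP_BASE = 3100  # assumption: generalizes "3101/tcp is serial port 1"

def may_use_port(user, port):
    """Single authorization decision shared by every entry path."""
    return port in parse_port_access(USERS.get(user, ""))

def direct_tcp_login(user, tcp_port):
    """Path 1: ssh to the TCP port that represents a serial port."""
    return may_use_port(user, tcp_port - TCP_BASE)

def cli_connect_flawed(user, port):
    """Path 2 as the advisory describes 2.1 behaving: no per-port check."""
    return user in USERS

def cli_connect_checked(user, port):
    """Path 2 routed through the same check as path 1."""
    return may_use_port(user, port)

def inconsistent_paths(connect_impl):
    """List (user, port) pairs the CLI path allows but direct TCP denies."""
    return [(u, p) for u in USERS for p in range(1, 49)
            if connect_impl(u, p) and not direct_tcp_login(u, TCP_BASE + p)]
```

Running inconsistent_paths() over every user and port is the kind of regression check that catches this class of bug: any pair it returns is a resource reachable through one entry point but denied through another.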