发布时间 :2000-05-03 00:00:00
修订时间 :2008-09-10 15:04:11

[原文]The on-line help system options in Cisco routers allows non-privileged users without "enabled" access to obtain sensitive information via the show command.


        Cisco路由器中的在线帮助系统选项存在漏洞,无权限的用户可以通过show 命令在没有"enabled"选项时访问并获得敏感信息。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:cisco:ios:12.0%282%29xdCisco IOS 12.0.2 XD
cpe:/o:cisco:ios:12.0sCisco IOS 12.0S
cpe:/o:cisco:ios:12.0Cisco IOS 12.0
cpe:/o:cisco:ios:12.0%282%29xcCisco IOS 12.0.2 XC
cpe:/o:cisco:ios:11.2%289%29xaCisco IOS 11.2.9 XA
cpe:/o:cisco:ios:12.0%283%29t2Cisco IOS 12.0.3 T2
cpe:/o:cisco:ios:12.0%282%29Cisco IOS 12.0.2
cpe:/o:cisco:ios:12.0%282%29xfCisco IOS 12.0.2 XF
cpe:/o:cisco:ios:11.2%2810%29bcCisco IOS 11.2.10 BC
cpe:/o:cisco:ios:11.1%2816%29Cisco IOS 11.1(16)
cpe:/o:cisco:ios:12.0%284%29sCisco IOS 12.0.4 S
cpe:/o:cisco:ios:12.0%281%29xeCisco IOS 12.0.1 XE
cpe:/o:cisco:ios:12.0%286%29Cisco IOS 12.0.6
cpe:/o:cisco:ios:11.2%288%29sa1Cisco IOS 11.2.8 SA1
cpe:/o:cisco:ios:12.0%287%29tCisco IOS 12.0(7)T
cpe:/o:cisco:ios:11.1%2813%29aaCisco IOS 11.1.13 AA
cpe:/o:cisco:ios:11.2%288%29pCisco IOS 11.2.8 P
cpe:/o:cisco:ios:11.1%2817%29ctCisco IOS 11.1.17 CT
cpe:/o:cisco:ios:11.2%2817%29Cisco IOS 11.2(17)
cpe:/o:cisco:ios:12.0%285%29Cisco IOS 12.0.5
cpe:/h:cisco:router_7500Cisco Router 7500
cpe:/o:cisco:ios:11.1Cisco IOS 11.1
cpe:/o:cisco:ios:12.0%281%29xbCisco IOS 12.0.1 XB
cpe:/o:cisco:ios:11.2%2810%29Cisco IOS 11.2.10
cpe:/o:cisco:ios:12.0dbCisco IOS 12.0DB
cpe:/o:cisco:ios:12.0%288%29Cisco IOS 12.0(8)
cpe:/o:cisco:ios:11.1%2816%29aaCisco IOS 11.1.16 AA
cpe:/o:cisco:ios:11.2%288%29sa3Cisco IOS 11.2.8 SA3
cpe:/h:cisco:router_2500Cisco Router 2500
cpe:/o:cisco:ios:11.2%284%29f1Cisco IOS 11.2.4 F1
cpe:/o:cisco:ios:11.1%2813%29caCisco IOS 11.1.13 CA
cpe:/o:cisco:ios:9.14Cisco IOS 9.14
cpe:/h:cisco:router_4000Cisco Router 4000
cpe:/o:cisco:ios:12.0%284%29tCisco IOS 12.0.4 T
cpe:/h:cisco:router_2600Cisco Router 2600
cpe:/o:cisco:ios:11.2%289%29pCisco IOS 11.2.9 P
cpe:/o:cisco:ios:11.2pCisco IOS 11.2P
cpe:/o:cisco:ios:12.0%284%29Cisco IOS 12.0.4
cpe:/o:cisco:ios:11.2%288%29Cisco IOS 11.2.8
cpe:/o:cisco:ios:12.0%281%29wCisco IOS 12.0.1 W
cpe:/o:cisco:ios:11.1%2813%29iaCisco IOS 11.1.13 IA
cpe:/o:cisco:ios:11.1%2817%29ccCisco IOS 11.1.17 CC
cpe:/o:cisco:ios:11.1%2816%29iaCisco IOS 11.1.16 IA
cpe:/h:cisco:router_3600Cisco Router 3600
cpe:/o:cisco:ios:11.2Cisco IOS 11.2
cpe:/o:cisco:ios:11.1%2813%29Cisco IOS 11.1.13
cpe:/o:cisco:ios:12.0%285%29t1Cisco IOS 12.0(5)T1
cpe:/o:cisco:ios:11.2%288%29sa5Cisco IOS 11.2.8 SA5
cpe:/h:cisco:router_7200Cisco Router 7200
cpe:/o:cisco:ios:12.0%281%29xa3Cisco IOS 12.0.1 XA3
cpe:/o:cisco:ios:11.1%2815%29caCisco IOS 11.1.15 CA
cpe:/o:cisco:ios:12.0%282%29xgCisco IOS 12.0.2 XG
cpe:/o:cisco:ios:12.0tCisco IOS 12.0T
cpe:/o:cisco:ios:12.0%289%29sCisco IOS 12.0(9)S

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20000502 Possible issue with Cisco on-line help?

- 漏洞信息

低危 访问验证错误
2000-05-03 00:00:00 2005-10-20 00:00:00
        Cisco路由器中的在线帮助系统选项存在漏洞,无权限的用户可以通过show 命令在没有"enabled"选项时访问并获得敏感信息。

- 公告与补丁

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: However in the original post to Bugtraq the author submits the following workaround and claims Cisco's Lisa Napier from Cisco Security validated the workaround as being sufficient.

- 漏洞信息

Cisco Routers On-line Help System show Command Local Information Disclosure
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Public Vendor Verified

- 漏洞描述

Unknown or Incomplete

- 时间线

2000-05-02 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Cisco Router Online Help Vulnerability
Access Validation Error 1161
Yes Yes
2000-05-03 12:00:00 2009-07-11 01:56:00
This bug was discovered and documented by Fernando Montenegro and Claudio Silotto ( The message detailing this vulnerability was sent to the Bugtraq mailing list on 2 May 2000.

- 受影响的程序版本

Cisco IOS 12.0.7
Cisco IOS 12.0.6
Cisco IOS 12.0.5
Cisco IOS 12.0.4 T
Cisco IOS 12.0.4 S
Cisco IOS 12.0.4
Cisco IOS 12.0.3 T2
Cisco IOS 12.0.2 XG
Cisco IOS 12.0.2 XF
Cisco IOS 12.0.2 XD
Cisco IOS 12.0.2 XC
Cisco IOS 12.0.2
Cisco IOS 12.0.1 XE
Cisco IOS 12.0.1 XB
Cisco IOS 12.0.1 XA3
Cisco IOS 12.0.1 W
Cisco IOS 11.2.10 BC
Cisco IOS 11.2.10
Cisco IOS 11.2.9 XA
Cisco IOS 11.2.9 P
Cisco IOS 11.2.8 SA5
Cisco IOS 11.2.8 SA3
Cisco IOS 11.2.8 SA1
Cisco IOS 11.2.8 P
Cisco IOS 11.2.8
Cisco IOS 11.2.4 F1
Cisco IOS 11.1.17 CT
Cisco IOS 11.1.17 CC
Cisco IOS 11.1.16 IA
Cisco IOS 11.1.16 AA
Cisco IOS 11.1.16
Cisco IOS 11.1.15 CA
Cisco IOS 11.1.13 IA
Cisco IOS 11.1.13 CA
Cisco IOS 11.1.13 AA
Cisco IOS 11.1.13
Cisco IOS 9.14
Cisco IOS 12.0T
Cisco IOS 12.0S
Cisco IOS 12.0DB
Cisco IOS 12.0(9)S
Cisco IOS 12.0(8)
Cisco IOS 12.0(7)T
Cisco IOS 12.0(5)T1
Cisco IOS 12.0
Cisco IOS 11.2P
Cisco IOS 11.2(17)
Cisco IOS 11.2
Cisco IOS 11.1
Cisco HSRP 7500.0
Cisco HSRP 7200.0
Cisco HSRP 4000.0
Cisco HSRP 3600.0
Cisco HSRP 2600.0
Cisco HSRP 2500.0
Cisco 7500
Cisco 7200
Cisco 4000
Cisco 3600
Cisco 2600
Cisco 2500

- 漏洞讨论

Under certain revisions of IOS multiple Cisco routers have an information leakage vulnerability in their online help systems. In essence this vulnerability allows users who currently have access to the router at a low level of privilege (users without access to the 'enable' password) can use the help system to view information which should only in theory be available to an 'enabled' user. This information is comprised of access lists among other things. The help system itself does not list these items as being available via the 'show' commands yet none the less it will execute them.

The message which detailed this vulnerability to the Bugtraq mailing list is attached in the 'Credit' section of this vulnerability entry. It is suggested that you read it if this vulnerability affects your infrastructure.

- 漏洞利用

As taken from the original post on this vulnerability (See the Credit Section):

Routers tested: 2500, 2600, 3600, 4000, 7200, 7500 series,
running IOS 9.14, 11.1(21) (Distributed Director), 11.2(x)
and 12.0(x). Some were tested on the local console, some
over Telnet. We recently tested PIX 4.x, and found it was
NOT vulnerable.

A regular user will log-on with privilege level equal to 1.
This can be shown by running "show privilege" after logging
on the router. For example:

User Access Verification

Username: joeuser
Password: <password>
Router2>sh priv
Current privilege level is 1

Now, if we try to get a list of all possible "show"
commands, by doing "show ?", we get:

Router2>show privilege
Current privilege level is 1
Router2>show ?
backup Backup status
cef Cisco Express Forwarding
clock Display the system clock
dialer Dialer parameters and statistics
flash: display information about flash: file
history Display the session command history

Notice that we did not see an "access-lists" option, so the
help system thinks we should not be able to run it...


Router2>show privilege
Current privilege level is 1
Router2>show access-lists
Standard IP access list 10
deny any
Extended IP access list eth0-IN
permit udp host eq
snmp (14982 matches)
permit udp host eq
snmp (4026 matches)

So, we can see the configuration, even though we shouldn't.
We can't alter it, but even seeing the access-list is
beneficial to an attacker.

Upon further testing on a 3640 running IOS 12.0(5), we got
the following results:

- We found 75 "show" commands that are supposed to be
available only in enable mode. Meaning: the difference
between "show ?" in enabled and disabled mode was this 75

- Out of 75, only 13 were truly restricted. The other 62
were available to be viewed by a session in a disabled mode.

- Out of the 62 that were viewable, we counted 7 as being
potentially very dangerous. "show ip" is one of them, as
well as "show cdp", "show logging", "show cdp", "show
vlans". There are others, but I don't have my list with me
right now.

- By combining "show ip" and "show access-lists" we had a
very clear picture of how access-lists were distributed in
the router.

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: However in the original post to Bugtraq the author submits the following workaround and claims Cisco's Lisa Napier from Cisco Security validated the workaround as being sufficient.

- 相关参考