Category: HTTP

IOS HTTP vulnerability

The Cisco Subnet RSS feed I’m receiving from Network World contained interesting information a few days ago: Cisco has reissued the HTTP security advisory from 2005. The 2005 bug was “trivial”: they forgot to quote the “<” character in the output HTML stream as “&lt;” and you could thus insert HTML code into the router’s output by sending pings to the router and inspecting the buffers with show buffers assigned dump (I found the original proof-of-concept exploit on the Wayback Machine). However, I’ve checked the behavior on 12.4(15)T1 and all dangerous characters (“<” and quotes) were properly quoted. So, I’m left with two explanations.

read more see 1 comments

Interesting links | 2008-11-08

As always, Jeremy Stretch posted several interesting articles: how to hijack HSRP, introduction to split horizon in distance vector routing protocols and (long needed) default redistribution metrics.

Petr Lapukhov started playing with HTTP URL regular expressions within NBAR and documented his findings. The most interesting is the last Q/A pair: can I use NBAR as a content filtering engine?

And last but definitely not least, if you’re worried what will happen to WPA2 now that WPA has been cracked, Robert Graham explains the fundamental differences between WPA and WPA2. Also, make sure you read the detailed explanation of the WPA flaw to understand its implications.

see 2 comments

Cisco IOS violates RFC 2616 (HTTP/1.1)

Update 2012-08-27: Stefan de Kooter reported the bug had been fixed in IOS release 15.1(4)M.

I simply had to check with the RFC; by setting the Host: field of HTTP request to an IP address (instead of a host name), Cisco IOS violates section 14.23 of RFC 2616, which says:

The Host request-header field specifies the Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource ... The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL.
add comment

IOS HTTP client sets Host: field to IP address

Update 2012-08-27: Stefan de Kooter reported the bug had been fixed in IOS release 15.1(4)M.

If you run multiple web sites on a single physical server, it's highly likely that you rely on the ability of HTTP/1.1 clients to specify the Host: field in the HTTP request to indicate which web site they're trying to access.

Cisco IOS always inserts the web server's IP address (not the hostname) in the Host: field of the HTTP request, regardless of whether you enter IP address or hostname in the URL part of an IOS command that supports HTTP (for example, copy or more command) ... and regardless of whether the hostname is locally configured with the ip host command or resolved by an external DNS server specified in the ip name-server command.

End result: Cisco IOS-based routers (tested up to release 12.4(11)T) can access only the default web site on a web server hosting multiple web sites.

add comment

Home page for Cisco IOS web server

Another un(der)documented fact: when you access the router's home page (assuming HTTP or HTTPS server has been enabled), the router displays:
  1. The home.html file if it exists in any filesystem;
  2. The home.shtml file if it exists in any filesystem;
  3. a default page with links to exec, SDM, QDM and TAC support

Note: even though you can access home.html file on flash: device directly, that web page cannot reference any other file in flash: as a relative link unless you specify flash: as the default path for the HTTP requests with the ip http path flash: command.

see 2 comments

Disable command execution with Cisco IOS web server

If you give your users guest access to a router, you might want to disable some web-based applications the router usually offers (for example, command execution). To do this, use the following steps (first supported in IOS release 12.3(14)T, integrated in 12.4):
  1. List all the web applications your Cisco IOS supports with the show ip http server session-module command. By default, all web applications should be active.
  2. Create a subset of applications you want to activate with the ip http session-module-list list-name module-list. global configuration command, for example.
  3. ip http session-module-list NoExec HTTP_IFS,HOME_PAGE,QDM,QDM_SA,XML_Api,EzVPN-Web-Intercept
  4. Activate the desired applications with the ip http active-session-modules list-name configuration command (you should also use the ip http secure-active-session-modules command if you've enabled HTTPS server).
  5. Verify the results with the show ip http server session-module command. Only the applications listed in your module list should be active, all others should be inactive.
add comment

Include a default username/password in web request

I've got a great question related to a previous post:
Is there anyway to send the username and password with the URL request to the router so the user is not prompted for the login?
You can specify username and password as part of standard URL syntax http://username:password@host/rest-of-url, so to execute a show ip interface brief command you could use this URL (after configuring multilevel web access on the router):
Note: this syntax no longer works in Internet Explorer with latest security patches, please read for more information on how to re-enable this behavior.
add comment

Multilevel web (HTTP) access to a router

In some scenarios you want to use true username/password authentication when accessing the router's web server (by default, you have to use enable password). To change the HTTP authentication method, use the ip http authentication local configuration command; it tells the router to use local usernames and passwords when authentication web requests.

Before changing the HTTP authentication, you must define local usernames with the username username privilege-level level password password command, for example:
username guest privilege 1 password 0 guest
username admin privilege 15 password 0 admin
Note: unless you configure service password-encryption, the passwords in your configuration will remain in cleartext.

The last bit of the puzzle is the correct formation of the URLs: when executing a command on the router through a URL, you have to specify the required privilege level (the router will then prompt you for a username/password with at least that privilege level). The URL syntax is http://router/level/privilege-level/exec/command. For example, to execute non-privileged (level-1) show users command, use the following URL:
Note: the /CR suffix at the end of the URL tells the router to execute a command that contains optional (non-present) parameters.
add comment

Reload a router from VBScript or PERL with a HTTP (web) request

If you have HTTP enabled on your router, you can use it to automate router reloads through web requests. To enable HTTP on the router, use the following commands:
ip http server
ip http access-class 90
access-list 90 permit network-management-ip-address
The ip http access-class configuration command is vital - it limits the access to the web server on your router to well-defined IP addresses.

The Visual Basic script to reload the router is extremely simple (just save the following lines into a file called reload.vbs):
Const RouterIP = "" ' replace with router's IP address
Const EnablePassword = "password" ' replace with enable password

Set WebRq = CreateObject("MSXML2.XMLHTTP")
WebRq.Open "GET","http://" & RouterIP & "/level/15/exec/reload/CR",false,"Username",EnablePassword
And here is the equivalent PERL code for the open source community:
use LWP::UserAgent;

$routerIP = "";
$enablePwd = "password";

$ua = LWP::UserAgent->new;
$req = HTTP::Request->new(GET => "http://$routerIP/level/15/exec/reload/CR");
$req->authorization_basic('', $enablePwd);
print $ua->request($req)->as_string;
By default, the username specified in the web request is ignored by the router and the password has to be the enable password. Of course, if you change the authentication scheme on the router with the ip http authentication configuration command, you'd use proper username/password pair in the HTTP request.
add comment

Download Router Configuration to a Web Browser

If you have HTTP server enabled on your router (on by default in many IOS releases, enable with ip http server), you can download the current router configuration into your web browser simply by typing in the URL http://router/exec/show/running/full. To get the startup configuration, use http://router/exec/show/startup-config/CR.

Of course, you need to authenticate to the router. By default, you can use anything as the username and the enable-password as the password, but you also use local usernames or AAA authentication. To use local usernames, configure ip http authentication local and enter username and password with the username username privilege 15 password password configuration command.
see 4 comments

Use HTTP to Store Router Configurations on Web Server

It's been possible for a long time to use HTTP to download information from a web server to a router. In IOS release 12.3(2)T, integrated in 12.4 release, Cisco has introduced the ability to store local information (for example, router configurations) on a web server. To use this feature, configure the username and password giving you write access to the web server with:
ip http client username web-user
ip http client password secret-password
After the username and password have been configured, you can use copy running http: to copy router's configuration to a web server.
Note: on the web server, you have to configure the target virtual directory for write access (default: disabled) and allow file-system write access to the underlying physical directory for the target user.
Alternatively, you can specify the username and password in the URL using the copy running http://user:password@host/file syntax.
router#copy running http://student:[email protected]/router-config
Address or name of remote host []?
Destination filename [router]?
Storing http://student:[email protected]/router-config !!
4231 bytes copied in 0.864 secs (4897 bytes/sec)
see 2 comments