SUMMARY: A wierd clear text password problem with snoop...

From: Raymond Bero (bero@lternet.washington.edu)
Date: Mon Dec 01 1997 - 20:20:35 CST


Hello!
        Ok, here is what I found out. First of all, when it
says '(Loopback)' it doesn't mean the loopback interface on the snoop'ing
machine. The '(loopback)' shown below is referring to the 'Type=9000'
ether net protocol called the 'Configuration Test Protocol'.
        It turns out that my Cisco terminal server was setup to send out
keepalive packets over its ether device using this protocol. For some
extremely bad reason, this keepalive packet seems to always contain the
username and password of the last user to logon to my termeinal server!
It's like the Cisco box needs some data to put in this packet and it gets
it from the top of some buffer somewhere. When I talked to Cisco people
they said it was a bug in there IOS software that deals with tacacs. They
claimed this has been a problem since IOS version 9.21. I'm using IOS
version 10.2. It wouldn't surprise to find out its still a problem in there
latest IOS version 11.2, although I haven't got a way to verify it.
        
        The important thing to note is that it wasn't my sun box. Thanks
for all those with suggestions and concerns. The original posting is below.

Ray Bero

Original problem description...

> Hello,
> I was running snoop today trying to track down some network
> goofiness. I was reading through some of the output files with
> 'snoop -V -x 0...' and sprinkled through out are some entries of the
> form...
>
> ________________________________
> 806 0.03368 ? -> * ETHER Type=9000 (Loopback),
> size = 118 bytes
>
> 0: 0000 0c47 285f 0000 0c47 285f 9000 0000 ...G(_...G(_....
> 16: 0100 0604 0001 0000 0c47 285f 805f 2409 .........G(_._$.
> 32: 0000 0c02 5ac5 cf57 0685 0000 0000 0000 ....Z..W........
> 48: 0000 0000 0000 0000 0000 0000 0004 0000 ................
> 64: 0000 0000 UUUU UUUU PPPP PPPP PPPP PPPP ....UUUUPPPPPPPP
> 80: 797a 442a 2f32 7847 5f5a 7b5a 6c31 7820 yzD*/2xG_Z{Zl1x
> 96: 7231 3962 7b56 232d 3a29 0000 0000 0000 r19b{V#-:)......
> 112: 0000 0000 0000 ......
> ________________________________
>
> Only the UUUU is replaced with my username and the PPPPPPPP with my
> password in clear text! We've recently dealt with a hacker, so I'm a bit
> concerned about this. I even rebooted a machine, telneted to it as root,
> and snoop still shows MY user name and password about twice every 10 second
> snoop interval. To the Loopback interface?
>
> I'm sure there is a logical explanation? Don't I sound sure? :)
>
> I'm running Solaris 2.4 and 2.5.1. This seems to be the case and all the
> machines I checked for this on.
>
> Any insight would be greatly appreciated. Thanks.
>
> Ray Bero
> bero@lternet.edu
>
>
>



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:10 CDT