COMMAND

    Cisco

SYSTEMS AFFECTED

    Cisco CBOS v2.3.0.053

PROBLEM

    Povl H. Pedersen found  a strange bug in  Cisco CBOS on the  Cisco
    677 ADSL router.

        cbos#sh ver

        Cisco Broadband Operating System
        CBOS (tm) 677 Software (C677-I-M), Version v2.3.0.053 - Release Software
        Copyright (c) 1986-2000 by cisco Systems, Inc.
        Compiled Feb 13 2000 17:19:50
        DMT firmware version 0x2219be04
        NVRAM image at 0x1032cd00

    He had doing  a "sh nat"  with a very  long listing in  one telnet
    session.   When  he  telnetted  from  another  machine,  the  c677
    switched output to that connection before prompting for password.

    The listing would continue in whatever telnet window had the  last
    keypress.  Also seemd to screw up something on the first terminal.

    Matthew Rench  confirmed that  this bug  exists in  CBOS v2.4.1 as
    well.

SOLUTION

    Cisco  confirmed  this  is  indeed  true.   This behavior has been
    reported to them, prior this posting, by Knud Erik Højgaard.

    Cisco  are  working  on  a  fix  for  this.  To  the best of their
    knowledge, this trick can be performed only by using this command,
    "sh nat".   Apparently, this  can not  be reproduced  by any other
    command, most  notably "sh  conf" can  not be  exploited this way.
    Even this  current behavior  is not  acceptable but,  it seems so,
    one can not grab the router's configuration this way.

    In addition to this, please note that you can only see the  output
    from the first session.  The  second session is not logged in  and
    you can not  execute any commands  in it (unless  you actually log
    in).  Also, only output of  a single command is displayed and  all
    subsequent  commands  will  be  displayed  in  the  right  session
    (unless you trigger this vulnerability with "sh nat" again).