Patrick Harper reported seeing attempts to access the http server in cisco routers with an old exploit (reported and fix in 2001) using level 16 to bypass authentication like this:
GET /level/16/exec/-///pwd HTTP/1.0
He reported seeing this traffic from many sources.
This has been fixed in IOS some time ago. However someone thinks they can get lucky and find some out of date routers.
Handler Don Smith advises: "Reporting this to the ISPs is a good idea.
They are often interested in anyone who is trying to break into a router:)"
One interesting property of this traffic is that it is not spoofed, a TCP 3-way handshake must be completed with the target before sending HTTP data such as a GET. That is true of all TCP based scans. TCPDUMP shows a P for PUSH so both ends are really talking. In a spoofed scan you never get farther than SYN. The SYN-ACK is sent back to the spoofed source who drops it most likely.
AAA.BBB.CCC.DDD.1873 > WWW.XXX.YYY.ZZZ.http: P [tcp sum ok] 99999
13645:1403813683(38) ack 221455884 win 64860 (DF) (ttl 107, id 46390, len 78)
2. The exploit is an old one, so why is it in circulation again?
Here is the original advisory form Cisco:
Best practices dictate turning off all unused services on a host. So go to your border router and if it does now have
"no ip http server"
in the configuration add it now. This will prevent this or any new http exploit from working on your router.
Some old tricks keep coming back, and Patrick thanks for sharing.
Feb 7th 2006
1 decade ago