
username name [callback-line [tty] line-number [ending-line-number]]

username name [nocallback-verify]

username name [noescape] [nohangup]

username name [privilege level]

Syntax Description

name Host name, server name, user ID, or command name. The name argument can be only one word. White spaces and quotation marks are not allowed.

nopassword No password is required for this user to log in. This is usually most useful in combination with the autocommand keyword.

password Specifies a possibly encrypted password for this username.

password Password a user enters.

encryption-type (Optional) Single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using a Cisco-defined encryption algorithm.

encrypted-password Encrypted password a user enters.

password (Optional) Password to access the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

secret For CHAP authentication: specifies the secret for the local router or the remote device. The secret is encrypted when it is stored on the local router. The secret can consist of any string of up to 11 ASCII characters. There is no limit to the number of username and password combinations that can be specified, allowing any number of remote devices to be authenticated.

access-class (Optional) Specifies an outgoing access list that overrides the access list specified in the access-class line configuration command. It is used for the duration of the user's session.

number Access list number.

autocommand (Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.

command The command string. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.

callback-dialstring (Optional) For asynchronous callback only: permits you to specify a telephone number to pass to the DCE device.

telephone-number For asynchronous callback only: telephone number to pass to the DCE device.

callback-rotary (Optional) For asynchronous callback only: permits you to specify a rotary group number. The next available line in the rotary group is selected.

rotary-group-number For asynchronous callback only: integer between 1 and 100 that identifies the group of lines on which you want to enable a specific username for callback.

callback-line (Optional) For asynchronous callback only: specific line on which you enable a specific username for callback.

tty (Optional) For asynchronous callback only: standard asynchronous line.

line-number For asynchronous callback only: relative number of the terminal line (or the first line in a contiguous group) on which you want to enable a specific username for callback. Numbering begins with zero.

ending-line-number (Optional) Relative number of the last line in a contiguous group on which you want to enable a specific username for callback. If you omit the keyword (such as tty), then line-number and ending-line-number are absolute rather than relative line numbers.

nocallback-verify (Optional) Authentication not required for EXEC callback on the specified line.

noescape (Optional) Prevents a user from using an escape character on the host to which that user is connected.

nohangup (Optional) Prevents the security server from disconnecting the user after an automatic command (set up with the autocommand keyword) has completed. Instead, the user gets another login prompt.

privilege (Optional) Sets the privilege level for the user.

level (Optional) Number between 0 and 15 that specifies the privilege level for the user.

Default

None

Command Mode

Global configuration

Usage Guidelines

The following commands first appeared in Cisco IOS Release 10.0:

username name {nopassword | password password [encryption-type encrypted-password]}

username name password secret

username name [access-class number]

username name [autocommand command]

username name [noescape] [nohangup]

username name [privilege level]

The following commands first appeared in Cisco IOS Release 11.1:

username name [callback-dialstring telephone-number]

username name [callback-rotary rotary-group-number]

username name [callback-line [tty] line-number [ending-line-number]]

username name [nocallback-verify]

The username command provides username and/or password authentication for login purposes only. (Note that it does not provide username and/or password authentication for enable mode when the enable use-tacacs command is also configured.)

Multiple username commands can be used to specify options for a single user.

Add a username entry for each remote system that the local router communicates with and requires authentication from. The remote device must have a username entry for the local router. This entry must have the same password as the local router's entry for that remote device.

This command can be useful for defining usernames that get special treatment. For example, you can use this command to define an "info" username that does not require a password, but connects the user to a general purpose information service.

The username command is required as part of the configuration for the Challenge Handshake Authentication Protocol (CHAP). Add a username entry for each remote system the local router requires authentication from.

Note: To enable the local router to respond to remote CHAP challenges, one username name entry must be the same as the hostname name entry that has already been assigned to your router.

If there is no secret specified and the debug serial-interface command is enabled, an error is displayed when a link is established and the CHAP challenge is not implemented. CHAP debugging information is available using the debug serial-interface and debug serial-packet commands. For more information about debug commands, refer to the Debug Command Reference.

Examples

To implement a service similar to the UNIX who command, which can be entered at the login prompt and lists the current users of the router, the username command takes the following form:

username who nopassword nohangup autocommand show users

To implement an information service that does not require a password to be used, the command takes the following form:

username info nopassword noescape autocommand telnet nic.ddn.mil

To implement an ID that works even if the TACACS servers all break, the command takes the following form:

username superuser password superpassword

The following example configuration enables CHAP on interface serial 0. It also defines a password for the local server, Adam, and a remote server, Eve.

hostname Adam

interface serial 0

encapsulation ppp

ppp authentication chap

username Adam password oursystem

username Eve password theirsystem

When you look at your configuration file, the passwords will be encrypted and the display will look similar to the following:

hostname Adam

interface serial 0

encapsulation ppp

ppp authentication chap

username Adam password 7 1514040356

username Eve password 7 121F0A18
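As an added example (not part of the Cisco documentation above), the following Python script parses username lines from a running configuration like the ones shown and reports the settings the Usage Guidelines single out: nopassword entries, passwords stored with encryption type 0 (or with no type at all, which is also stored unencrypted), type 7 passwords (the Cisco-defined algorithm is reversible encryption, not a hash), and privilege 15 entries. It also checks the CHAP requirement from the Note, that one username entry match the hostname. The sample configuration is constructed here from the page's own example lines plus one extra "ops" line; the function names and finding labels are this example's own.

```python
import re

# Constructed sample running-config: the username lines shown on this page
# plus one extra "ops" line to exercise the explicit type-0 and privilege checks.
SAMPLE_CONFIG = """\
hostname Adam
interface serial 0
 encapsulation ppp
 ppp authentication chap
username who nopassword nohangup autocommand show users
username info nopassword noescape autocommand telnet nic.ddn.mil
username superuser password superpassword
username Adam password 7 1514040356
username Eve password 7 121F0A18
username ops privilege 15 password 0 plaintext
"""

USERNAME_RE = re.compile(r"^\s*username\s+(\S+)\s*(.*)$")


def parse_username_line(line):
    """Parse one `username` line into a dict; return None for any other line."""
    m = USERNAME_RE.match(line)
    if not m:
        return None
    entry = {"name": m.group(1), "nopassword": False, "password_type": None,
             "password": None, "privilege": None, "autocommand": None, "flags": []}
    tokens = m.group(2).split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "nopassword":
            entry["nopassword"] = True
            i += 1
        elif tok == "password":
            rest = tokens[i + 1:]
            # "password 7 <text>" / "password 0 <text>" carry an encryption type;
            # a bare "password <text>" is stored unencrypted, i.e. type 0.
            if len(rest) >= 2 and rest[0] in ("0", "7"):
                entry["password_type"], entry["password"] = int(rest[0]), rest[1]
            elif rest:
                entry["password_type"], entry["password"] = 0, rest[0]
            break  # password must be the last option on the line
        elif tok == "privilege" and i + 1 < len(tokens):
            entry["privilege"] = int(tokens[i + 1])
            i += 2
        elif tok == "autocommand":
            entry["autocommand"] = " ".join(tokens[i + 1:])
            break  # autocommand consumes the rest of the line
        elif tok == "access-class" and i + 1 < len(tokens):
            entry["flags"].append("access-class " + tokens[i + 1])
            i += 2
        else:
            entry["flags"].append(tok)  # noescape, nohangup, callback-* keywords
            i += 1
    return entry


def audit_config(text):
    """Return {username: [finding, ...]} for the weak settings discussed above."""
    findings = {}
    for line in text.splitlines():
        e = parse_username_line(line)
        if e is None:
            continue
        problems = []
        if e["nopassword"]:
            problems.append("nopassword")
        if e["password_type"] == 0:
            problems.append("plaintext")
        if e["password_type"] == 7:
            problems.append("type7-reversible")
        if e["privilege"] == 15:
            problems.append("privilege15")
        findings[e["name"]] = problems
    return findings


def chap_local_entry_present(text):
    """True if a username entry matches the hostname, as CHAP responses require."""
    host, names = None, set()
    for line in text.splitlines():
        hm = re.match(r"^\s*hostname\s+(\S+)", line)
        if hm:
            host = hm.group(1)
        e = parse_username_line(line)
        if e:
            names.add(e["name"])
    return host is not None and host in names


if __name__ == "__main__":
    for user, problems in audit_config(SAMPLE_CONFIG).items():
        print(f"{user:12} {', '.join(problems) or 'ok'}")
    print("CHAP local entry present:", chap_local_entry_present(SAMPLE_CONFIG))
```

Run it against a saved "show running-config" to get one line per user; an entry with an empty finding list is one that carries none of the settings the reference text flags.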

Related Commands

A dagger (†) indicates that the command is documented outside this chapter. Two daggers (††) indicate that the command is documented in the Debug Command Reference.

arap callback †

callback-forced-wait †

debug callback ††

ppp callback †

[12.8.8] A Word on Ascend Routers

Ascend routers are OK, but they're not as powerful or as configurable as Cisco, so we will not spend as much time on them. Actually we will not spend any time on them... The only thing we will say is that unless an administrator changes the password, the default password on an Ascend is either blank or ascend.

[13.0.0] Known NT/95/IE Holes

[13.0.1] WINS port 84

Found by NeonSurge (rhino9 team)

This is not a critical bug. It's actually more of a nuisance than anything else. If you telnet or stream data to port 84 of an NT server, it will cause an error to be recorded in the event log. On some systems, this can cause the hard drive to completely fill up with error messages, causing other applications to fail due to lack of drive space. The flaw will also cause the server to respond extremely slowly.

For the telnet attack, simply telnet to the WINS port on an NT server and type in garbage characters, hit enter and it will cause the event log entry.

The same effect was achieved by using an application called pepsi to stream UDP information to the same port.

[13.0.2] WindowsNT and SNMP

Found by Christopher Rouland (from ntsecurity.net)

Christopher writes:

I have found two significant "features" in the SNMP agent implementations under NT 4.0 Server, and I am sure there are more if I feel like really digging. The first issue I sent in earlier this year to Microsoft and received no response other than "expected behavior"; the second I just found, and it puts any large NT shop at a serious denial of service (DOS) risk.

1. This first exploit demonstrates the ability via SNMP to dump a list of all usernames in an NT domain (assuming the target box is a DC) or on an NT Server.

Here is the simplest NT example I could find to use this:

C:\NTRESKIT>snmputil walk public .1.3.6.1.4.1.77.1.2.25

should be a domain controller or server

2. The second exploit demonstrates the ability via SNMP to delete all of the records in a WINS database remotely, bypassing all NT security. If you understand large scale WINS architecture, you can understand the implications of this. Knowledge of SNMP community strings would allow an attacker to effectively shut down any large NT infrastructure with "N" commands (N=number of WINS servers). This is permitted due to the extensive "cmd" set implemented in the WINS extension agent, specifically:

cmdDeleteWins OBJECT-TYPE
    SYNTAX IpAddress
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION
        "This variable when set will cause all information pertaining to a WINS (data records, context information to be deleted from the local WINS. Use this only when owneraddress mapping tables getting to near capacity. NOTE: deletion of all information pertaining to the managed WINS is not permitted"
    ::= { cmd 3 }

Since the SNMP toolset implemented under NT will not do snmp-set-requests, my sample exploit was done using the CMU SNMP development kit under Unix. The command "rnjdev02:~/cmu$ snmpset -v 1 192.178.16.2 public .1.3.6.1.4.1.311.1.2.5.3.0 a 192.178.16.2" successfully entirely deleted my WINS database.

3. It appears that there are several other pieces of the LMMIB2 definition that allow for things such as remote session deletion or disconnect, etc., but I have not yet looked into them.

4. Stopping the Problem:

The simplest fix is to disable SNMP, or to remove the extension agents through the SNMP configuration in the registry.

If you MUST use SNMP, then at least block inbound access to that port. Be aware that using NT's various SNMP agents, a malicious intruder could gain knowledge about your entire network. In fact, they could quite easily gain everything they need to enter your network, except a password -- and those come in due time. BEWARE.
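The two SNMP operations Christopher describes are recognisable on the wire, which is what a network sensor in front of an NT SNMP agent would look for. The following Python decoder, an added example that is not part of his post, parses an SNMPv1 message from its BER encoding (version, community, PDU type, request id, varbinds) and flags three things: a default community string, a SetRequest into the WINS extension agent's cmd group (1.3.6.1.4.1.311.1.2.5, the parent of the cmdDeleteWins OID quoted above), and any read of the LanManager user table at .1.3.6.1.4.1.77.1.2.25. The two sample messages are hand-encoded here for the example, not captured traffic; the function names and finding labels are this example's own.

```python
# Minimal SNMPv1 (RFC 1157) BER decoder with detection rules for the two
# operations described in the post. Added example; sample messages constructed.

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
WEAK_COMMUNITIES = {"public", "private"}
WINS_CMD_GROUP = "1.3.6.1.4.1.311.1.2.5."   # parent of cmdDeleteWins (...5.3.0) quoted above
LANMAN_USER_TABLE = "1.3.6.1.4.1.77.1.2.25"  # walked with snmputil in the post

# Constructed sample 1: SetRequest, community "public", writes IpAddress
# 192.178.16.2 to 1.3.6.1.4.1.311.1.2.5.3.0 (the snmpset from the post).
WINS_DELETE_SET = bytes.fromhex(
    "302e"                          # SEQUENCE, 46 bytes
    "020100"                        # INTEGER version = 0 (SNMPv1)
    "04067075626c6963"              # OCTET STRING "public"
    "a321"                          # SetRequest PDU, 33 bytes
    "020101020100020100"            # request-id 1, error-status 0, error-index 0
    "3016" "3014"                   # VarBindList, VarBind
    "060c2b0601040182370102050300"  # OID 1.3.6.1.4.1.311.1.2.5.3.0
    "4004c0b21002"                  # IpAddress 192.178.16.2
)
# Constructed sample 2: GetNextRequest on the user table (the snmputil walk).
USER_LIST_GETNEXT = bytes.fromhex(
    "3027" "020100" "04067075626c6963"
    "a11a" "020101020100020100"
    "300f" "300d"
    "06092b060104014d010219"        # OID 1.3.6.1.4.1.77.1.2.25
    "0500"                          # NULL value
)


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_oid(value):
    """Expand BER sub-identifiers (first byte packs two arcs, then base-128)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_value(tag, value):
    if tag == 0x02:
        return decode_int(value)
    if tag == 0x04:
        return value.decode("latin-1")
    if tag == 0x05:
        return None                              # NULL (GetNext placeholder)
    if tag == 0x06:
        return decode_oid(value)
    if tag == 0x40:
        return ".".join(str(b) for b in value)   # IpAddress
    return value.hex()


def parse_snmpv1(msg):
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, req_id, p = read_tlv(pdu, 0)
    _, _err_status, p = read_tlv(pdu, p)
    _, _err_index, p = read_tlv(pdu, p)
    _, vblist, _ = read_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vblist):
        _, vb, p = read_tlv(vblist, p)
        _, oid, q = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, q)
        varbinds.append((decode_oid(oid), decode_value(vtag, val)))
    return {"version": decode_int(ver), "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": decode_int(req_id), "varbinds": varbinds}


def assess(msg):
    """Return (parsed message, list of finding labels) for one SNMPv1 datagram."""
    m, findings = parse_snmpv1(msg), []
    if m["community"] in WEAK_COMMUNITIES:
        findings.append("default-community")
    for oid, _ in m["varbinds"]:
        if m["pdu"] == "SetRequest" and oid.startswith(WINS_CMD_GROUP):
            findings.append("wins-cmd-set")
        if oid.startswith(LANMAN_USER_TABLE):
            findings.append("user-table-read")
    return m, findings


if __name__ == "__main__":
    for sample in (WINS_DELETE_SET, USER_LIST_GETNEXT):
        m, f = assess(sample)
        print(m["pdu"], m["community"], m["varbinds"], f)
```

The decoder only handles SNMPv1 and short- or long-form definite lengths, which is all these agents speak; a real sensor would feed it the UDP payload of each datagram to port 161 and alert on any "wins-cmd-set" hit regardless of the community string used.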

[13.0.3] Frontpage98 and Unix

Found by Marc Slemko (from netsecurity.net)

The attack was described most adequately by the discoverer:

Change History

Sat Oct 11 1997: Initial posting of web page

Wed Oct 15 1997: Microsoft posted a note responding to the issues raised. I am glad to see that they have plans to release the source of the revised version for review when it is complete. I will update this page with further comments when the fixed version is released.

Wed Oct 22 1997: Microsoft has released a new version of the extensions that claim to fix the security issues. I will comment further on the security of their proposed fix after I have time to review the changes. Check back here in a few days for my comments.

Introduction

The information below talks about using Microsoft's FrontPage 98 extensions with Apache on Unix with Microsoft's mod_frontpage changes. This does not apply to running it on any other server or to running it on Unix without the Microsoft mod_frontpage changes or to running it on Windows NT. There are, however, other security issues on such servers, some of which are similar to those in the FrontPage 97 extensions. I should also note that the Unix server extensions seem to be written in part or completely by Ready-to-Run Software Inc. (RTR) for Microsoft. I will refer to it as Microsoft's product because it is, no matter who wrote it. This discussion is specific to the FrontPage 98 extensions. For more general information on some security problems in earlier versions, some of which are resolved and some of which aren't, see Scott Fritchie's Why I Don't Like Microsoft's FrontPage Web Authoring Tool web page. Parts of it are no longer entirely relevant, but it provides a good background.

It is no secret that the security of the FrontPage 97 and earlier Unix server extensions is quite poor, if Microsoft's instructions are followed. Some of their instructions were quite hilarious when first released, like the suggestion of running your web server as root. It is possible to make them more acceptable--acceptable enough for some sites--but it requires careful work by the administrator.

It had appeared that Microsoft had increased the security of the extensions in the FP98 version available from Microsoft's Web Site. However, a closer examination reveals startling flaws. What they have done is make a small setuid root wrapper that the web server calls. This wrapper then setuid()s to the appropriate user and runs the requested FP CGI as that user. The problem lies in the fact that the wrapper ("fpexe") is written very poorly. While making such a wrapper secure can be difficult, the gaping holes in this program show a complete lack of understanding of security in the Unix environment.

The fpexe program is available for you to inspect yourself. It was originally posted in RTR's FrontPage FAQ. This version is not exactly the same as the one currently distributed (at least it is not the same as the one in the BSD/OS 2.1 kit), but it is close. Both appear to exhibit the same failings.

When I refer to the FP CGI programs, I am referring to the three files normally referenced under the _vti_bin directory: shtml.exe, admin.exe and author.exe.

The key in this discussion is the fact that nothing is stopping anyone from trying to run this fpexe wrapper. If they can trick it into running, they can possibly gain privileges they shouldn't.

How It Works

Before you can understand the holes in the FP server extensions, you need to understand what I mean when I talk about the "key". When the FrontPage-modified Apache server starts up, it generates a pseudo-random string of 128 ASCII characters as a key. This key is written to a file that is only readable by the user that starts Apache; normally root. The server then passes the key to fpexe. Since fpexe is setuid root, it can compare the key stored on disk with the one it was passed to be sure they match; if not, it refuses to run. This is used in an attempt to guarantee that the only thing calling fpexe is the web server. Used properly this is a powerful part of possible security precautions. I am not convinced that the generation of the key is cryptographically adequate and it may be subject to intelligent guessing attacks; however, I have not looked at it to see. As discussed later, the cryptographic robustness of the key doesn't really matter.

There are a number of problems with the setuid root fpexe program. I am not attempting a complete description of all the problems and their possible consequences and fixes, just making a light sweep over the top. The more obvious problems include:

Return codes from library calls are not properly checked. An example:

f = fopen( buf, "r" );   /* return value never checked: NULL if the key file cannot be opened */

fgets( key, 129, f );    /* return value never checked, and f may be NULL here */
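As an added example (not the fpexe source), here is the same fopen()/fgets() key check written so that every return value is tested: a missing key file, an empty or unreadable key file, a stored key of the wrong length, and a presented key of the wrong length each yield a distinct error instead of reading an uninitialised buffer or passing a NULL FILE pointer to fgets(), and the comparison runs in constant time over the full key. KEY_LEN follows the 128-character key described under How It Works; the status codes, function names, and the check_key_memory helper (which stages contents in a tmpfile() so the failure modes can be exercised without a real key file) are this example's own.

```c
/* Hardened key check for a setuid wrapper: added example, not fpexe's code.
 * KEY_LEN is the 128-character key described in the text above. */
#include <stdio.h>
#include <string.h>

#define KEY_LEN 128

enum key_status {
    KEY_OK = 0,          /* stored key matches the presented key            */
    KEY_ERR_OPEN = 1,    /* key file could not be opened (fopen gave NULL)  */
    KEY_ERR_READ = 2,    /* nothing could be read (empty file or I/O error) */
    KEY_ERR_LENGTH = 3,  /* stored key is not exactly KEY_LEN characters     */
    KEY_MISMATCH = 4     /* keys differ, or presented key has wrong length   */
};

/* Core check on an already-open stream. Every library result is tested and
 * the comparison touches all KEY_LEN bytes regardless of where they differ. */
static int check_key_stream(FILE *f, const char *presented)
{
    char stored[KEY_LEN + 2];   /* KEY_LEN chars, optional '\n', terminating NUL */
    unsigned char diff = 0;
    size_t i;

    if (f == NULL)
        return KEY_ERR_OPEN;
    if (fgets(stored, sizeof stored, f) == NULL)   /* the check fpexe omits */
        return KEY_ERR_READ;
    stored[strcspn(stored, "\n")] = '\0';
    if (strlen(stored) != KEY_LEN)
        return KEY_ERR_LENGTH;
    if (presented == NULL || strlen(presented) != KEY_LEN)
        return KEY_MISMATCH;
    for (i = 0; i < KEY_LEN; i++)
        diff |= (unsigned char)(stored[i] ^ presented[i]);
    memset(stored, 0, sizeof stored);               /* do not leave the key on the stack */
    return diff == 0 ? KEY_OK : KEY_MISMATCH;
}

/* Production entry point: read the key file at path and compare. */
int check_key_file(const char *path, const char *presented)
{
    FILE *f = fopen(path, "r");
    int rc;
    if (f == NULL)
        return KEY_ERR_OPEN;
    rc = check_key_stream(f, presented);
    fclose(f);
    return rc;
}

/* Test helper: stage arbitrary file contents in a tmpfile() and run the same
 * check, so each failure mode can be exercised without a real key file. */
int check_key_memory(const char *contents, size_t len, const char *presented)
{
    FILE *f = tmpfile();
    int rc;
    if (f == NULL)
        return KEY_ERR_OPEN;
    if (fwrite(contents, 1, len, f) != len || fseek(f, 0, SEEK_SET) != 0) {
        fclose(f);
        return KEY_ERR_OPEN;
    }
    rc = check_key_stream(f, presented);
    fclose(f);
    return rc;
}

/* Constructed 128-character sample keys (not real server keys). */
#define K16 "0123456789abcdef"
const char SAMPLE_KEY[] = K16 K16 K16 K16 K16 K16 K16 K16;
const char WRONG_KEY[]  = K16 K16 K16 K16 K16 K16 K16 "0123456789abcdeF";

int main(void)
{
    printf("good key:    %d\n", check_key_memory(SAMPLE_KEY, KEY_LEN, SAMPLE_KEY));
    printf("wrong key:   %d\n", check_key_memory(SAMPLE_KEY, KEY_LEN, WRONG_KEY));
    printf("empty file:  %d\n", check_key_memory("", 0, SAMPLE_KEY));
    printf("short file:  %d\n", check_key_memory("too short\n", 10, SAMPLE_KEY));
    printf("no file:     %d\n", check_key_file("/nonexistent/fp-key-file", SAMPLE_KEY));
    return 0;
}
```

The original snippet reaches fgets() with whatever fopen() returned and then compares whatever happens to be in key; this version refuses to run unless the file opened, a full-length key was actually read, and the presented key has the expected length, which is the minimum a setuid root program owes its caller.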