Cisco 6509 switch telnet vulnerability
A vulnerability has been found on Cisco 6509 switches. The vulnerability was
found to work on 2 different Cisco 6509 switches running CATOS 5.4(2) and
5.5(2). The vulnerability can lead to information and commands being exectued
on the remote switch from the login prompt. Commands can be exectued at the
Enter password: prompt as long as they are followed by a space and a ?
Proof of concept below:
Cisco Systems Console
Enter password:
<data_size> Size of the packet (0..1420)
<cr>
Enter password: traceroute 127.0.0.1
This vulnerability has yet to be confirmed by Cisco but they have been alerted
about it.