I had an unpleasant surprise when I connected a new Cisco 887W router I had just configured to the Internet via its ADSL interface.
As it was the first time I worked with an 887, I did an nmap scan of its ADSL interface to check that I had closed all ports. Surprise: ports 2002, 4002, 6002 and 9002 were open. Even bigger surprise: I could log on via telnet to these ports with the default password, although I had changed it…

I’m omitting the details of how I figured out what went wrong, so here is the explanation.
The 887W has a wireless interface. But in this particular router, the wireless interface is not integrated in IOS (that’s Cisco’s IOS, not Apple’s iOS) as it is in other wireless routers such as the 877W. In the 887W, the wireless interface is a service module with its own IOS and its own configuration. The two devices communicate with each other via a Gigabit interface.
The router IOS can be accessed via the serial console. The wireless IOS cannot (at least not directly).
To list the installed service modules, you issue the service-module ? command on the router CLI:
wlan-ap Service module interface to embedded AP
To access the wireless CLI, you issue the service-module wlan-ap0 session command on the router CLI, and you get a telnet session on the wireless CLI. After I configured and hardened the wireless IOS, the ports were still open. The service-module wlan-ap0 status command displays the following information:
Service Module is Cisco wlan-ap0
Service Module supports session via TTY line 2
Service Module is in Steady state
Service Module reset on error is disabled
Service Module heartbeat-reset is enabled
Getting status from the Service Module, please wait..
Image path = flash:/ap801-k9w7-mx.124-21a.JA1/ap801-k9w7-mx.124-21a.JA1
System uptime = 1 day, 6 hours, 0 minutes, 51 seconds
Notice that the session is accessible via the router’s TTY line 2. After I put an ACL on this tty (from the router CLI) to deny all traffic not originating from the internal network, all 4 ports were closed on the ADSL interface.
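As an added illustration (not the configuration from the original post), this is the shape such a line ACL takes in IOS: a standard access list naming the internal network, applied inbound on line 2 with access-class. The internal prefix 192.168.1.0/24 and the ACL name INTERNAL-ONLY are assumptions; substitute your own.

```cisco
! Added example, not the post's own configuration.
! Assumption: the internal LAN is 192.168.1.0/24 (adjust to your addressing).
! Ports 2002, 4002, 6002 and 9002 are the reverse-telnet ports for line 2,
! so restricting who may open a session on line 2 closes all four of them.
ip access-list standard INTERNAL-ONLY
 permit 192.168.1.0 0.0.0.255
 deny   any log
!
line 2
 access-class INTERNAL-ONLY in
!
! Verify from the router CLI, then rescan the ADSL interface from outside:
!   show access-lists INTERNAL-ONLY   (hit counts on the deny line show blocked attempts)
!   show line 2                       (confirms the access-class is applied)
```

The deny entry logs so that connection attempts against the service-module ports from the WAN side show up in the router log.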
Another detail good to know: when you are connected to tty2, all four ports are closed (because you can have only one session on tty2).
I don’t think that many would have done such investigating … but your name is Didier Stevens after all!
Do you think it’s an accident or by design? Have you considered asking Cisco about it? If it is a bug, surely they would be very interested to know about it and do something about it immediately?
Comment by Iain — Wednesday 5 October 2011 @ 15:55
@Iain No, I don’t think those ports are open by accident. @qxam told me he has seen this too with other service modules.
Comment by Didier Stevens — Wednesday 5 October 2011 @ 16:01
It’s scary how much stuff is open on the WAN interface of home routers (which, admittedly, Cisco gear isn’t). For example D-Link 502's give you direct access to the ADSL modem on the router via port 22 (!!), which I found as I did a token scan and wondered why SSH was running on there (it wasn’t, it’s just listening on port 22 for anything that comes in over the WAN, with no way to disable it).
Comment by Dave — Saturday 8 October 2011 @ 0:33