Re: Remote Cisco IOS FTP exploit

From: Russell L. Smoak <>
To: security curmudgeon <>
Cc: Andy Davis <>,,
Subject: Re: Remote Cisco IOS FTP exploit

Good morning,

Look in the 'Impact' section of the advisory.   We break out the
probable impact into a separate section.

In that section, we clearly state that arbitrary code execution is
possible.  We also included the access vector in the bug scoring
(Remote, no authentication required).

Hopefully it clarifies your question.

Here is the section:

Successful exploitation of these vulnerabilities may allow unauthorized,
remote users to access the filesystem on the IOS device, cause the
affected device to reload, or execute arbitrary code.

Unauthorized users could retrieve the device's startup-config file from
the filesystem. This file may contain information that could allow the
attacker to gain escalated privileges.

Repeated exploitation of the vulnerabilities could lead to an extended
Denial of Service (DoS).


security curmudgeon wrote:
> (Note the date, late reply I know..)
> On Tue, 29 Jul 2008, Andy Davis wrote:
> : The IOS FTP server vulnerabilities were published in an advisory by 
> : Cisco in May 2007. The FTP server does not run by default, it is not 
> : widely used and has since been removed from new versions of IOS. 
> : Therefore, I took the decision to release this exploit code in order to 
> : show that IOS can be reliably exploited to provide remote level 15 exec 
> : shell access. This clearly demonstrates that patching your router is 
> : just as important as patching your servers.
> :  Cisco IOS FTP server remote exploit by Andy Davis 2008
> : 
> :  Cisco Advisory ID: cisco-sa-20070509-iosftp - May 2007
> From the Cisco advisory:
>   The Cisco IOS FTP Server feature contains multiple vulnerabilities that 
>   can result in a denial of service (DoS) condition, improper verification 
>   of user credentials, and the ability to retrieve or write any file from 
>   the device filesystem, including the device's saved configuration. This 
>   configuration file may include passwords or other sensitive information.
> None of those sound like "remote overflow" to me. If this exploit code 
> included in this mail is accurate, that means the Cisco advisory used 
> crafty wording to hide the nate of the bug. Given they scored CSCek55259 / 
> CVE-2007-2586 as 10.0 (and the other issue 2.0), that means that "improper 
> verification of user credentials" and "Improper authorization checking in 
> IOS FTP server" is really "remote overflow that allows unauthenticated 
> code execution".
> Andy or Cisco, could you confirm?


*Russell Smoak*
*Director, Technical Svcs *
* Security Operations and Research **
* <>
Phone :*615 791 0972*
Mobile :*615 545 6473


*Cisco Systems, Inc.*
1604 Championship Blvd.,
Franklin, TN 37064
USA <>


This e-mail may contain confidential and privileged material for the
sole use of the intended
recipient. Any review, use, distribution or disclosure by others is
strictly prohibited.
If you are not the intended recipient (or authorized to receive for the
recipient), please
contact the sender by reply e-mail and delete all copies of this message.

Copyright © 1995-2019 All rights reserved.