
Cisco RVS 4000 vulnerabilities

About Cisco router

The Cisco RVS 4000 is a small business class security router which offers features such as a firewall, IPS and VPN. The router is managed via a web management console.

The vulnerabilities were tested on firmware V2.0.0.3 (the newest available at the time).

[Image of the router, from Cisco.com]

Compromise

  1. After you make a backup of the router configuration (using the built-in web management), the system creates a file named 'Routercfg.cfg'. The file can be accessed through the web management interface without authentication. If web management is open to the WAN, the config can be fetched remotely from the WAN (Internet). Routercfg.cfg stays hosted on the router until the next reboot.

     The file contains the whole router configuration in plain text (including web management passwords, VPN PSK keys, etc.). Click the image below for details.

  2. [Screenshot: config access]

  3. When you are logged in to the web administration, a simple injection in the underlying web application leads to OS root access.
  4. Many characters lead to injection, including at least:

    • ;
    • &
    • |
    • `` (backquotes)
    • %0a (newline)
    • $
    • >

    OS command execution as root can be performed in two places:

    • ping functionality (administration tab)
    • traceroute functionality (administration tab)

     

    ping exec

    tracert exec


     

  5. On the router there is also a possibility of unauthenticated access to an SSL certificate with the private key included (used for the VPN functionality on the device), by just making a GET request to ROUTER_IP/RVS4000_Admin.pem

     [Screenshot: Cert ssl]
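Both unauthenticated file exposures on this page (Routercfg.cfg from point 1 and RVS4000_Admin.pem from point 5) are easy to spot in access logs if anything in front of the management port logs requests. The following is an added example, not part of the original advisory: a small detector in Python that parses Combined Log Format lines (as a reverse proxy or sensor placed in front of the router would write them) and flags any request for those two paths, rating a successful fetch from outside the LAN highest. The log lines are constructed samples, and treating RFC 1918 space as "the LAN" is an assumption.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# The two paths the advisory reports as fetchable without authentication.
SENSITIVE_PATHS = {"/routercfg.cfg", "/rvs4000_admin.pem"}

# Assumption: the router's LAN side uses RFC 1918 space (plus loopback and
# link-local); any other source address is treated as WAN-side.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Combined Log Format: src ident user [time] "METHOD target proto" status size ...
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic): a WAN fetch of the config,
# a LAN fetch of the certificate, a harmless page view, and a WAN probe that 404s.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/May/2011:10:15:02 +0200] "GET /Routercfg.cfg HTTP/1.1" 200 18231 "-" "curl/7.21.0"',
    '192.168.1.23 - - [25/May/2011:10:16:40 +0200] "GET /RVS4000_Admin.pem HTTP/1.1" 200 3417 "-" "Mozilla/5.0"',
    '192.168.1.23 - - [25/May/2011:10:17:01 +0200] "GET /index.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/May/2011:10:18:12 +0200] "GET /Routercfg.cfg?x=1 HTTP/1.1" 404 210 "-" "curl/7.21.0"',
]


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_wan_source(addr: str) -> bool:
    """True when the source address is outside the assumed LAN ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in LAN_NETWORKS)


def flag_exposures(lines: List[str]) -> List[Dict[str, object]]:
    """Flag every request for a sensitive path. A 200 means the file was served
    ("exposure"); any other status is still a "probe" worth recording."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        path = rec["target"].split("?", 1)[0].lower()
        if path not in SENSITIVE_PATHS:
            continue
        served = rec["status"] == "200"
        wan = is_wan_source(rec["src"])
        findings.append({
            "src": rec["src"],
            "path": path,
            "kind": "exposure" if served else "probe",
            "from_wan": wan,
            "severity": "high" if served and wan else ("medium" if served else "low"),
            "time": rec["ts"],
        })
    return findings


if __name__ == "__main__":
    for f in flag_exposures(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['kind']:8} {f['src']:14} {f['path']} ({f['time']})")
```

A 200 for Routercfg.cfg is a confirmed credential and PSK leak regardless of source, so the detector keeps LAN-side fetches as findings too; the WAN/LAN split only drives severity.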

Vendor's reaction / issue history

  • The research was performed in late 2010.
  • 31.01.2011 - full disclosure sent to the vendor
  • 03.02.2011 - PSIRT ID assigned
  • 11.04.2011 - got info that all vulnerabilities were reproduced on the newest "test" firmware "V2.0.2.5"
  • 25.05.2011 - Cisco public announcement
  • 25.05.2011 - public disclosure

Research / contact

  • We are performing research on web management interfaces of network appliances. If you want to help, feel free to contact us at devices_hacking@securitum.pl

Disclaimer

  • All the information is provided for educational use only.
  • We strongly discourage using the information for cracking / illegal purposes.
  • We are not responsible for damage done to your router - play with your router carefully.

 

Michal Sajdak
michal.sajdak@securitum.pl
