Cisco RVS 4000 vulnerabilities
About Cisco router
Cisco RVS 4000 is a small-business class security router which offers features such as firewall, IPS and VPN. The router can be managed via a web management console.
The vulnerabilities were tested on firmware: V2.0.0.3 (newest available at the time).

Image from Cisco.com
Compromise
- After you make a backup of the router (using the built-in web management), the system creates a file named 'Routercfg.cfg'. The file can be accessed through web management without authentication. If web management is open to the WAN, then the config can be accessed remotely from the WAN (Internet). Routercfg.cfg is hosted on the router until the next reboot.
The file has all router configuration in plain text (including web management passwords, VPN PSK keys, etc).
- When you are logged in to the web administration, a simple injection in the underlying web application leads to OS root access.
Many characters lead to injection, including at least:
- ;
- &
- |
- `` (backquotes)
- %0a (newline)
- $
- >
OS exec as root can be performed in two places:
- ping functionality (administration tab)
- traceroute functionality (administration tab)
- On the router there is also a possibility to get unauthenticated access to an SSL certificate, with the private key included (used for VPN functionality on the machine), by just making a GET request to ROUTER_IP/RVS4000_Admin.pem
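As an added example, not part of the original advisory, here is a defender-side check: a small Python script that scans HTTP access logs (from a proxy or a capture in front of the router) for fetches of the two unauthenticated files named above and for the listed shell metacharacters appearing in request parameters. The endpoint name diag.cgi, the parameter name host and the log lines themselves are constructed placeholders, not the router's real form names.

```python
import re
from urllib.parse import parse_qs, urlparse

# Files the advisory says the RVS4000 serves without authentication.
UNAUTH_FILES = {"/Routercfg.cfg", "/RVS4000_Admin.pem"}

# Shell metacharacters the advisory lists as sufficient for injection
# (backquote, ;, &, |, $, > and newline, the decoded form of %0a).
INJECT_CHARS = re.compile(r"[;&|`$>\n]")

# Common/combined log format, only the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

def inspect_request(line):
    """Return a list of (finding, detail) tuples for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlparse(m.group("target"))
    findings = []
    # 1. Successful download of the backup or the VPN cert/private key.
    #    A 404 means the file is not present (it exists only until reboot).
    if url.path in UNAUTH_FILES and m.group("status") == "200":
        findings.append(("unauthenticated-file-download", url.path))
    # 2. Shell metacharacters in any query parameter (parse_qs decodes %XX,
    #    so %0a arrives as a real newline and %3B as ';').
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            if INJECT_CHARS.search(value):
                findings.append(("shell-metachar-in-parameter", name))
    return findings

# Constructed sample lines (not real traffic); 192.0.2.0/24 is documentation space.
SAMPLE_LOG = """\
192.0.2.10 - - [25/May/2011:10:00:01 +0200] "GET /Routercfg.cfg HTTP/1.1" 200 4120
192.0.2.10 - - [25/May/2011:10:00:05 +0200] "GET /RVS4000_Admin.pem HTTP/1.1" 200 3001
192.0.2.11 - - [25/May/2011:10:01:00 +0200] "GET /diag.cgi?host=192.0.2.1 HTTP/1.1" 200 512
192.0.2.11 - - [25/May/2011:10:01:07 +0200] "GET /diag.cgi?host=192.0.2.1%3Bid HTTP/1.1" 200 600
192.0.2.12 - - [25/May/2011:10:02:00 +0200] "GET /Routercfg.cfg HTTP/1.1" 404 210
"""

def scan(log_text):
    """Map each flagged line number (1-based) to its findings."""
    flagged = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        findings = inspect_request(line)
        if findings:
            flagged[n] = findings
    return flagged
```

If the ping/traceroute forms submit via POST, the parameter values never reach an access log; apply the same metacharacter check to request bodies at a proxy or WAF instead.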
Vendor's reaction / issue history
- The research was performed in late 2010.
- 31.01.2011 - full disclosure sent to the vendor
- 03.02.2011 - PSIRT ID assigned
- 11.04.2011 - got information that all vulnerabilities were reproduced on the newest "test" firmware V2.0.2.5
- 25.05.2011 - Cisco public announcement
- 25.05.2011 - public disclosure
Research / contact
- We are performing research on web management interfaces of network appliances. If you want to help, feel free to contact us at devices_hacking@securitum.pl
Disclaimer
- All the information is provided for educational use only.
- We strongly discourage using the information for cracking / illegal purposes.
- We are not responsible for damages made to your router - play with your router carefully.
Michal Sajdak
michal.sajdak@securitum.pl