Sunday, November 04, 2007

Some previously disclosed Cisco CLI Vulns, the joys of youth hockey practice, and fuzzing like a ninja

The highlight of my Sunday is my son's hockey practice at the Skatium here in Skokie. Among the more amusing things that almost always happen:
  • One of the parents (who acts & looks like a coach, but I don't think he is) arguing with the real coach about religion (the parent is a Christian, probably fundamentalist, and the coach is Jewish, I assume)
  • Eight and nine year olds tripping and falling on the ice and occasionally doing some nasty checks on each other (usually unintentionally)
  • The previously mentioned parent (who is out on the ice for some reason, has a flattop and is a damn good skater) doing "hockey stops" (resulting in a shower of ice fragments) in the faces of kids. Today he also banged on his son's knee with his stick shouting "knees can't get hurt" while his son was flat on his back, not wanting to get up.
All good stuff. But other than that (and the upcoming election of the 12th Bishop of the Episcopal Diocese of Chicago), today I've been sort of fixated on CLI vulnerabilities after my last blog entry on the futility of router vuln work in 2008 and Thomas's Quarterly Affirmation (reversing IOS images is not an option for a whole lot of reasons), so I was curious what was out there:

In cisco-sa-20060712-cucm we see this
The CallManager CLI provides a backup management interface to the system in order to diagnose and troubleshoot the primary HTTPS-based management interfaces. The CLI, which runs as the root user, contains two vulnerabilities in the parsing of commands. The first vulnerability may allow an authenticated CUCM administrator to execute arbitrary operating system programs as the root user. The second vulnerability may allow output redirection of a command to a file or a folder specified on the command line.
And in cisco-sa-20010131-arrowpoint-cli-fs
The Cisco CSS11000 must be configured to permit command line access to users by providing a management address and defining user accounts. Once command line access is gained by non privileged users (defined user accounts without administrative privileges), running a command requiring a filename, and providing a filename that is the maximum length of the input buffer can cause the switch to reboot, and a system check to be started which will prevent normal function of the switch for up to 5 minutes. The show script, clear script, show archive, clear archive, show log, and clear log commands are capable of causing the CSS to restart if the specified file name is the maximum length of the input buffer. Cisco Bug ID CSCdt08730.
And from cisco-sa-20060719-mars
The CS-MARS CLI is a restricted shell environment which allows authenticated administrators to perform system maintenance tasks. The CLI contains several privilege escalation vulnerabilities which may allow shell commands to be executed on the underlying appliance operating system with root privileges. These vulnerabilities are documented by Cisco bug IDs CSCsd29111, CSCsd31371, CSCsd31377, CSCsd31392 and CSCsd31972.
And from the Cisco Security Response "Cisco IOS Reload on Regular Expression Processing":
Some regular expressions that make use of combined repetition operators ('*' or '+') and pattern recalls ("\1", "\2", etc.) into the same expression may result in a stack overflow on the Cisco IOS regular expression engine. A stack overflow will result in a reload of the device.
Given the ubiquity of dumb (IOS-like) shells on network devices (and not just on Cisco boxes), it would appear that this might be fertile ground for a tool that:
  • Allowed you to connect to various transports (SSH, Telnet, serial)
  • Supported authenticated and unauthenticated sessions, and the various privilege levels and configuration modes (the CUCM, CS-MARS and CSS bugs above are all post-authentication, and the CSS one is reachable by non-privileged accounts)
  • Used the shell's built-in command expansion and help documentation ("?", tab completion) to map out the available commands and their syntax. Depending on how helpful the shell is, you could probably pre-populate payloads for the common parameter types that have to be parsed (IP addresses, netmasks, filenames, regular expressions, hashes, etc.)
  • Leveraged an existing fuzzing/fault injection framework, so you wouldn't have to write your own generators for control characters, malformed or over-long arguments, output redirection sequences, and the like
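Here is what that sketch might look like in Python. This is an added example, not code from the original post and not any existing tool. The target is a constructed, in-process fake of an IOS-like shell so that the example runs offline; its one planted bug copies the CSS11000 behaviour quoted above (a filename exactly as long as the input buffer "reloads" the device). Everything else (the command table, INPUT_BUF, the crash signature, the placeholder names) is an assumption made for the example.

```python
"""CLI fuzzer sketch for IOS-like shells (added example, not from the post).

FakeShell is a constructed stand-in for a device CLI so this runs offline.  Its
one deliberate bug mimics the CSS11000 advisory: a filename argument exactly
INPUT_BUF bytes long "reloads" the box.  The command table, INPUT_BUF and the
crash signature are all assumptions for the example.
"""
import re

INPUT_BUF = 64  # constructed: maximum argument length the fake shell accepts

# Responses that mean the target died rather than rejected the input.
CRASH_RE = re.compile(r"RELOAD|Traceback|stack overflow|core dumped", re.I)


class FakeShell:
    """Constructed IOS-like shell with '?' help expansion and a few commands.

    A real transport (an SSH channel, telnet or a serial port) would expose the
    same send(line) -> str interface, plus prompt and pager handling.
    """
    # full command -> placeholder printed by help (None means the command takes <cr>)
    COMMANDS = {
        "show version": None,
        "show log": "FILENAME",
        "show archive": "FILENAME",
        "clear log": "FILENAME",
        "ip as-path access-list": "REGEXP",
    }

    def __init__(self):
        self.reloaded = False

    def send(self, line):
        words = line.split()
        if words and words[-1] == "?":                          # help expansion
            prefix = " ".join(words[:-1])
            if prefix in self.COMMANDS:                         # leaf: show argument type
                arg = self.COMMANDS[prefix]
                return f"  {arg}" if arg else "  <cr>"
            subs = sorted({cmd[len(prefix):].split()[0] for cmd in self.COMMANDS
                           if cmd.startswith(prefix + " " if prefix else "")})
            return "\n".join(f"  {s}" for s in subs) or "% Unrecognized command"
        for cmd in sorted(self.COMMANDS, key=len, reverse=True):  # longest match wins
            if line == cmd or line.startswith(cmd + " "):
                arg, kind = line[len(cmd):].strip(), self.COMMANDS[cmd]
                if kind == "FILENAME" and len(arg) == INPUT_BUF:   # the planted bug
                    self.reloaded = True
                    return "%SYS-5-RELOAD: Reload requested"       # constructed signature
                if kind == "REGEXP":
                    try:
                        re.compile(arg)
                    except re.error:
                        return "% Invalid regular expression"
                return "OK"
        return "% Invalid input detected at '^' marker."


def map_commands(shell, prefix="", depth=0, max_depth=5):
    """Walk the '?' help tree; return {command: argument placeholder or None}."""
    found = {}
    if depth > max_depth:                                       # guard against huge trees
        return found
    for line in shell.send(f"{prefix} ?".strip()).splitlines():
        tok = line.strip()
        if not tok or tok.startswith("%"):
            continue
        if tok == "<cr>":
            found[prefix] = None
        elif tok.isupper():                                     # placeholder: FILENAME, REGEXP
            found[prefix] = tok
        else:
            found.update(map_commands(shell, f"{prefix} {tok}".strip(), depth + 1, max_depth))
    return found


def payloads(kind):
    """Malformed arguments per placeholder type, modelled on the advisories above."""
    if kind == "FILENAME":
        return ["a" * (INPUT_BUF - 1), "a" * INPUT_BUF, "a" * (INPUT_BUF + 1),  # buffer edges
                "../../etc/passwd", "f; id", "f | include .", "f > /tmp/o",     # redirection/escape
                "x\x00y", "x\x1b[2Jy", "\r".join(["f"] * 3)]                     # control characters
    if kind == "REGEXP":
        return ["(a+)+\\1", "(.*)*\\1\\2", "(", "^" * 200]          # repetition plus pattern recall
    return ["\x7f" * 16, "\xff" * 16]                               # no argument: binary noise


def fuzz(shell, commands):
    """Send every payload to every mapped command; return the cases that looked fatal."""
    hits = []
    for cmd, kind in sorted(commands.items()):
        for p in payloads(kind):
            resp = shell.send(f"{cmd} {p}".strip())
            if CRASH_RE.search(resp):
                hits.append((cmd, p, resp))
    return hits


if __name__ == "__main__":
    target = FakeShell()
    for cmd, p, resp in fuzz(target, map_commands(target)):
        print(f"{cmd!r} with {len(p)}-byte argument -> {resp}")
```

To point this at real hardware you replace FakeShell with a class whose send() writes a line to the SSH/Telnet/serial session and reads back to the prompt; the mapper and the payload generator do not change. The fake keeps answering after it "reloads", which is why one pass collects all three hits; a real tool needs reconnect and crash-confirmation logic, since a device that has actually reloaded stops talking for minutes and every later case in the run is noise until it is back.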
Although this is sort of intriguing, I doubt I have the time to pull this off. And if I've managed to sketch up this idea, somebody has probably already written a tool like this somewhere. And if not, it would certainly be a more useful project than what they are teaching the kidz these days at Berkeley. Of course I'm probably just bitter that I couldn't get into any dept. there, let alone that one. Yeah, some parent's hard-earned cash is going towards having their little one learn how to "fuzz like a Ninja."
