[c-nsp] Cisco IOS-XE 3S platforms Series Root Shell License Bypass Vulnerability

Saku Ytti saku at ytti.fi
Sun Feb 28 07:23:17 EST 2016


On 28 February 2016 at 04:18, Robert Hass <robhass at gmail.com> wrote:

Hey,

> I'm looking for exploitation of issue 'Cisco IOS-XE 3S platforms Series
> Root Shell License Bypass Vulnerability' (CSCuv93130). I would like to
> check if it's really working on my Ciscos running IOS XE. Anyone have
> a recipe for how to do it?

At least on the 3650, 2+ years ago, when going to the Linux shell the following happened:

1) shell_wrapper asks the code_sign_verify_nova_pkg binary to verify the challenge response
2) code_sign_verify_nova_pkg encrypts/signs the challenge with PKI and
compares it to the response, returning 0 on a match and something else if not
3) however, shell_wrapper does not call code_sign_verify_nova_pkg
securely, with the binary and arguments separated; instead it calls it through
shell expansion
4) the IOS user controls the response
5) so if you make the response '||/bin/true' you'll pass the challenge
and get to the Linux shell

I didn't report this, because I don't view it as a bug. It's my device,
I've authenticated myself to the IOS shell, I should be able to access
the Linux shell.

There were other vectors as well:
with the DISABLE_SHELL_AUTHENTICATION=1 environment variable set,
shell_wrapper ignores authentication
the mtdblock6 RSA key can almost certainly be changed
you can escape the IOS filesystem (/mnt/sd3/user) by adding ../../ to the
path in IOS, and potentially modify /etc/environment etc.

I don't understand why IOS users shouldn't be able to access Linux or
why it would be a security issue. Seems like a waste of time for Cisco to
try to block this.
--
  ++ytti
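The wrapper/verifier interaction described in the post, as an added example that is not code from the original message or from Cisco: a toy stand-in for shell_wrapper and code_sign_verify_nova_pkg showing why invoking the verifier through shell expansion lets the response be parsed as shell syntax, and how a separated argv removes that. The verifier here is a constructed string compare (not PKI) and EXPECTED is a made-up value.

```python
import shlex
import subprocess

# Constructed stand-in for code_sign_verify_nova_pkg: exits 0 only when argv[2]
# (the response) equals argv[1] (what the verifier expects). The real binary
# checks a PKI signature over the challenge; a string compare is enough here.
VERIFIER_ARGV = ["sh", "-c", 'test "$1" = "$2"', "verify"]
VERIFIER_CMDLINE = shlex.join(VERIFIER_ARGV)  # same program, as a command-line prefix

# Constructed expected signature; nothing here is derived from real IOS-XE material.
EXPECTED = "sig-of-challenge-42"


def verify_via_shell(expected: str, response: str) -> int:
    """Vulnerable pattern from the post: the wrapper pastes the user-supplied
    response into one command line and hands it to a shell. Shell operators in
    the response are therefore parsed as syntax, not passed as argument text."""
    cmd = f"{VERIFIER_CMDLINE} {expected} {response}"
    return subprocess.call(cmd, shell=True)


def verify_via_argv(expected: str, response: str) -> int:
    """Hardened pattern: binary and each argument are separate argv entries, so
    no shell ever sees the response and it can only be compared by the verifier."""
    return subprocess.call(VERIFIER_ARGV + [expected, response])


def shell_access_granted(verify, response: str) -> bool:
    """The wrapper's decision: exit status 0 from the verifier opens the Linux shell."""
    return verify(EXPECTED, response) == 0


if __name__ == "__main__":
    for response in (EXPECTED, "not-a-signature", "||/bin/true"):
        print(f"{response!r}: via shell expansion -> {shell_access_granted(verify_via_shell, response)}, "
              f"via argv -> {shell_access_granted(verify_via_argv, response)}")
```

When auditing a wrapper like this, the thing to look for is any system()/popen()/shell=True call that interpolates caller-controlled data into the command string; quoting the response (shlex.quote) would also close this particular hole, but the argv form is the correct fix.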