[c-nsp] Cisco IOS-XE 3S platforms Series Root Shell License Bypass Vulnerability

Saku Ytti saku at ytti.fi
Sun Feb 28 07:23:17 EST 2016

On 28 February 2016 at 04:18, Robert Hass <robhass at gmail.com> wrote:
> I'm looking for exploitation of issue 'Cisco IOS-XE 3S platforms Series
> Root Shell License Bypass Vulnerability' (CSCuv93130). I would like to
> check if it's really working on my Ciscos running IOS XE. Does anyone
> have a recipe for how to do it?

At least on a 3650, 2+ years ago, the following happened when going to the Linux shell:

1) shell_wrapper asks the code_sign_verify_nova_pkg binary for a challenge/response
2) code_sign_verify_nova_pkg crypts/signs the challenge with PKI and
compares it to the response, returning 0 on a match, something else if not
3) however, shell_wrapper does not call code_sign_verify_nova_pkg
securely, separating binary and arguments; instead it calls it through
shell expansion
4) the IOS user controls the response
5) so if you make the response '||/bin/true' you'll pass the challenge
and get to the Linux shell

I didn't report this, because I don't view it as a bug. It's my device,
I've authenticated myself to the IOS shell, I should be able to access
the Linux shell.

There were other vectors as well:
- with the DISABLE_SHELL_AUTHENTICATION=1 environment variable set,
shell_wrapper ignores authentication
- the mtdblock6 RSA key can almost certainly be changed
- you can escape the IOS filesystem (/mnt/sd3/user) by adding ../../ to
the path in IOS, and potentially modify /etc/environment etc.

I don't understand why IOS users shouldn't be able to access Linux, or
why it would be a security issue. Seems like a waste of time for Cisco to
try to block this.
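The root cause Saku describes is a command-injection pattern: the wrapper hands a user-controlled response to a shell as part of a command string instead of passing it as a separate argument. The following added example is not Cisco's code and not from the post; it models the pattern with a constructed stand-in verifier (a tiny shell script whose "correct" response is simply the challenge plus "-signed", an assumption) and shows the shell-expansion invocation beside the argv-based one that defeats the bypass.

```python
import os
import subprocess
import tempfile

# Constructed stand-in for code_sign_verify_nova_pkg. The real binary signs the
# challenge with the platform PKI; this one just checks "$2" == "$1-signed"
# and exits 0 on a match, non-zero otherwise (assumption for the demo).
FAKE_VERIFIER = '#!/bin/sh\n[ "$2" = "$1-signed" ]\n'


def verify_via_shell(verifier, challenge, response):
    """Vulnerable pattern: one command string given to /bin/sh, as the post
    says shell_wrapper did. Shell metacharacters in `response` are parsed."""
    cmd = f"{verifier} {challenge} {response}"
    return subprocess.run(cmd, shell=True).returncode == 0


def verify_via_argv(verifier, challenge, response):
    """Hardened pattern: argv list, no shell, so the response reaches the
    verifier as one opaque argument and '||' is just two characters."""
    return subprocess.run([verifier, challenge, response]).returncode == 0


def run_demo():
    """Install the stand-in verifier in a temp dir and exercise both wrappers.
    Returns (shell_with_injection, argv_with_injection, argv_with_honest)."""
    with tempfile.TemporaryDirectory() as d:
        verifier = os.path.join(d, "code_sign_verify_nova_pkg")
        with open(verifier, "w") as f:
            f.write(FAKE_VERIFIER)
        os.chmod(verifier, 0o700)
        challenge = "3f9a1c"          # constructed sample challenge
        injected = "||/bin/true"      # the response from the post
        honest = challenge + "-signed"
        return (
            verify_via_shell(verifier, challenge, injected),  # True: bypassed
            verify_via_argv(verifier, challenge, injected),   # False: rejected
            verify_via_argv(verifier, challenge, honest),     # True: real match
        )


if __name__ == "__main__":
    print(run_demo())  # (True, False, True)
```

The shell form "passes" because the verifier fails, `||` runs /bin/true, and the wrapper only sees the final exit status of 0; the argv form never lets the shell see the response at all.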
