exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Cisco Device Hardcoded Credentials / GNU glibc / BusyBox

Cisco Device Hardcoded Credentials / GNU glibc / BusyBox
Posted Sep 4, 2019
Authored by T. Weber | Site sec-consult.com

Many Cisco devices such as Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P, Cisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160, and Cisco 160W suffer from having hard-coded credentials, known GNU glibc, known BusyBox, and IoT Inspector identified vulnerabilities.

tags | exploit, vulnerability
systems | cisco
advisories | CVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984, CVE-2015-1472, CVE-2015-5277, CVE-2015-7547, CVE-2015-8778, CVE-2015-8779, CVE-2015-9261, CVE-2016-2147, CVE-2016-2148, CVE-2016-6301, CVE-2017-1000366, CVE-2017-16544, CVE-2018-20679, CVE-2019-5747
SHA-256 | 3726cd3c69f647990c48b627f7552d3a2fdba185bb79ef1247f427b865bde817

Cisco Device Hardcoded Credentials / GNU glibc / BusyBox

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20190904-0 >
=======================================================================
title: Multiple vulnerabilities
product: Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P,
Cisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160,
Cisco 160W
vulnerable version: Cisco RV34X - 1.0.02.16, Cisco RV16X/26X - 1.0.00.15
fixed version: see "Solution"
CVE number: -
impact: High
homepage: https://www.cisco.com/
found: 2019-05-15
by: T. Weber, S. Viehböck (Office Vienna)
IoT Inspector
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Securely connecting your small business to the outside world is as important
as connecting your internal network devices to one another. Cisco Small
Business RV Series Routers offer virtual private networking (VPN) technology
so your remote workers can connect to your network through a secure Internet
pathway."

Source: https://www.cisco.com/c/en/us/products/routers/small-business-rv-series-routers/index.html


Business recommendation:
------------------------
We want to thank Cisco for the very quick and professional response and great
coordination. Customers are urged to update the firmware of their devices.


Vulnerability overview/description:
-----------------------------------
1) Hardcoded Credentials
The device contains hardcoded users and passwords which can be used to login
via SSH on an emulated device at least.

During the communication with Cisco it turned out that:
"Accounts like the 'debug-admin' and 'root' can not be accessed
from console port, CLI or webui".
Therefore, these accounts had no real functionality and cannot be used for
malicious actions.

2) Known GNU glibc Vulnerabilities
The used GNU glibc in version 2.19 is outdated and contains multiple known
vulnerabilities. The outdated version was found by IoT Inspector. One of
the discovered vulnerabilities (CVE-2015-7547, "getaddrinfo() buffer overflow")
was verified by using the MEDUSA scalable firmware runtime.

3) Known BusyBox Vulnerabilities
The used BusyBox toolkit in version 1.23.2 is outdated and contains multiple
known vulnerabilities. The outdated version was found by IoT Inspector.
One of the discovered vulnerabilities (CVE-2017-16544) was verified by using
the MEDUSA scaleable firmware runtime.


4) Multiple Vulnerabilities - IoT Inspector Report
Further information can be found in IoT Inspector report:
https://r.sec-consult.com/ciscoiot


Proof of concept:
-----------------
1) Hardcoded Credentials
The following hardcoded hashes were found in the 'shadow' file of the firmware:
root:$1$hPNSjUZA$7eKqEpqVYltt9xJ6f0OGf0:15533:0:99999:7:::
debug-admin:$1$.AAm0iJ4$na9wZwly9pSrdS8MhcGKw/:15541:0:99999:7:::
[...]

The undocumented user 'debug-admin' is also contained in this file.

Starting the dropbear daemon as background process on emulated firmware:
-------------------------------------------------------------------------------
# dropbear -E
# [1109] <timestamp> Running in background
#
# [1112] <timestamp> Child connection from <IP>:52718
[1112] <timestamp> /var must be owned by user or root, and not writable by others
[1112] <timestamp> Password auth succeeded for 'debug-admin' from <IP>:52718
-------------------------------------------------------------------------------

Log on via another host connected to the same network. For this PoC the
password of the debug-admin was changed in the 'shadow' file.
-------------------------------------------------------------------------------
[root@localhost medusa]# ssh debug-admin@<IP> /bin/ash -i
debug-admin@<IP>'s password:
/bin/ash: can't access tty; job control turned off


BusyBox v1.23.2 (2018-11-21 18:22:56 IST) built-in shell (ash)

/tmp $
-------------------------------------------------------------------------------

The 'debug-admin' user has the same privileges like 'root'. This can be
determined from the corresponding sudoers file in the firmware:
[...]
## User privilege specification
##
root ALL=(ALL) ALL
debug-admin ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
[...]

During the communication with Cisco it turned out that:
"Accounts like the 'debug-admin' and 'root' can not be accessed
from console port, CLI or webui".
Therefore, these accounts had no real functionality and cannot be used for
malicious actions.

2) Known GNU glibc Vulnerabilities
GNU glibc version 2.19 contains multiple CVEs like:
CVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984, CVE-2015-1472,
CVE-2015-5277, CVE-2015-8778, CVE-2015-8779, CVE-2017-1000366 and more.

The getaddrinfo() buffer overflow vulnerability was checked with the help of
the exploit code from https://github.com/fjserna/CVE-2015-7547. It was compiled
and executed on the emulated device to test the system.

# python cve-2015-7547-poc.py &
[1] 961
# chroot /medusa_rootfs/ bin/ash


BusyBox v1.23.2 (2018-11-21 18:22:56 IST) built-in shell (ash)

# gdb cve-2015-7547_glibc_getaddrinfo
[...]
[UDP] Total Data len recv 36
[UDP] Total Data len recv 36
Connected with 127.0.0.1:41782
[TCP] Total Data len recv 76
[TCP] Request1 len recv 36
[TCP] Request2 len recv 36
Cannot access memory at address 0x4

Program received signal SIGSEGV, Segmentation fault.
0x76f1fd58 in ?? () from /lib/libc.so.6
(gdb)

References:
https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://github.com/fjserna/CVE-2015-7547


3) Known BusyBox Vulnerabilities
BusyBox version 1.23.2 contains multiple CVEs like:
CVE-2016-2148, CVE-2016-6301, CVE-2015-9261, CVE-2016-2147, CVE-2018-20679,
CVE-2017-16544 and CVE-2019-5747.
The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on
an emulated device:

A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the
vulnerability.
-------------------------------------------------------------------------------
# ls "pressing <TAB>"
test
]55;test.txt
#
-------------------------------------------------------------------------------

4) Multiple Vulnerabilities - IoT Inspector Report
Further information can be found in IoT Inspector report:
https://r.sec-consult.com/ciscoiot

The summary is below:
IoT Inspector Vulnerability #1 BusyBox CVE entries
Outdated BusyBox version is affected by 7 published CVEs.

IoT Inspector Vulnerability #2 curl CVE entries
Outdated curl version is affected by 35 published CVEs.

IoT Inspector Vulnerability #3 GNU glibc CVE entries
Outdated GNU glibc version is affected by 44 published CVEs.

IoT Inspector Vulnerability #4 GNU glibc getaddrinfo() buffer overflow
Outdated GNU glibc version is affected by CVE-2015-7547.

IoT Inspector Vulnerability #5 Hardcoded password hashes
Firmware contains multiple hardcoded credentials.

IoT Inspector Vulnerability #6 Linux Kernel CVE entries
Outdated Linux Kernel version affected by 512 published CVEs.

IoT Inspector Vulnerability #7 MiniUPnPd CVE entries
Outdated MiniUPnPd version affected by 2 published CVEs.

IoT Inspector Vulnerability #8 Dnsmasq CVE entries
Outdated MiniUPnPd version affected by 1 published CVE.

IoT Inspector Vulnerability #9 Linux Kernel Privilege Escalation “pp_key”
Outdated Linux Kernel version is affected by CVE-2015-7547.

IoT Inspector Vulnerability #10 OpenSSL CVE entries
Outdated OpenSSL version affected by 6 published CVEs.


Vulnerable / tested versions:
-----------------------------
The following firmware versions have been tested with IoT Inspector and
firmware emulation techniques:
Cisco RV340 / 1.0.02.16
Cisco RV340W / 1.0.02.16
Cisco RV345 / 1.0.02.16
Cisco RV345P / 1.0.02.16
The following firmware versions have been tested with IoT Inspector only:
Cisco RV260 / 1.0.00.15
Cisco RV260P / 1.0.00.15
Cisco RV260W / 1.0.00.15
Cisco RV160 / 1.0.00.15
Cisco RV160P / 1.0.00.15

The firmware was obtained from the vendor website:
https://software.cisco.com/download/home/286287791/type/282465789/release/1.0.02.16
https://software.cisco.com/download/home/286316464/type/282465789/release/1.0.00.15


Vendor contact timeline:
------------------------
2019-05-15: Contacting vendor through psirt@cisco.com.
2019-05-16: Vendor confirmed the receipt.
2019-05-2019-08: Periodic updates about the investigation from the vendor.
Clarification which of the reported issues will be fixed.
2019-08-20: The vendor proposed the next possible publication date for the
advisory for 2019-09-04. The vendor added the RV160 and RV260
router series to be vulnerable to the same issues too.
2019-09-04: Coordinated advisory release.


Solution:
---------
Upgrade to the newest available firmware version.

Additionally, the vendor provides the following security notice:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter


Workaround:
-----------
None.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2019

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close