HUGE VULNERABILITY Remote Code Execution Possible with Cisco Smart Install Protocol Misuse

By | November 27, 2017
.
Technical Details
Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. The Smart Install feature incorporates no authentica-tion by design.
SmartInstall also has mechanisms in place for subsequent Cisco IOS Software and configura-tion upgrades on groups of switches, using a single command line interface (CLI) and switch
replacement assistance. It can perform a configuration backup when a switch changes its con-figuration.
A Smart Install network consists of exactly one Smart Install Director switch or router, also known as an integrated branch director (IBD), and one or more Smart Install Client switches,
also known as integrated branch clients (IBCs). A client switch does not need to be directly connected to the director but can be up to seven hops away

Issues Identified

Knowing the characteristics of the protocol, the researchers have managed to
Change the TFTP server address on a client device by sending one malformed TCP packet.
Copy client’s startup-config to the new TFTP server.
Substitute client’s startup-config with another, manually modified one. Client device will
then reboot at predefined time.
Upgrade IOS image on the client device.
Execute random set of commands on the client device (it is a new feature working only at
3.6.0E and 15.2(2)E IOS versions).
A proof of concept is available

 

Exploit code available here:

https://github.com/Sab0tag3d/SIET/blob/master/README.md

SIET

Smart Install Exploitation Tool

Cisco Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. You can ship a switch to a location, place it in the network and power it on with no configuration required on the device.

You can easy identify it using nmap: nmap -p 4786 -v 192.168.0.1

This protocol has a security issue that allows:

  1. Change tftp-server address on client device by sending one malformed TCP packet.
  2. Copy client’s startup-config on tftp-server exchanged previously.
  3. Substitute client’s startup-config for the file which has been copied and edited. Device will reboot in defined time.
  4. Upgrade ios image on the “client” device.
  5. Execute random set of commands on the “client” device. IS a new feature working only at 3.6.0E and 15.2(2)E ios versions.

All of them are caused by the lack of any authentication in smart install protocol. Any device can act as a director and send malformed tcp packet. It works on any “client” device where smart install is enabled. It does not matter if it used smart install in the network or not.

Confim from vendor: https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-smi

Slides: https://2016.zeronights.ru/wp-content/uploads/2016/12/CiscoSmartInstall.v3.pdf

This simple tool helps you to use all of them.

USAGE

Example: sudo python siet.py -g -i 192.168.0.1

-t test device for smart install.

-g get device config.

-c change device config.

-u update device IOS.

-e execute commands in device’s console.

-i ip address of target device

-l ip list of targets (file path)

UPDATES

New option “-l”. You can use list of ip addresses for getting configuration file.

Fix bug with incorrect test of device.

Share Button

Leave a Reply

Your email address will not be published. Required fields are marked *