blackhat eu 2011 hedfors owning the datacenter-slides

8/3/2019 BlackHat EU 2011 Hedfors Owning the Datacenter-Slides

1/21

George Hedfors

Working for Cybercom Sweden East AB(http://www.cybercomgroup.com)

12 years as IT- and information security consultant Previously worked for iX Security, Defcom, NetSec, n.runs and Pinion

Contact [email protected]

Web page http://george.hedfors.com

Owning the data centre, Cisco NX-OS

2011-03-18 Black Hat Europe 20111


2/21

Short intro to Cisco NX-OSHistory of researchOverview of underlying LinuxDisclosure of vulnerabilities

Undocumented CLi commands Command line interface escape Layer 2 attack Undocumented user account

2

nd

CLi escape (delayed) IDDQD

FAQ

Topics



3/21

Based on MontaVista (http://www.mvista.com)embedded Linux with kernel 2.6.10

VDC Virtualization, Virtual DeviceContext

What is NX-OS?


Nexus 4000 (for IBM BladeCenter)

Nexus 5000Nexus 7000

MDS 9500 FC DirectorsMDS 9222i FC Switch

MDS 9100 FC Switches


4/21

Accidentally made a Cisco-7020 fall over due to an9 years old denial of service attack

Was able to recover CORE dumps from the attackAble to extract all files from the Cisco .bin

installation packageFound a number of exploitable vulnerabilitiesTo do

Dig deeper into Cisco VDC/VRF security

What has been done



5/21

Typical environment

Banking/financeOther large data centersImpact

Full exposure of interconnected networks andVLANs

Possibility to eavesdrop and trafficmodification

Switch based rootkit installation?

Cisco 7000-series



6/21

Overview


LINUX


7/21

Teh Linux


root?!?


8/21

DC3 Shell the regular Cisco cli

Configurations contain hidden commands

Hidden commands



9/21

Escaping CLi



10/21

How could that happened?!


Whatcouldpossiblygowronghere?

/usr/bin/gdbserver


11/21

Br0ken architecture

2010-07-06 Company presentation11

Everything is running as root

Everyone can execute with SUDO

Even binaries execute using SUDO..Isth

isevenfixa

ble??...


12/21

Cisco Discovery Protocol (CDP)

2001, FX crafted the first CDP DoS attack2010, the CDP attack was rediscovered in NX-OS

What about layer 2?


CDP has become demonized and is now runningunder the root user context


13/21

The core dump



14/21

More then 255 bytes is used as Device ID tocause the segfault.

The protocol specification allows length as a 16-bitinteger.

CDP Daemon vulnerability analysis



15/21

Debugging:

= (unsigned __int16)(payload - 4); // size field

= payload - 4 + 1;

(void *) = cdpd_malloc(13, );

memset( , 0, );

memcpy( , (const void *)(packet_ptr + 4), );

CDP Daemon vulnerability analysis


0x 57 8 (int) 1400

0x 57 (byte) 87

Anything larger than 255 is truncated

causing a consecutive HEAP overflow


16/21

So, where ftpuser come from?

Default user? Backdoor? Easter egg?

Recovered password nbv123

Undocumented user account



17/21

Searching for nbv123



18/21

IDDQD?

God Mode!!



19/21

CSCti03724 CLI escape in NX-OS using GDB Workaround: None Fixed in NX-OS 4.1(4)

CSCti04026 Undocumented user available withdefault password on NX-OS system Workaround: None

CSCtf08873 CDP with long hostname crashesCDPD on N7k

Workaround: Disable CDPCSCti85295 NX-OS: SUDO privilege escalation

Workaround: None

Bug tracking



20/21

Special thanks to Juan-Manuel Gonzales, PSIRT

Incident Manager

Thanks



21/21

Questions?

Contact [email protected]

FAQ


blackhat eu 2011 hedfors owning the datacenter-slides

Documents