Owning the data centre, Cisco NX-OS. George Hedfors. PowerPoint PPT Presentation



SLIDE 1

Owning the data centre, Cisco NX-OS

George Hedfors

  • Working for Cybercom Sweden East AB (http://www.cybercomgroup.com)
  • 12 years as IT- and information security consultant
    – Previously worked for iX Security, Defcom, NetSec, n.runs and Pinion

Contact: george.hedfors@cybercomgroup.com
Web page: http://george.hedfors.com

2011-03-18 Black Hat Europe 2011 1

SLIDE 2

Topics

  • Short intro to Cisco NX-OS
  • History of research
  • Overview of underlying Linux
  • Disclosure of vulnerabilities
    – Undocumented CLI commands
    – Command line interface escape
    – Layer 2 attack
    – Undocumented user account
    – 2nd CLI escape (delayed)
    – IDDQD…
  • FAQ

SLIDE 3

What is NX-OS?

  • Based on MontaVista (http://www.mvista.com) embedded Linux with kernel 2.6.10
  • VDC Virtualization, Virtual Device Context
  • Platforms:
    – Nexus 4000 (for IBM BladeCenter)
    – Nexus 5000
    – Nexus 7000
    – MDS 9500 FC Directors
    – MDS 9222i FC Switch
    – MDS 9100 FC Switches

SLIDE 4

What has been done

  • Accidentally made a Cisco-7020 fall over due to a 9-year-old denial of service attack
  • Was able to recover core dumps from the attack
  • Able to extract all files from the Cisco .bin installation package
  • Found a number of exploitable vulnerabilities

To do

  • Dig deeper into Cisco VDC/VRF security

SLIDE 5

Cisco 7000-series

Typical environment

  • Banking/finance
  • Other large data centers

Impact

  • Full exposure of interconnected networks and VLANs
  • Possibility of eavesdropping and traffic modification
  • Switch based rootkit installation?

SLIDE 6

Overview

LINUX

SLIDE 7

Teh Linux


SLIDE 8

Hidden commands

DC3 Shell, ‘the regular Cisco CLI’

  • Configurations contain ‘hidden’ commands

SLIDE 9

Escaping the CLI

SLIDE 10

How could that happen?!

What could possibly go wrong here?

/usr/bin/gdbserver

SLIDE 11

Br0ken architecture

  • Everything is running as root
  • Everyone can execute with SUDO
  • Even binaries execute using SUDO..

Is this even fixable??...

2010-07-06 Company presentation 11

SLIDE 12

What about layer 2?

Cisco Discovery Protocol (CDP)

  • 2001, FX crafted the first CDP DoS attack
  • 2010, the CDP attack was rediscovered in NX-OS
  • CDP has become daemonized and is now running under the ‘root’ user context

SLIDE 13

The core dump

SLIDE 14

CDP Daemon vulnerability analysis

  • More than 255 bytes are used as the ‘Device ID’ to cause the segfault.
  • The protocol specification allows the length to be a 16-bit integer.

SLIDE 15

CDP Daemon vulnerability analysis

Debugging:

    = (unsigned __int16)(payload - 4);   // size field
    = payload - 4 + 1;
    (void *) = cdpd_malloc(13, );
    …
    memset( , 0, );
    memcpy( , (const void *)(packet_ptr + 4), );

0x578 (int) = 1400
0x57 (byte) = 87

Anything larger than 255 is truncated, causing a consecutive HEAP overflow…
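A length-validating CDP TLV walker, added here as an illustration and not code from the original deck or from Cisco's cdpd. It applies the Device ID bounds check whose absence slides 14 and 15 describe, and runs it over a constructed TLV fixture; the Device ID TLV type 0x0001 and the header-inclusive 16-bit length are the CDP wire format, the 255-byte limit is the figure the slides give, and the function names are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* CDP TLV layout: 2-byte type, 2-byte length; the length includes the 4-byte header. */
#define CDP_TLV_DEVICE_ID 0x0001
#define CDP_TLV_HDR_LEN   4
#define CDP_DEVICE_ID_MAX 255   /* Device IDs longer than this triggered the cdpd crash */

/* found: a Device ID TLV was seen; len: its value length; oversized: len > 255;
 * malformed: a TLV length overruns the frame or is shorter than its own header. */
struct cdp_check { int found; uint16_t len; int oversized; int malformed; };

/* Walk the TLVs that follow the CDP header, bounds-checking each length before
 * trusting it (the check slides 14 and 15 show missing), and flag an oversized Device ID. */
struct cdp_check cdp_check_device_id(const uint8_t *tlvs, size_t n)
{
    struct cdp_check r = {0, 0, 0, 0};
    size_t off = 0;
    while (off + CDP_TLV_HDR_LEN <= n) {
        uint16_t type = (uint16_t)((tlvs[off] << 8) | tlvs[off + 1]);
        uint16_t tlen = (uint16_t)((tlvs[off + 2] << 8) | tlvs[off + 3]);
        if (tlen < CDP_TLV_HDR_LEN || tlen > n - off) { r.malformed = 1; return r; }
        if (type == CDP_TLV_DEVICE_ID) {
            r.found = 1;
            r.len = (uint16_t)(tlen - CDP_TLV_HDR_LEN);
            r.oversized = r.len > CDP_DEVICE_ID_MAX;
        }
        off += tlen;
    }
    return r;
}

/* Run the check on a constructed fixture (not captured traffic): one Device ID TLV whose
 * value is value_len 'A' bytes. Only the first `limit` bytes are handed to the walker, so a
 * limit below the TLV size simulates a frame cut short. Returns 1 = flagged oversized,
 * 0 = accepted, -2 = malformed, -1 = fixture could not be built. */
int classify_device_id(uint16_t value_len, size_t limit)
{
    uint8_t buf[2048];
    size_t total = CDP_TLV_HDR_LEN + (size_t)value_len;
    if (total > sizeof buf) return -1;
    buf[0] = 0x00; buf[1] = (uint8_t)CDP_TLV_DEVICE_ID;
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)(total & 0xFF);
    memset(buf + CDP_TLV_HDR_LEN, 'A', value_len);
    struct cdp_check c = cdp_check_device_id(buf, total < limit ? total : limit);
    if (c.malformed) return -2;
    return c.found ? c.oversized : -1;
}
```

The 1400-byte case is the slide's 0x578 value; a walker like this in front of the copy refuses it instead of letting the narrowed size reach the allocator.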

SLIDE 16

Undocumented user account

So, where does ‘ftpuser’ come from?

  • Default user?
  • Backdoor?
  • Easter egg?

Recovered password: ‘nbv123’

SLIDE 17

Searching for ‘nbv123’

SLIDE 18

IDDQD?

God Mode!!

SLIDE 19

Bug tracking

  • CSCti03724 – CLI escape in NX-OS using GDB
    – Workaround: None
    – Fixed in NX-OS 4.1(4)
  • CSCti04026 – Undocumented user available with default password on NX-OS system
    – Workaround: None
  • CSCtf08873 – CDP with long hostname crashes CDPD on N7k
    – Workaround: Disable CDP
  • CSCti85295 – NX-OS: SUDO privilege escalation
    – Workaround: None

SLIDE 20

Thanks

Special thanks to Juan-Manuel Gonzales, PSIRT Incident Manager <juagonza@cisco.com>

SLIDE 21

FAQ

Questions? Contact george.hedfors@cybercomgroup.com