bcook-r7 (9)

Last Login: June 05, 2020
Assessments
3
Score
9

bcook-r7's Latest (3) Contributions

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Based on the great research work by Orange Tsai, exploiting this vulnerability is made fairly trivial. Adding exploited in the wild based on notes from EU CERT (https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-017.pdf). Since this is VPN software, it’s often keys to the kingdom. Hope everyone has patched by now.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

There are now public exploits for this and it is now reliable and low-risk to exploit. More info at https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix which is a pretty reasonable approximation for how this AKB entry would ideally look :) Also of note, https://twitter.com/buffaloverflow/status/1216807963974938624 mentions a number of files of interest to an attacker.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Technical Analysis

This requires IPv6 and particular settings to be enabled.

## Vulnerable targets:

It’s not clear if the 9000v virtual switch is vulnerable but that is the easiest to target for now, since it does not need special hardware.

The setup is here: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/nx-osv/configuration/guide/b_Cisco_Nexus_9000v/b_Cisco_Nexus_9000v_chapter_011.html

NXOSV VM download

Downloading the ‘Vagrant’ image and running it with a basic Vagrantfile showed this output, which hung forever:

```
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Clearing any previously set forwarded ports...
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
==> default: Forwarding ports...
    default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 127.0.0.1:2222
    default: SSH username: vagrant
    default: SSH auth method: private key
```

It seems you have to configure the virtual switch with a virtual serial port.

## VM Contents:

There are only a few EXT3 filesystems that have useful data in the VMDK image. I think the most interesting bits are going to be inside of nxos.9.2.2.bin which is perhaps decoded or interpreted by the kernel or bootloader. The boot screen in the VM looks like it uses a modified version of GRUB and the Linux kernel, though my current environment has insufficient memory to make it actually boot.

```
><fs> add-ro box-disk1.vmdk
><fs> run
><fs> list-filesystems
/dev/sda1: vfat
/dev/sda2: ext3
/dev/sda3: ext3
/dev/sda4: ext3
/dev/sda5: ext3
/dev/sda6: ext3
/dev/sda7: ext3
><fs> mount /dev/sda3 /
><fs> ls /
lost+found
><fs> mount /dev/sda1 /
><fs> ls /
EFI
><fs> mount /dev/sda2 /
><fs> ls /
lost+found
><fs> mount /dev/sda3 /
><fs> ls /
lost+found
><fs> mount /dev/sda4 /
><fs> ls /
nxos.9.2.2.bin
><fs> mount /dev/sda5 /
><fs> ls /
lost+found
><fs> mount /dev/sda6 /
><fs> ls /
ascii
bin
boot
cfglabel.sysmgr
debug
dme
licenses
linux
log
lost+found
no-erase
><fs> mount /dev/sda7 /
><fs> ls /
lost+found
```

I copied out the .bin file, which appears to be another filesystem.

```
><fs> mount /dev/sda4 /
><fs> copy-out /nxos.9.2.2.bin .
```

```
$ file nxos.9.2.2.bin
nxos.9.2.2.bin: DOS/MBR boot sector
$ binwalk ./nxos.9.2.2.bin
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Netboot image, mode 2
1024          0x400           Microsoft executable, portable (PE)
17844         0x45B4          gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
2010881       0x1EAF01        MySQL ISAM index file Version 7
6283776       0x5FE200        gzip compressed data, maximum compression, from Unix, last modified: 2018-11-05 06:20:17
```
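The binwalk listing above is where the write-up stops. As an added example, not bcook-r7's code, the script below carves the gzip members binwalk reports (the ones at 0x45B4 and 0x5FE200 in nxos.9.2.2.bin) so they can be inflated and inspected; it generalises to scanning the whole image for any gzip magic and keeps only candidates whose CRC32/ISIZE trailer verifies. It assumes Python 3.9+ and, since the firmware itself is not on the page, runs on a constructed sample image when given no path.

```python
from __future__ import annotations
import gzip
import sys
import zlib
from dataclasses import dataclass

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate

@dataclass
class CarvedMember:
    offset: int          # byte offset of the member inside the image
    compressed_len: int  # bytes of the image the member occupies
    data: bytes          # inflated payload

def carve_gzip_members(blob: bytes) -> list[CarvedMember]:
    """Return every complete gzip member in blob, skipping false magic hits."""
    found, pos = [], blob.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper only
        try:
            out = d.decompress(blob[pos:]) + d.flush()
        except zlib.error:
            out = b""  # bad header or deflate stream: not a real member
        if d.eof:  # whole member, CRC32/ISIZE trailer included, checked out
            used = len(blob) - pos - len(d.unused_data)
            found.append(CarvedMember(pos, used, out))
            pos = blob.find(GZIP_MAGIC, pos + used)
        else:  # false positive or truncated member: step past the magic
            pos = blob.find(GZIP_MAGIC, pos + 1)
    return found

def carve_file(path: str) -> list[CarvedMember]:
    """Carve an image on disk, writing each member to <path>.<offset>.out."""
    with open(path, "rb") as f:
        members = carve_gzip_members(f.read())
    for m in members:
        with open(f"{path}.{m.offset:#x}.out", "wb") as out:
            out.write(m.data)
    return members

# Constructed sample image standing in for nxos.9.2.2.bin: padding, a bogus
# magic hit, two real members, padding, and a truncated copy of the first.
SAMPLE_MEMBERS = [gzip.compress(b"kernel\n" * 64, mtime=0),
                  gzip.compress(b"initrd\n" * 8, mtime=0)]
SAMPLE_IMAGE = (b"\x00" * 1024 + GZIP_MAGIC + b"\xff" * 16 + SAMPLE_MEMBERS[0]
                + b"\x00" * 512 + SAMPLE_MEMBERS[1] + SAMPLE_MEMBERS[0][:20])

if __name__ == "__main__":
    for m in (carve_file(sys.argv[1]) if len(sys.argv) > 1 else carve_gzip_members(SAMPLE_IMAGE)):
        print(f"{m.offset:#010x}: {m.compressed_len} -> {len(m.data)} bytes")
```

Run it against an extracted image to get one `.out` file per member, which can then be handed to `file` or `binwalk` again, since nested images are common in this kind of firmware.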