bcook-r7 (9)
Last Login: June 05, 2020
bcook-r7's Latest (3) Contributions
Technical Analysis
Based on the great research work by Orange Tsai, exploiting this vulnerability is made fairly trivial. Adding exploited in the wild based on notes from EU CERT https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-017.pdf . Since this is VPN software, it’s often keys to the kingdom. Hope everyone has patched by now.
Technical Analysis
There are now public exploits for this and it is now reliable and low-risk to exploit. More info at https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix which is a pretty reasonable approximation for how this AKB entry would ideally look :) Also of note, https://twitter.com/buffaloverflow/status/1216807963974938624 mentions a number of files of interest to an attacker.
Technical Analysis
This requires IPv6 and particular settings to be enabled
Waiting for machine to boot. This may take a few minutes…
default: SSH address: 127.0.0.1:2222 default: SSH username: vagrant default: SSH auth method: private key
It seems you have to configure the virtual switch with a virtual serial port. ## VM Contents: There are only a few EXT3 filesystems that have useful data in the VMDK image. I think the most interesting bits are going to be inside of nxos.9.2.2.bin which is perhaps decoded or interpreted by the kernel or bootloader. The boot screen in the VM looks like it uses a modified version of GRUB and the Linux kernel, though my current environment has insufficient memory to make it actually boot.
<fs>add-ro ## Vulnerable targets:
It’s not clear if the 9000v virtual switch is vulnerable but that is the easiest to target for now, since it does not need special hardware.
The setup is here: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/nx-osv/configuration/guide/b_Cisco_Nexus_9000v/b_Cisco_Nexus_9000v_chapter_011.html
NXOSV VM download
Downloading the ‘Vagrant’ image and running it with a basic Vagrantfile showed this output, which hung forever:
Bringing machine 'default' up with 'virtualbox' provider... ==> default: Clearing any previously set forwarded ports... ==> default: Clearing any previously set network interfaces... ==> default: Preparing network interfaces based on configuration... default: Adapter 1: nat ==> default: Forwarding ports... default: 22 (guest) => 2222 (host) (adapter 1) ==> default: Booting VM... ==> default: box-disk1.vmdk ><fs> run ><fs> list-filesystems /dev/sda1: vfat /dev/sda2: ext3 /dev/sda3: ext3 /dev/sda4: ext3 /dev/sda5: ext3 /dev/sda6: e boot cfglabel.sysmgr debug dme licenses linux log lost+foundxt3 /dev/sda7: ext3 ><fs> mount /dev/sda3 / ><fs> ls / lost+found ><fs> mount /dev/sda1 / ><fs> ls / EFI ><fs> mount /dev/sda2 / ><fs> ls / lost+found ><fs> mount /dev/sda3 / ><fs> ls / lost+found ><fs> mount /dev/sda4 / ><fs> ls / nxos.9.2.2.bin ><fs> mount /dev/sda5 / ><fs> ls / lost+found ><fs> mount /dev/sda6 / ><fs> ls / ascii bin no-erase ><fs> mount /dev/sda7 / ><fs> ls / lost+found
I copied out the .bin file, which appears to be another filesystem.
><fs> mount /dev/sda4 / ><fs> copy-out /nxos.9.2.2.bin . $ file nxos.9.2.2.bin nxos.9.2.2.bin: DOS/MBR boot sector
binwalk ./nxos.9.2.2.bin -------------------------------------------------------------------------------- 0 0x0 Netboot image, mode 2 1024 0x400 Microsoft executable, portable (PE) 17844 0x45B4 gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date) 2010881 0x1EAF01 MySQL ISAM index file Version 7 6283776 0x5FE200 gzip compressed data, maximum compression, from Unix, last modified: 2018-11-05 06:20:17
