08月06, 2020

One Byte Tear Down the Wall of Cisco Router

Author:
Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team


0x1. Background

The Cisco security bulletin in the middle of last month indicated that one of our super simple logical RCE vulnerability was fixed.

CVE-2020-3330, the details of the vulnerability are as follows:
111.jpg

0x2. Influence

Product : Cisco Small Business RV110W Wireless-N VPN Firewall

Affected versions: < 1.2.2.8

Firmware version talk about here:1.2.2.5 [2019-12-05 to 2020-06-17]

The number of public network devices that may be affected is shown as below.

222.png

0x3. Vulnerability hunting process

For the security research of IoT devices, port scanning is a basic operation, which can help us quickly discover potential attack surfaces.

333.png

The scan results surprised us a lot, the telnet service is enabled by default !

Moving on now, let's look at the strength of Cisco's passwords :)

Firstly, let us find where the telnet service is enabled. The suspicious target start_services was quickly located.

undefined4 start_services(void)
{
  int iVar1;
  int iVar2;
  FILE *__stream;
  char *__nptr;
  char acStack4112 [4096];

  __nptr = (char *)nvram_get("lan_ip_mode");
  if (__nptr == (char *)0x0) {
    __nptr = "";
  }
  iVar1 = atoi(__nptr);
  ...
  ...


  if (iVar1 == 2) {
  ...
  }
  else {
    start_upnp();
    start_igd();
    start_eapd();
    start_nas();
    start_zebra();
    start_snmp();
    start_upnp();
    start_wps(0);
    start_lltd();
    start_telnet();    <---  (1)
  }

If the value of "lan_ip_mode" is not the string "2", it will enter the logic of start_telnet function.

undefined4 start_telnet(void)

{
  char *__s1;
  int iVar1;
  undefined4 uVar2;
  FILE *__s;
  char **ppcVar3;
  char *local_158;
  undefined *local_154;
  undefined *local_150;
  char *local_14c;
  undefined *local_148;
  int local_144;
  undefined4 local_140;
  char *local_13c;
  undefined *local_138;
  undefined *local_134;
  int local_130;
  undefined *local_12c;
  char *local_128;
  undefined *local_124;
  int local_120;
  undefined4 local_11c;
  char acStack280 [256];

  __s1 = (char *)nvram_get("telnet_enable");                                <---  (2)
  if ((__s1 != (char *)0x0) && (iVar1 = strcmp(__s1,"1"), iVar1 != 0)) {
    return 0;
  }
  iVar1 = is_exist("/bin/login");
  if (iVar1 == 0) {
    __s = fopen("/dev/console","w");
    if (__s == (FILE *)0x0) {
      uVar2 = 0xffffffff;
    }
    else {
      fwrite("Start telnetd failed! Can\'t find /bin/login!\n",1,0x2d,__s);
      fclose(__s);
      uVar2 = 0xffffffff;
    }
  }
  else {
    __s1 = (char *)nvram_get("telnet_wan_enable");
...
...

The logic of start_telnet is simpler. It is judged that as long as the value of telnet_enable is null or "1", the telnet service will be started.

Do the values of lan_ip_mode and telnet_enable satisfy the conditions? ^_^

Let's check them using the command below:

image.png

In the subsequent logic, we found the password hash value of the administrator account, and the hash algorithm chosen was md5.

444.png

Once hashcat is started, we will get the plain text value of the hash quickly, which is a weak password (***** 123).

0x4.Vulnerability Exploit demo

555.png

0x5. Vulnerability Patch

The latest firmware version has deleted the start_telnet() function.

666.png

Note:

When this article was published, Cisco has officially fixed the vulnerability and the firmware has also been updated.

Ref:

https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-rv110w-static-cred-BMTWBWTy.html

本文链接:https://blogs.360.cn/post/One-Byte-Tear-Down-the-Wall-of-Cisco-Router.html

-- EOF --

Comments