dueyesterday.net
Documentation for the masses

Cisco SNMP Injection

Back in April of this year I was asked to help out with some testing on several networking devices. The devices I was set up to test were my Cisco routers, switches and access points. The goal of the testing was to identify whether or not malicious input could be used as a device's name. If so, further testing would be done to see whether the malicious code would be executed upon a successful login to the device (over HTTP). The result was positive on all of the devices. Below is my documentation from the testing.

Problem


This attack uses SNMP and the lack of special character filtering to inject malicious code within the web consoles of Cisco devices. The devices tested were:

  • Cisco 1130 Access Point
  • Cisco 3640 Router
  • Cisco 3700 Series Router
  • Cisco 3524XL Switch

I was able to inject a simple JavaScript alert box into each of the devices and see it upon logging into the web console (see attached screenshots). Though this demonstration does not in itself pose a significant threat, the fact that JavaScript was executed at all means the attack can be developed much further.

Configuration breakdown


  • SNMP has to be enabled with read/write community string
  • ip http server must be on (this may be possible to turn on via SNMP)

Another thing worth mentioning is that the Cisco 1130 Access Point displayed the hostname on all of its pages, but the injected script did not execute until you went to System Information and then Tech Support, that is, on the following pages:

  • http://AP_Address/exec/show/tech-support/cr
  • http://AP_Address/level/15/exec/-
  • http://AP_Address/level/15/exec/-/configure/http

The others (router and switch) were affected right from the start, on all pages. Below is the string used to pop up an alert box after a successful login.

    snmpset -v2c -c public1 192.168.0.101 sysName.0 string "jstag alert("""xss snmp""")/jstag"

Note: jstag would be replaced with the script tag. For whatever reason, the use of “””URL””” translated into a single “URL”, allowing me to specify a string for the alert.

Solution


Because special characters are allowed when setting a hostname, this attack can be turned into something malicious. To mitigate it, consider disallowing special characters (specifically “<”, “>”, “/”, “:” and “%”) when setting the hostname (or any other string variable such as location or admin contact) of a device.
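The following is an added example, not code from the original post or from Cisco. It shows the two places a defender can break this injection: the SNMP set handler (the hostname check the Solution section calls for) and the web console's rendering of the value (output encoding, so that a name that slips past the filter is displayed rather than interpreted). The console page is a hypothetical stand-in, and the allow-list rule (letters, digits and hyphens only) is an assumption that is stricter than merely stripping the five characters listed above; the payload string is the one from the post with the script tag spelled out.

```python
"""Added example (not part of the original post): hostname validation plus
output encoding for a hypothetical device web console."""
import html
import re

# The characters the Solution section singles out as dangerous in sysName,
# sysContact and sysLocation.
FORBIDDEN_CHARS = frozenset('<>/:%')

# Assumption: a positive allow-list (RFC 952/1123 style hostname labels) is what a
# device should enforce, rather than only removing the characters above.
_HOSTNAME_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')


def contains_forbidden(value: str) -> set:
    """Return the set of post-listed special characters present in value."""
    return FORBIDDEN_CHARS & set(value)


def is_safe_hostname(name: str) -> bool:
    """Allow-list check: letters, digits and hyphens only, no leading/trailing hyphen."""
    return bool(_HOSTNAME_RE.match(name))


def accept_sysname(proposed: str, current: str) -> str:
    """Emulate an SNMP set handler for sysName.0: reject the write and keep the
    current name when the proposed value fails the allow-list."""
    return proposed if is_safe_hostname(proposed) else current


def render_banner_vulnerable(hostname: str) -> str:
    """Stand-in for a console page that concatenates sysName straight into HTML
    (the behaviour the post observed on the tested devices)."""
    return f"<html><body><h1>{hostname}</h1></body></html>"


def render_banner_hardened(hostname: str) -> str:
    """Same page with output encoding: the value is shown, never parsed as markup."""
    return f"<html><body><h1>{html.escape(hostname, quote=True)}</h1></body></html>"


if __name__ == "__main__":
    # Constructed sample: the alert payload from the post, script tag spelled out.
    payload = '<script>alert("xss snmp")</script>'
    print("forbidden chars present:", sorted(contains_forbidden(payload)))
    print("name after set attempt:", accept_sysname(payload, "x0neSwitch"))
    print(render_banner_vulnerable(payload))
    print(render_banner_hardened(payload))
```

Validation on the SNMP side stops the bad value from being stored at all; encoding on the HTTP side protects against values that arrive through any other path (CLI, a different MIB object, a future firmware change to the filter). Doing both is the usual recommendation because the two checks fail independently.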

Conclusions


The proof of concept demonstrated here will do no real harm to a user. What administrators need to keep in mind is that attackers will not care about popping up alert boxes; their goal will be to execute JavaScript in the victim's browser. Attacks could range from password stealing to browser hijacking, depending on the method taken. Administrators should ensure that, if SNMP is enabled, they are using a strong community string that cannot easily be guessed.

SNMP Walk Information


Cisco 1130 AP

    SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(3g)JA1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Thu 19-Jul-07 23:19 by kellythw
    SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.618
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (614036220) 71 days, 1:39:22.20
    SNMPv2-MIB::sysContact.0 = STRING:
    SNMPv2-MIB::sysName.0 = STRING: x0ne
    SNMPv2-MIB::sysLocation.0 = STRING:
    SNMPv2-MIB::sysServices.0 = INTEGER: 2
    SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

Cisco 3700 Router

    SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software IOS (tm) 3700 Software (C3725-I-M), Version 12.2(13)T8, RELEASE SOFTWARE (fc1) TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems, Inc. Compiled Sun 17-Aug-03 02:35 by kellmill
    SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.414
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (614039584) 71 days, 1:39:55.84
    SNMPv2-MIB::sysContact.0 = STRING:
    SNMPv2-MIB::sysName.0 = STRING:
    SNMPv2-MIB::sysLocation.0 = STRING:
    SNMPv2-MIB::sysServices.0 = INTEGER: 78
    SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

Cisco 3524XL Switch

    SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.2)XU, MAINTENANCE INTERIM SOFTWARE Copyright (c) 1986-2000 by cisco Systems, Inc. Compiled Mon 17-Jul-00 18:29 by ayounes
    SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.287
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (614103166) 71 days, 1:50:31.66
    SNMPv2-MIB::sysContact.0 = STRING:
    SNMPv2-MIB::sysName.0 = STRING: x0neSwitch
    SNMPv2-MIB::sysLocation.0 = STRING:
    SNMPv2-MIB::sysServices.0 = INTEGER: 2
    SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
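Walks like the ones above are also the cheapest way to find out whether a device in your own estate has already been given a tainted name. The following is an added example, not part of the original post: it parses the system-group lines in the format snmpwalk prints them and flags any sysName, sysContact or sysLocation string that carries one of the characters the Solution section lists. The sample walk is constructed for this example (modelled on the 3524XL output, with a shortened sysDescr), and the injected sysName line in it is invented to show a hit; the function and variable names are mine.

```python
"""Added example (not part of the original post): audit saved snmpwalk output
for special characters in the writable system-group strings."""
import re
from typing import Dict, List, Tuple

# The characters the Solution section lists as dangerous.
SUSPICIOUS_CHARS = frozenset('<>/:%')

# Objects an SNMP write can set and a web console is likely to display.
WATCHED = ('sysName.0', 'sysContact.0', 'sysLocation.0')

# "MIB::object.instance = TYPE: value"; the value may be empty (e.g. sysContact).
_LINE_RE = re.compile(r'^(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s?(?P<value>.*)$')

# Constructed sample walk. Only the sysName line is invented; note that sysDescr
# legitimately contains ':' and '/' (a URL) and must not be flagged.
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software IOS (tm) C3500XL Software, TAC Support: http://www.cisco.com/tac
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.287
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (614103166) 71 days, 1:50:31.66
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: x0neSwitch<script>alert("xss snmp")</script>
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 2
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
"""


def parse_walk(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each OID name to a (type, value) pair; lines that do not fit are skipped."""
    objects: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        objects[m.group('oid')] = (m.group('type'), m.group('value').strip())
    return objects


def audit_walk(text: str, watch=WATCHED) -> List[Tuple[str, str, str]]:
    """Return (object, value, suspicious-chars) for every watched STRING object
    whose value contains at least one suspicious character."""
    findings = []
    for oid, (typ, value) in parse_walk(text).items():
        short = oid.split('::', 1)[-1]          # drop the MIB module prefix
        if short not in watch or typ != 'STRING':
            continue
        hits = ''.join(sorted(SUSPICIOUS_CHARS & set(value)))
        if hits:
            findings.append((short, value, hits))
    return findings


if __name__ == "__main__":
    for obj, value, hits in audit_walk(SAMPLE_WALK):
        print(f"{obj}: suspicious characters {hits!r} in {value!r}")
```

Restricting the check to the three writable string objects is deliberate: sysDescr carries a support URL on every Cisco box, so a blanket scan for ":" and "/" would flag every device. Run this over a saved walk per device (snmpwalk against the system group, output redirected to a file) rather than from the script itself, so the audit needs no SNMP library and no network access at run time.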

Acknowledgements

  • http://www.procheckup.com/PDFs/SNMP_injection.pdf
  • Adrian Pastor of GNUCitizen


Comments

Very Sexy!

Very Cool Stuff Dude!

--riley porter
www.synthetos.com

Problem with activation

Hi there, I don't know if I am writing in the proper board, but I have got a problem with activation: the link I receive in the email is not working... http://www.dueyesterday.net/?82b25e4f67878ec3dc434b6485b,