BlackHat EU 2011 Hedfors Owning the Datacenter-Slides
8/3/2019 BlackHat EU 2011 Hedfors Owning the Datacenter-Slides
Owning the data centre, Cisco NX-OS
George Hedfors
Working for Cybercom Sweden East AB (http://www.cybercomgroup.com)
12 years as IT and information security consultant. Previously worked for iX Security, Defcom, NetSec, n.runs and Pinion.
Contact: [email protected]
Web page: http://george.hedfors.com
2011-03-18 Black Hat Europe 2011
-
Topics
Short intro to Cisco NX-OS
History of research
Overview of underlying Linux
Disclosure of vulnerabilities
  Undocumented CLI commands
  Command line interface escape
  Layer 2 attack
  Undocumented user account
  2nd CLI escape (delayed)
  IDDQD
FAQ
-
What is NX-OS?
Based on MontaVista (http://www.mvista.com) embedded Linux with kernel 2.6.10
VDC virtualization: Virtual Device Context
Platforms running NX-OS:
  Nexus 4000 (for IBM BladeCenter)
  Nexus 5000
  Nexus 7000
  MDS 9500 FC Directors
  MDS 9222i FC Switch
  MDS 9100 FC Switches
-
What has been done
Accidentally made a Cisco 7020 fall over with a 9-year-old denial of service attack
Was able to recover core dumps from the attack
Able to extract all files from the Cisco .bin installation package
Found a number of exploitable vulnerabilities
To do: dig deeper into Cisco VDC/VRF security
-
Cisco 7000-series
Typical environment: banking/finance, other large data centers
Impact:
  Full exposure of interconnected networks and VLANs
  Possibility to eavesdrop on and modify traffic
  Switch-based rootkit installation?
-
Overview
LINUX
-
Teh Linux
root?!?
-
Hidden commands
DC3 Shell: the regular Cisco CLI
Configurations contain hidden commands
-
Escaping CLI
-
How could that happen?!
What could possibly go wrong here?
/usr/bin/gdbserver
-
Br0ken architecture
Everything is running as root
Everyone can execute with sudo
Even binaries execute using sudo... Is this even fixable??...
-
What about layer 2?
Cisco Discovery Protocol (CDP)
2001: FX crafted the first CDP DoS attack
2010: the CDP attack was rediscovered in NX-OS
CDP has been daemonized (cdpd) and now runs in the root user context
-
The core dump
-
CDP Daemon vulnerability analysis
A Device ID of more than 255 bytes is used to cause the segfault.
The protocol specification allows the TLV length to be a 16-bit integer.
-
CDP Daemon vulnerability analysis
Debugging (decompiled cdpd; the variable names were lost in extraction, so placeholder names are used here):

    tlv_len = (unsigned __int16)(payload - 4); // size field
    buf_len = payload - 4 + 1;
    buf = (void *) cdpd_malloc(13, buf_len);
    memset(buf, 0, buf_len);
    memcpy(buf, (const void *)(packet_ptr + 4), tlv_len);

0x578 (int) = 1400
0x57 (byte) = 87
Any length larger than 255 is truncated to a byte when the buffer is allocated, while the full 16-bit length is used for the copy, causing a heap overflow in the allocations that follow.
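The truncation described above, as an added example (my code, not code from the talk or from Cisco's cdpd): it builds a CDP Device ID TLV of a chosen length, runs it through a parser that reproduces the pattern on the slide (the TLV length read as 16 bits, the allocation size narrowed to 8 bits) and through a bounds-checked version. The TLV layout (16-bit type 0x0001, 16-bit length that includes the 4-byte header) is standard CDP; the function names, the exact point at which the length is narrowed (the slide's illustration drops a hex digit, this code keeps the low byte; the mechanism is the same), and the 255-byte cap in the fixed parser are assumptions. The vulnerable parser only computes the allocation and copy sizes rather than performing the overflowing memcpy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the talk. Models the cdpd Device ID TLV
 * handling described on the slide; names and the narrowing point are assumed. */

#define CDP_TLV_DEVICE_ID 0x0001
#define CDP_TLV_HDR_LEN   4      /* 16-bit type + 16-bit length (length includes header) */
#define DEVICE_ID_MAX     255    /* assumed sane cap for a hostname-like field */

struct parse_result {
    size_t alloc_len;   /* bytes allocated for the Device ID string */
    size_t copy_len;    /* bytes the parser copies into that allocation */
    int    overflow;    /* 1 if copy_len > alloc_len (heap overflow) */
    int    rejected;    /* 1 if the parser refused the TLV */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Build one Device ID TLV into out; returns bytes written, 0 on error. */
size_t build_device_id_tlv(uint8_t *out, size_t out_cap, const uint8_t *id, uint16_t id_len) {
    size_t total = CDP_TLV_HDR_LEN + (size_t)id_len;
    if (total > out_cap || total > 0xFFFF) return 0;
    out[0] = 0x00; out[1] = CDP_TLV_DEVICE_ID;
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)(total & 0xFF);
    memcpy(out + CDP_TLV_HDR_LEN, id, id_len);
    return total;
}

/* Vulnerable pattern: length read as 16 bits, allocation size narrowed to 8 bits. */
struct parse_result parse_device_id_vulnerable(const uint8_t *tlv, size_t avail) {
    struct parse_result r = {0, 0, 0, 0};
    uint16_t len   = be16(tlv + 2);                          /* full 16-bit TLV length */
    uint8_t  alloc = (uint8_t)(len - CDP_TLV_HDR_LEN + 1);   /* truncated (assumed narrowing point) */
    r.alloc_len = alloc;
    r.copy_len  = (size_t)len - CDP_TLV_HDR_LEN;            /* memcpy would use this */
    r.overflow  = r.copy_len > r.alloc_len;
    (void)avail;  /* the vulnerable code never checks the remaining frame length either */
    return r;
}

/* Hardened parser: full 16-bit length, checked against the frame and a cap. */
struct parse_result parse_device_id_fixed(const uint8_t *tlv, size_t avail) {
    struct parse_result r = {0, 0, 0, 0};
    if (avail < CDP_TLV_HDR_LEN) { r.rejected = 1; return r; }
    uint16_t len = be16(tlv + 2);
    if (len < CDP_TLV_HDR_LEN || len > avail || len - CDP_TLV_HDR_LEN > DEVICE_ID_MAX) {
        r.rejected = 1;
        return r;
    }
    size_t str_len = (size_t)len - CDP_TLV_HDR_LEN;
    r.alloc_len = str_len + 1;                  /* room for the terminating NUL */
    r.copy_len  = str_len;
    char *buf = malloc(r.alloc_len);
    if (!buf) { r.rejected = 1; return r; }
    memcpy(buf, tlv + CDP_TLV_HDR_LEN, str_len);
    buf[str_len] = '\0';
    free(buf);
    return r;
}

/* Constructed input: a Device ID of n 'A' bytes, parsed by either parser. */
struct parse_result run_case(size_t n, int fixed) {
    static uint8_t frame[4096];
    static uint8_t id[4096];
    memset(id, 'A', n);
    size_t tlv_len = build_device_id_tlv(frame, sizeof frame, id, (uint16_t)n);
    return fixed ? parse_device_id_fixed(frame, tlv_len)
                 : parse_device_id_vulnerable(frame, tlv_len);
}

int main(void) {
    struct parse_result v = run_case(1400, 0), f = run_case(1400, 1), s = run_case(7, 0);
    printf("vulnerable, 1400-byte id: alloc=%zu copy=%zu overflow=%d\n", v.alloc_len, v.copy_len, v.overflow);
    printf("fixed, 1400-byte id:      rejected=%d\n", f.rejected);
    printf("vulnerable, 7-byte id:    alloc=%zu copy=%zu overflow=%d\n", s.alloc_len, s.copy_len, s.overflow);
    return 0;
}
```

With a 1400-byte Device ID the length field is 1404, the narrowed allocation size is 1401 mod 256 = 121, and 1400 bytes are copied into it; a short Device ID parses identically in both versions, which is why the bug survives normal CDP traffic and only shows up under a crafted frame.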
-
Undocumented user account
So, where does ftpuser come from?
Default user? Backdoor? Easter egg?
Recovered password: nbv123
-
Searching for nbv123
-
IDDQD?
God Mode!!
-
Bug tracking
CSCti03724 CLI escape in NX-OS using GDB. Workaround: none. Fixed in NX-OS 4.1(4)
CSCti04026 Undocumented user available with default password on NX-OS system. Workaround: none
CSCtf08873 CDP with long hostname crashes CDPD on N7k. Workaround: disable CDP
CSCti85295 NX-OS: SUDO privilege escalation. Workaround: none
-
Thanks
Special thanks to Juan-Manuel Gonzales, PSIRT Incident Manager
-
FAQ
Questions?
Contact: [email protected]