Nmap Development mailing list archives

Re: Cisco Smart Install script


From: Gordon Fyodor Lyon <fyodor () nmap org>
Date: Mon, 9 Sep 2019 10:33:39 -0700

On Mon, Aug 26, 2019 at 4:08 AM XenoN. w0w <e-net15 () hotmail com> wrote:

> Hello guys, during penetration testing engagements I often come across Cisco
> devices which allow me to grab their config over the Smart Install protocol.
>
> I would like to make a script and add functionality of testing and getting
> config within the script.
>
> Here is the link for reference exploit https://github.com/Sab0tag3d/SIET
>
> What do you guys think about it?

Thanks for the details.  And wow, the Cisco advisory[1] really tries to
shirk all responsibility for this mess by writing:

"Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the
Smart Install feature itself but a misuse of the Smart Install protocol,
which does not require authentication by design."

Well maybe they shouldn't have introduced such a lame "feature" in the
first place.  And even though it is broken by design, there are lots of
ways that Cisco could have at least mitigated the problem.  Apparently they
only recently added a command to turn this crap off.

Anyway, yeah, we'd like to see an NSE script or other Nmap features related
to this.  For example, does Nmap version detection (-sV) detect this
properly? Are there good ways to detect the vulnerability (beyond just port
4786 being open) without reconfiguring the device or otherwise being too
intrusive?  I mean an exploitation feature is nice too, but often Nmap
users just want to learn as much as possible about the device and
vulnerability without doing anything too intrusive.

Cheers,
Fyodor

[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi
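The reply above treats "port 4786 being open" as the baseline, non-intrusive indicator of Smart Install exposure. As an added example (not code from the Nmap project or from either poster), the script below takes the XML that `nmap -p 4786 -oX scan.xml <targets>` writes, picks out the hosts where tcp/4786 answered as open, and prints a triage line per host. The sample XML is constructed, not a real scan; the remediation text names the Cisco IOS `no vstack` command, which comes from the Cisco advisory the reply cites, not from the thread itself. An open port only says the listener is reachable, which is exactly the limitation the reply is asking an NSE script to improve on.

```python
"""Triage Nmap XML output for reachable Cisco Smart Install (tcp/4786) listeners.

Added example, not Nmap project code. Reads the output of
`nmap -p 4786 -oX scan.xml <targets>` and reports hosts where tcp/4786 is open.
"""
import sys
import xml.etree.ElementTree as ET

SMI_PORT = 4786  # Smart Install listener port named in the thread

# Constructed sample of Nmap XML output (not a real scan): one open, one closed,
# one filtered, one host that was down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 4786 -oX - 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="4786"><state state="open" reason="syn-ack"/>
      <service name="smart-install" method="table"/></port></ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="4786"><state state="closed" reason="reset"/></port></ports></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="4786"><state state="filtered" reason="no-response"/></port></ports></host>
  <host><status state="down"/><address addr="192.0.2.13" addrtype="ipv4"/></host>
</nmaprun>
"""


def find_smart_install_exposure(nmap_xml: str, port: int = SMI_PORT):
    """Return [(address, state, reason)] for each up host whose tcp/<port> Nmap reported open."""
    root = ET.fromstring(nmap_xml)
    findings = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth reporting
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port_el in host.iter("port"):
            if port_el.get("protocol") != "tcp" or int(port_el.get("portid")) != port:
                continue
            state = port_el.find("state")
            if state is not None and state.get("state") == "open":
                findings.append((addr, state.get("state"), state.get("reason")))
    return findings


def report(findings):
    """Format one triage line per finding; the fix named is Cisco's 'no vstack' IOS command."""
    lines = []
    for addr, state, reason in findings:
        lines.append(
            f"{addr}: tcp/{SMI_PORT} {state} ({reason}) - Smart Install reachable; "
            "confirm the device needs it, otherwise disable it with 'no vstack'"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python smi_triage.py scan.xml   (falls back to the constructed sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    print(report(find_smart_install_exposure(xml_text)) or "no open Smart Install ports found")
```

The parser only looks at the `state` element Nmap writes per port, so filtered or closed results are deliberately not reported; a filtered result usually means a firewall in the path, not a device with Smart Install disabled.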
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/