Re: Update Cisco Smart Install rule 41722

[Alex McDonnell <amcdonnell () sourcefire com>]

Thanks for the information!
I'll have this flagged to investigation.

Alexandre McDonnell
Talos


On Tue, Dec 17, 2019 at 11:11 AM Quentin LATAUD via Snort-sigs <
snort-sigs () lists snort org> wrote:

> Hello everyone,
>
> I am currently performing analysis on the vulnerabilities related to the
> Cisco Smart Install service, to be published in our security magazine.
> 4 Snort rules aim at detecting the packets crafted by the public tools
> exploiting Smart Install (rules # 41722 to 41725, but only the 41722 is
> interesting us here).
> I identified a public exploitation tool that is different from the
> Metasploit exploit and the SIET tool (https://github.com/Sab0tag3d/SIET),
> available at the following URL :
>
> https://github.com/ChristianPapathanasiou/CiscoSmartInstallExploit
>
> I replayed it, and the exploit works on my Cisco switch (Catalyst 3750G
> PoE24). It actually differs from the packet that triggers the Smart Install
> rule 41722 because it does not contain the plaintext string ‘  ://  ‘.
> This exploit is actually NOT mentioned in the Talos blog post about Smart
> Install:
> https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html
>  .
>
> The original exploit packet contains this string command : configure
> tftp-server nvram:startup-config (see file
> Cisco_Smart_Install_Snort_bypass.pcap, packet #5). Actually, this string is
> not interpreted by the switch, which opens its TFTP server upon reception
> of any other string command, if the packet structure matches the one
> mentioned on the attached pcap file.
>
> The attached pcap demonstrate that it is possible to trigger a TFTP
> transfer in order to steal the configuration file of the Cisco switch. What
> differs from the famous exploits (Metasploit and SIET) is that the TFTP
> transfer is initiated by the attacker, not by the switch itself.
>
> So my suggestion is to change rule #41722 and remove the  content:"://" part
> of the rule, only to keep the 00000001 00000001 00000008 fingerprint.
> With this change, the rule #41722 will match both exploits packet.
>
> Thank you,
>
> Best regards,
> —
>
>
>
>
> Quentin LATAUD
> Security Consultant / Pentester
>
> +33 (0)1 79 35 29 30
> 18 rue Bayard 75008 PARIS - France
>
>
> www.xmco.fr / blog.xmco.fr
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!