Snort mailing list archives
Re: Update Cisco Smart Install rule 41722
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Tue, 17 Dec 2019 12:34:18 -0500
Thanks for the information! I'll have this flagged to investigation.

Alexandre McDonnell
Talos

On Tue, Dec 17, 2019 at 11:11 AM Quentin LATAUD via Snort-sigs <snort-sigs () lists snort org> wrote:
Hello everyone,

I am currently performing analysis on the vulnerabilities related to the Cisco Smart Install service, to be published in our security magazine. Four Snort rules aim at detecting the packets crafted by the public tools exploiting Smart Install (rules #41722 to 41725, but only 41722 interests us here).

I identified a public exploitation tool that is different from the Metasploit exploit and the SIET tool (https://github.com/Sab0tag3d/SIET), available at the following URL: https://github.com/ChristianPapathanasiou/CiscoSmartInstallExploit

I replayed it, and the exploit works on my Cisco switch (Catalyst 3750G PoE24). It actually differs from the packet that triggers the Smart Install rule 41722 because it does not contain the plaintext string '://'. This exploit is actually NOT mentioned in the Talos blog post about Smart Install: https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html

The original exploit packet contains this string command: configure tftp-server nvram:startup-config (see file Cisco_Smart_Install_Snort_bypass.pcap, packet #5). Actually, this string is not interpreted by the switch, which opens its TFTP server upon reception of any other string command, if the packet structure matches the one mentioned in the attached pcap file. The attached pcap demonstrates that it is possible to trigger a TFTP transfer in order to steal the configuration file of the Cisco switch. What differs from the famous exploits (Metasploit and SIET) is that the TFTP transfer is initiated by the attacker, not by the switch itself.

So my suggestion is to change rule #41722 and remove the content:"://" part of the rule, keeping only the 00000001 00000001 00000008 fingerprint. With this change, rule #41722 will match both exploit packets.
Thank you, Best regards,

--
Quentin LATAUD
Security Consultant / Pentester
+33 (0)1 79 35 29 30
18 rue Bayard 75008 PARIS - France
www.xmco.fr / blog.xmco.fr

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
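As an added illustration (not code from this thread, from Talos, or from the Snort ruleset), the Python below evaluates simplified stand-ins for the two rule shapes Quentin describes against constructed payloads: the original shape requires both the fingerprint and the literal "://", the proposed shape requires the fingerprint alone. Everything here beyond the thread's own words is an assumption: the "00000001 00000001 00000008" fingerprint is read as three big-endian 32-bit words (12 raw bytes), the rule bodies use a local sid range and no offset/distance/within modifiers, and the sample payloads are constructed byte strings (fingerprint plus a command text), not real Smart Install packets. The third sample shows the practical caveat: dropping "://" does not make the rule fire on ordinary URL-bearing traffic, because the fingerprint still anchors the match.

```python
"""Toy evaluator for Snort 'content:' options (added example, not the real
rule 41722 and not Talos code).

Assumptions not taken from the thread:
  * the "00000001 00000001 00000008" fingerprint is read as three big-endian
    32-bit words, i.e. the raw bytes |00 00 00 01 00 00 00 01 00 00 00 08|;
  * the rule bodies are simplified stand-ins (local sid range, no
    offset/distance/within modifiers) shaped only to show the difference;
  * the sample payloads are constructed byte strings, not real Smart
    Install packets.
"""
import re

# Constructed fingerprint (assumption: three big-endian 32-bit words).
FINGERPRINT = bytes.fromhex("00000001" "00000001" "00000008")

# Stand-in for the shape of the original rule: fingerprint AND "://".
ORIGINAL_SHAPE = (
    'alert tcp any any -> any 4786 (msg:"Smart Install - original shape"; '
    'content:"|00 00 00 01 00 00 00 01 00 00 00 08|"; content:"://"; '
    'sid:1000001; rev:1;)'
)

# Stand-in for the proposed change: fingerprint only.
PROPOSED_SHAPE = (
    'alert tcp any any -> any 4786 (msg:"Smart Install - proposed shape"; '
    'content:"|00 00 00 01 00 00 00 01 00 00 00 08|"; '
    'sid:1000002; rev:1;)'
)

# Constructed samples (labels are ours; only the shapes follow the thread).
SAMPLES = {
    # URL-carrying command text, so the "://" literal is present, as the
    # thread says the Metasploit/SIET packets do.
    "url_style": FINGERPRINT + b"copy startup-config tftp://192.0.2.10/switch.cfg",
    # The variant from the thread: same fingerprint, no "://" anywhere.
    "bypass_style": FINGERPRINT + b"configure tftp-server nvram:startup-config",
    # Unrelated traffic containing "://" but not the fingerprint.
    "benign_http": b"GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def parse_content(option: str) -> bytes:
    """Convert a Snort content string such as 'abc|00 01|def' into raw bytes.
    Text outside |...| is literal; text inside is space-separated hex."""
    out = bytearray()
    for i, part in enumerate(option.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


def rule_contents(rule: str) -> list:
    """Every content:"..." option in a rule body, in order."""
    return [parse_content(m) for m in re.findall(r'content:"([^"]*)"', rule)]


def rule_matches(rule: str, payload: bytes) -> bool:
    """Snort requires every content option to match (AND semantics); relative
    modifiers are not modelled here, so each option is an unanchored search."""
    return all(c in payload for c in rule_contents(rule))


def coverage(rule: str) -> dict:
    """Report which constructed samples a rule shape fires on."""
    return {name: rule_matches(rule, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL_SHAPE), ("proposed", PROPOSED_SHAPE)):
        print(label, coverage(rule))
```

Run stand-alone it prints, for each shape, which of the three constructed samples match; the original shape misses the bypass_style sample and the proposed shape catches both Smart Install samples while still ignoring the plain HTTP request.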