Exploiting the Smart Install Client Vulnerability and Resetting the Telnet Password on a Catalyst 2960 Switch

As is well known, Cisco is one of the biggest vendors of network devices, alongside competitors such as HPE, Juniper and Huawei. At the beginning of March 2018, International Data Corporation (IDC) released an article about the top 5 network device companies ranked by their revenue up to the end of 2017. The detailed chart is shown in the figure below:

Source : https://www.networkworld.com/article/3211410/lan-wan/the-10-most-powerful-companies-in-enterprise-networking.html

According to the figure above, Cisco was leading with the biggest revenue, USD 6,2 million. That is why many of Cisco's products are exploited or attacked by hackers, and why many vulnerabilities are disclosed on several forums. Moreover, we were taken aback by the interesting news released by WikiLeaks about the secret documents of the CIA (USA) covering their intelligence operations, known as Vault7. Those documents describe many zero-day and malware exploits for products of well-known vendors such as IOS, Samsung, Microsoft and Cisco. Two of those exploits target the Smart Install Client vulnerability (CVE-2016-1349) and the Cluster Management Protocol (CVE-2017-2881).

In this article, we show a proof of concept of both vulnerabilities on a Catalyst 2960 switch using the scenario below:

Here are the detailed steps for exploiting those vulnerabilities:

  • Check the firmware version of the switch from the host client over a serial connection.
  • Check the status of the Smart Install Client configuration and its port (4786).
  • Then, from the attacker side, we use Metasploit to probe the status of the Smart Install Client with the auxiliary module shown below:
  • According to both figures above, the Smart Install Client is active and the port is open. Besides Metasploit, we also checked the configuration using an incredible tool developed by Sab0tag3d.
  • For the first exploit test, we ran the buffer overflow attack using the Python script developed by Embeddi, smi_ibc_init_discovery_BoF.py, as shown below:
  • As the impact of the BoF attack shown above, the switch crashed as in the figure below (seen from the host client via the serial connection):
  • One of the features of SIET is grabbing the configuration file of the device, as shown below:
  • According to the figure above, we succeeded in grabbing the configuration file, saved as “192.168.1.1.conf”. Here we check the content of the file:
  • The figure above contains an interesting piece of information: the plaintext credential for configuration mode. That is a misconfiguration of the switch; the password should be stored encrypted using the “secret [password]” command. The configuration mode password is “cisco”.
  • Then we checked the telnet connection from the attacker machine, as shown below:
  • According to the figure above, the switch has a telnet service secured by a password. Let's reset the password using the Python script developed by Artkond, shown below (c2960-lanbasek9-m-12.2.55.se11.py):
  • Finally, we succeeded in resetting the telnet password and entering the configuration mode of the switch.

In order to fix those vulnerabilities, several recommendations should be followed:

  1. Update the firmware of the switch immediately.
  2. Replace the telnet remote-access service with SSH.
  3. Disable the Smart Install Client if it is not used.
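The three weaknesses above (a plaintext enable password in the grabbed configuration, the Smart Install client left enabled, and telnet on the VTY lines) can be checked for automatically. The following audit script is an added example, not part of the original post or any of the tools it mentions; the sample configuration is constructed to mirror the shape of the “192.168.1.1.conf” file described above, and the function names are my own.

```python
import re

# Constructed sample in the shape of the grabbed "192.168.1.1.conf": plaintext enable
# password, no "no vstack" line (client still on), telnet permitted on the VTY lines.
WEAK_CONFIG = """\
version 12.2
hostname SW2960
enable password cisco
!
line vty 0 4
 password cisco
 login
 transport input telnet
!
end
"""

def vty_transports(lines):
    """Return (header, transport_args) per 'line vty' block; None if not set."""
    blocks, i = [], 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, transport, i = lines[i], None, i + 1
            while i < len(lines) and lines[i].startswith(" "):  # indented body
                m = re.match(r"\s+transport input (.+)", lines[i])
                if m:
                    transport = m.group(1).split()
                i += 1
            blocks.append((header, transport))
        else:
            i += 1
    return blocks

def audit_ios_config(text):
    """Flag the misconfigurations the post's attack chain relied on."""
    lines = text.splitlines()
    findings = []
    # type 0 / type 7 'enable password' is recoverable from the config file
    if any(l.startswith("enable password") for l in lines):
        findings.append("enable password present: use 'enable secret' instead")
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("no 'enable secret' configured")
    # On the 12.2(55)SE train used in the post the Smart Install client is on
    # unless the config explicitly contains 'no vstack' (assumption for other trains).
    if "no vstack" not in lines:
        findings.append("Smart Install client not disabled (missing 'no vstack')")
    for header, transport in vty_transports(lines):
        if transport is None or "telnet" in transport or "all" in transport:
            findings.append(f"{header}: telnet allowed; set 'transport input ssh'")
    return findings
```

Running `audit_ios_config(WEAK_CONFIG)` yields four findings; a configuration with `enable secret`, `no vstack` and `transport input ssh` under `line vty` yields none.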


References:
