Hacking NX-OS Part 3

Some notes from when I first started hacking away at NX-OS in 2011:

Basically, the underlying Nexus operating system is made by MontaVista and was formerly called Hard Hat Linux (a hardened version of Red Hat Linux). I can tell you that there are numerous ways to attack these boxes. Some that I have found:

  1. PATH not properly set in shell scripts
  2. Input not properly sanity checked in scripts
  3. IFS together with PATH exploitable
  4. gdbserver running as root can allow you to kill any process, including securityd
  5. The binaries for the most part are stripped, so there is no symbol information. I plan to eventually reconstruct the symbol table using some tools. This combined with gdb would give you the ability to call any function you want as root.
  6. Many processes run as root (via /etc/sudoers); it’s very sloppy
  7. I have found at least 5 ways to get shell access.
  8. gdb could (theoretically) be used to overflow the stack on a number of functions to run arbitrary shellcode. I haven’t done this because it’s tedious, but it should work. The security problem is that you can use gdb to remotely connect in the first place.
  9. At least one serious problem is the ability to crash a Nexus remotely via CDP; I don’t believe this is fixed yet.
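
A defensive check for findings 1 and 3 in the list above, as an added example that is not code from the original post or from NX-OS: a heuristic lint that flags shell scripts which inherit PATH or IFS from the caller. The function names, finding codes and both sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: heuristic lint for findings 1 and 3 (PATH and IFS taken from the caller).
# audit_script and the finding codes are hypothetical names, not NX-OS tooling.

# audit_script FILE: print one finding code per line; print nothing if the script is clean.
audit_script() {
    file=$1
    re='^[[:space:]]*(export[[:space:]]+)?PATH='
    if ! grep -Eq "$re" "$file"; then
        echo "path-inherited"
    else
        # Value of the first PATH assignment, without quotes or trailing comment.
        val=$(grep -E "$re" "$file" | head -n 1 |
            sed -E 's/^[^=]*=//; s/[[:space:]]*#.*$//' | tr -d "\"'")
        # Every entry must be absolute: ".", "", "$PATH" and relative names all fail.
        if printf '%s\n' "$val" | tr ':' '\n' | grep -qv '^/'; then
            echo "path-unsafe-entry"
        fi
    fi
    # A script that word-splits input must not trust the caller's IFS.
    if ! grep -Eq '^[[:space:]]*(unset[[:space:]]+IFS|IFS=)' "$file"; then
        echo "ifs-inherited"
    fi
}

# write_samples DIR: constructed sample scripts, one weak and one hardened.
write_samples() {
    cat > "$1/weak.sh" <<'EOF'
#!/bin/sh
PATH=.:$PATH
for f in $1; do gzip "$f"; done
EOF
    cat > "$1/hardened.sh" <<'EOF'
#!/bin/sh
unset IFS
PATH=/bin:/usr/bin
export PATH
for f in "$@"; do /bin/gzip -- "$f"; done
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for s in weak.sh hardened.sh; do
    echo "$s: $(audit_script "$tmp/$s" | tr '\n' ' ')"
done
rm -rf "$tmp"
```

The lint is line-based, so it only looks at the first PATH assignment and does not follow sourced files; treat a clean result as a starting point for review of any script that runs with elevated privileges.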

Productive evening. I was able to get shell access on a 5k, 7k, 1000v, and MDS; that is, from the CLI I was able to get to an actual bash shell. Oddly, using different exploits on MDS vs. 5k/7k/1000v. As far as I know these are not known to Cisco. It’s not really a serious issue since you have to have access to the box anyway. I only tried as admin, but it’s likely to work from any user level.

I did not post every method that I was able to obtain root with, nor did I post the straightforward malicious methods such as constructing a special CDP packet that will take NX-OS down every time (at least it used to). If you have any interesting things you have found in NX-OS please let me know!


The gdb is visible via the which command. You can do “sh processes” and see all processes, then use “gdp <process id>” to run gdb as a server.

Then from your workstation you can connect to the gdb process using “gdb target remote x.x.x.x:yyyyy”, where x.x.x.x is the IP address of the MDS and yyyyy is the port that gdb says it’s listening on (starts at 10001). Then you can use gdb to do things like stack smashing and other hacks. These are advanced topics beyond what I am willing to write here, but trivial for those that know security and gdb.

I have found many security holes in the shell programs, and can pass things from the CLI that crash the system. Yes, most of these work in older versions of SAN-OS as well as NX-OS.

