Hacking NX-OS Part 3
PATH not properly set in shell scripts
Input not properly sanity-checked in scripts
IFS together with PATH exploitable
gdbserver runs as root, which can allow you to kill any process, including securityd
The binaries are for the most part stripped, so there is no symbol information. I plan to eventually reconstruct the symbol table using some tools; combined with gdb, this would give you the ability to call any function you want as root.
Many processes run as root (via /etc/sudoers); it's very sloppy
I have found at least 5 ways to get shell access.
gdb could (theoretically) be used to overflow the stack on a number of functions to run arbitrary shellcode. I haven't done this because it's tedious, but it should work. The security problem is that you can use gdb to remotely connect in the first place.
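The first three findings above (unpinned PATH, unchecked input, and IFS abuse) share one root cause: a privileged script trusting its caller's environment and arguments. The following is an added example, not code from the original post or from NX-OS, showing the defensive pattern a reviewer would ask for in such scripts. The function names, the character allow-list and the port range are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post, not NX-OS code): a small
# POSIX sh library showing how a privileged wrapper script should pin its
# environment and validate its inputs. Function names and the allow-list
# are assumptions chosen for illustration.

# 1. Pin the environment before any external command runs. An inherited
#    PATH can point "ls" at a binary the caller controls; an inherited IFS
#    changes how unquoted expansions split into words. Unsetting IFS
#    restores the default <space><tab><newline> splitting.
harden_env() {
    PATH=/usr/bin:/bin
    export PATH
    unset IFS
    umask 077
}

# 2. Accept only what the script expects. A name is valid if it consists
#    of [A-Za-z0-9_.-], is at most 64 characters, does not start with "-"
#    (so it can never be parsed as an option) and contains no "..".
valid_name() {
    case $1 in
        ''|-*|*..*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 64 ]
}

# A port is valid if it is 1..5 digits and in the range 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# 3. Resolve each external command to an absolute path *after* PATH is
#    pinned, and fail closed if the name is malformed or resolves to
#    anything outside the pinned directories (aliases, functions,
#    builtins or a binary elsewhere on disk).
resolve_cmd() {
    valid_name "$1" || return 1
    harden_env
    p=$(command -v "$1") || return 1
    case $p in
        /usr/bin/*|/bin/*) printf '%s\n' "$p" ;;
        *) return 1 ;;
    esac
}
```

Usage: source the file from the wrapper script, call `harden_env` as the first statement, validate every argument with `valid_name` or `valid_port` before it is used, and invoke external tools as `"$(resolve_cmd ls)"` with all expansions double-quoted. The check in `resolve_cmd` is what makes the PATH fix hold: pinning PATH is only useful if the script also refuses to run anything that did not resolve inside the pinned directories.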
At least one serious problem is the ability to crash a Nexus remotely via CDP; I don't believe this is fixed yet.

Productive evening. I was able to get shell access on a 5k, 7k, 1000v, and MDS, that is, from the CLI I was able to get to an actual bash shell, oddly using different exploits on MDS vs. 5k/7k/1000v. As far as I know these are not known to Cisco. It's not really a serious issue since you have to have access to the box anyway. I only tried as admin, but it's likely to work from any user level. I did not post every method I was able to obtain root with, nor did I post the straightforward malicious methods such as constructing a special CDP packet that will take NX-OS down every time (at least it used to). If you have any interesting things you have found in NX-OS please let me know!

gdb

gdb is visible via the which command. You can do "sh processes" and see all processes, then use "gdb <process id>" to run gdb as a server. Then from your workstation you can connect to the gdb process using "gdb target remote x.x.x.x:yyyyy", where x.x.x.x is the IP address of the MDS and yyyyy is the port gdb says it is listening on (starts at 10001). Then you can use gdb to do things like stack smashing and other hacks. These are advanced topics beyond what I am willing to write here, but trivial for those who know security and gdb. I have found many security holes in the shell programs, and can pass things from the CLI that crash the system. Yes, most of these work in older versions of SAN-OS as well as NX-OS.