35 comments

[ 3.1 ms ] story [ 86.5 ms ] thread
without the enable password, you can't do much
except pivot into a higher-privileged management network full of juicy--and typically totally unpatched--Out-of-Band management equipment (consoles, IPMI, industrial gear)
Could you elaborate to those of us not familiar with Cisco routers?

My understanding is this exploit disables password authentication and allows you to access the device. A seperate command allows you to re-enable it.

Would this re-enabling kill your current connection? Is the password later needed to change settings on the router (like if you typed sudo and are forced to re-authenticate)?

In my lab, re-enabling did not kill the current connection, so it could be a very quick switch flick, login, revert to try and avoid detection.
The "enable" password is sort of like the root account on Cisco gear. When you first connect, you're in a low-priv state where you can do simple things like see the uptime of the device, interface info, etc. But to make any changes to the settings on the router, you have to run the "enable" command which typically asks for a password which is separate from the login password.

I guess the name comes from enabling admin functionality, but I don't know why Cisco didn't call the command admin. Anyway, this enable is different from enabling/disabling the login authentication.

On a Cisco router you login via SSH or Telnet, then you run a command to become 'enabled'. enable is a command like sudo on Linux-it elevates your permission level so you can make changes (although not all changes require you to be enabled, most do).

If you used ExtraBacon to clear the login user/password you would get a basic shell on connection. This would open at least 2 options to you as an attacker-1) using a local exploit to become an enabled user and 2) you can now send traffic to ALL the networks that the firewall/router knows about-for example, a non-internet connected management network that might be filled with never upgraded KVM/OOB control equipment.

Thanks! #2 definitely seems like a big issue. I can imagine many "internal" services that are potentially insecure.
My fav is IPMI. Many devices allow you to log in using cipher 0... basically, if you know the username, you get access. The rest... well, IMPI has a hash disclosure built into the protocol. If you can guess a username, you can get (and try to crack) the password.
So, I just did this. this is how i gained access to the ASA.

ssh alsjfailjgfakjndfakldflkajd@10.1.1.1

and I was in. Then i did:

en

it asked for a password, and i typed:

al;kdf;aklfjglkadfjglkadjfgljfglksjdf

and i was in.

kind of scary

For those without `showdead` on: (@dang / @sctb: this seems to be a false positive)

> XORcat 18 minutes ago [dead] [-]

> In my lab, re-enabling did not kill the current connection, so it could be a very quick switch flick, login, revert to try and avoid detection.

(comment deleted)
Instead of copying & pasting, you should be able to click on the timestamp of the comment and then click "Vouch" (which I just did for XORcat's comment).
Maybe you need a certain minimum karma level to have access to vouch?
This seems to be the case, at 926 karma I have comment downvotes but no vouch button yet.
Thanks for the tip and the vouching - as schoen suggests, it seems like I need a little bit more karma for this.
Ha! Someone sent 1.5 BTC (~800 USD) to the hacker's address 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK to bid on eqgrp_auction_file.tar.xz.asc. He sent it from a vanity bitcoin address starting with "1nice" ;-) https://blockchain.info/tx/c44b40b6d845d9cc256e21606821569db...
It embeds a Bitmessage[1] address using the OP_RETURN[2] opcode as EquationGroup requested:

    BM-2cXe6wAT7yTgoxGCpDMmdWq2xxWcdmL3Ek
[1] https://bitmessage.org/wiki/Main_Page [2] https://en.bitcoin.it/wiki/OP_RETURN
Could be the hackers themselves for all you know.
"ExtraBaconDemo" Ok, this is going to be hilarious.
So I downloaded the files and poked around the Python code. The code looked positively amateurish, not in its functionality (I'm sure it works) but in the coding style. I'm not sure what I expected, but the formatting, the types of comments, it all looked like it was written by someone who just started out with Python. Maybe it was written very hastily, I don't know, but I encourage others to take a look. It's interesting to see the source for this kind of stuff.
Maybe the coding style was done on purpose to defend against attribution?
Most hardcore reversers/exploit devs are not software engineers.
Be careful what you say.
Many people in infosec generally learn programming on their own and only code for their own need. They don't care about coding style, small optimizations, programming best practices, etc.
I'm curious if this has to do with their generally broken English, as I read on what I think was their blog post. Does English proficiency affect coding "fluency", seeing as you are coding in English?
They didn't author this. They state they stole it from the NSA.
I don't think that the English of that message is real. Looks made up, maybe too give a better aura of mystery and possibly to avoid the risk of being recognised by some writing style analysis software.
It looks exactly like I expect. It looks like what was written by a hacker. The end goal is to solve a problem. This code was not generated from a business requirements. It was not written for others to maintain. It's not going to be changing. It doesn't need tests. The author understands it and needs minimal comments. There is no need to make it object oriented, use design patterns or make it fancy. There are lots of such sources online. Here is an exploit for the stagefright/python code https://github.com/jduck/cve-2015-1538-1/blob/master/Stagefr...

Here is another exploit in ruby, https://github.com/jduck/addjsif/blob/master/add_js_interfac...

If we assume that the code really comes from a member of the "Equation Team" and we trust the conclusion from Kaspersky that those people are among the upper echelons of NSA hacker groups it is maybe a good point in time that we give our expectations a reality check.

What counts in the real world is that it gets the job done, unfortunately no time for fancy pythonic delicacies or experiments in functional coding paradigms.

Sorry for the little rant and nothing personal, I just find critizicing other people's code without considering the constraints under it was created an extremely annoying habit among my fellow coders.

Someone at Kiwicon (2015, I think?) went through breaking into a CISCO router. Newer Cisco hardware actually runs a Linux kernel and one, massive (I think it was like 50MB) binary. There's only one ethernet device too because the others are controlled by user-space PCI devices within that binary.

For what I could tell, it looked like Cisco use to have a full independent OS (ios) and when they switched to Intel hardware, it was easier for them to just build a shim layer between Linux and their OS so they could run on cheaper/newer hardware without a massive rewrite.

Anyway, that guy responsibly disclosed and his exploit was patched, but it did give full access to everything, including the ability to create new routes and filters that wouldn't even be visible from within ios.