
Cisco SNMP Injection
A few months back I was asked to help with some testing on several networking devices. The devices I set up to test on were my Cisco routers, switches and access points. The goal of the testing was to identify whether or not malicious input could be used as a device's name. If so, further testing would be done to see whether the malicious code would be executed upon a successful login to the device (over HTTP). The result was successful on all of the devices. Below is my documentation from the testing.
Demo
Video of a sample attack can be found here.
Screenshots from testing can be found here.
Problem
This attack uses SNMP and the lack of special character filtering to inject malicious code within the web consoles of Cisco devices. The devices tested were:
- Cisco 1130 Access Point
- Cisco 3640 Router
- Cisco 3700 Series Router
- Cisco 3524XL Switch
I was able to inject a simple JavaScript alert box onto each of the devices and successfully see it upon logging into the web console (see attached screenshots). Though this demonstration in itself does not pose a significant threat, the fact that JavaScript was indeed executed means the attack can be taken much further.
Configuration Break Down
- SNMP has to be enabled with a read/write community string
- ip http server must be on (it may be possible to turn this on via SNMP)
Another thing that should be mentioned is that the Cisco 1130 Access Point displayed the host name on all of the pages, but the injection did not execute until you went to System Information and then Tech Support:
- http://AP_Address/exec/show/tech-support/cr
- http://AP_Address/level/15/exec/-
- http://AP_Address/level/15/exec/-/configure/http
The others (router and switch) worked right from the beginning and were affected on all pages. Below is the string used to pop up an alert box after a successful login.
snmpset -v2c -c public1 192.168.0.101 sysName.0 string "jstag alert("""xss snmp""")/jstag"
Note that jstag would be replaced with the script tag. For whatever reason the use of “””URL””” was translated to a single “URL”, allowing me to specify a string for the alert.
Solution
Because special characters are allowed when setting a hostname, this attack can be turned into something malicious. To mitigate it, consider rejecting special characters (specifically “<”, “>”, “/”, “:”, “%”) when setting the hostname (or any other string variable such as location or admin contact) of a device.
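The following Python is an added example, not code from the original write-up or from Cisco. It shows the two defensive halves of the fix the Solution section describes: rejecting the listed special characters when a hostname-like value is set (with a stricter RFC 1123 allow-list as an assumed, conventional alternative), and HTML-encoding the value at output time so a web console cannot execute whatever is stored in sysName. It also audits a constructed list of (address, sysName) pairs, as a poller might return them, and flags values carrying markup characters. The sample addresses and names are constructed for the example.

```python
import html
import re

# Deny-list from the write-up: characters to reject when sysName, sysLocation
# or sysContact is set. Constructed here from the page's own list.
FORBIDDEN_CHARS = set('<>/:%')

# Allow-list alternative (assumption: RFC 1123 label syntax, not Cisco's rule):
# letters, digits, hyphens; 1-63 chars per label; no leading/trailing hyphen.
HOSTNAME_LABEL = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def reject_forbidden(value: str) -> bool:
    """Deny-list check as proposed in the write-up: True if value is clean."""
    return not (FORBIDDEN_CHARS & set(value))


def is_valid_hostname(value: str) -> bool:
    """Allow-list check: every dot-separated label must match RFC 1123 syntax."""
    if not value or len(value) > 253:
        return False
    return all(HOSTNAME_LABEL.match(label) for label in value.split('.'))


def render_banner(sys_name: str) -> str:
    """Output-side defence: HTML-encode the value before embedding it in a page.

    Even if a markup-laden value reaches the device, encoding at render time
    turns it into inert text in the browser.
    """
    return f"<title>{html.escape(sys_name, quote=True)}</title>"


def audit_sys_names(records):
    """Flag sysName values that contain markup characters or are not valid hostnames.

    records: iterable of (ip, sysName) tuples, e.g. from an SNMP poller.
    Returns a list of finding dicts.
    """
    findings = []
    for ip, name in records:
        bad = sorted(FORBIDDEN_CHARS & set(name))
        if bad or not is_valid_hostname(name):
            findings.append({"ip": ip, "sysName": name, "forbidden": bad})
    return findings


# Constructed sample values, shaped like what an SNMP poller would return.
SAMPLE_SYSNAMES = [
    ("192.0.2.10", "core-rtr1"),
    ("192.0.2.11", "sw1.example.net"),
    ("192.0.2.12", '<script>alert("xss snmp")</script>'),
    ("192.0.2.13", "ap 1130"),  # no forbidden char, but not a valid hostname
]

if __name__ == "__main__":
    for finding in audit_sys_names(SAMPLE_SYSNAMES):
        print(finding)
    print(render_banner(SAMPLE_SYSNAMES[2][1]))
```

The deny-list alone catches the payload the write-up uses, but the allow-list is the safer default because it also refuses quotes, spaces and anything else a future encoding trick might lean on; the output encoder is what protects a console that already holds a tainted value.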
Conclusions
The proof of concept demonstrated will do no true harm to a user, but the video shows what an attacker could do. What administrators need to keep in mind is that attackers will not care about popping up alert boxes. Their goal will be to execute JavaScript in the victim's browser. Attacks could range from password stealing to browser hijacking depending on the method taken. Administrators should ensure that, if SNMP is enabled, they are using a strong community string that cannot easily be guessed.
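The following Python is an added example, not code from the original write-up or from Cisco. It audits a constructed IOS running-config excerpt for the two preconditions the Configuration Break Down lists (a read/write community and ip http server) and for the weak community strings the Conclusions warn about, then checks a constructed hardened excerpt that reports clean. The weak-string list and the 12-character minimum are assumptions for the example; the config lines follow standard IOS syntax but are constructed, not taken from the tested devices.

```python
import re

# Assumed list of default or commonly guessed community strings for the example;
# an organisation would extend it with its own known-weak values.
WEAK_COMMUNITIES = {"public", "private", "public1", "cisco", "admin"}
MIN_COMMUNITY_LEN = 12  # assumed policy threshold, not a Cisco requirement

# snmp-server community <string> [view <name>] RO|RW [<access-list>]
COMMUNITY_RE = re.compile(
    r'^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?\s*$',
    re.IGNORECASE,
)


def audit_running_config(config_text: str):
    """Return findings for the SNMP/HTTP settings that make the sysName injection possible."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ip http server":
            findings.append("ip http server is enabled; disable it if the web console is not needed")
            continue
        m = COMMUNITY_RE.match(line)
        if not m:
            continue  # SNMPv3 user/group lines and unrelated config are skipped
        community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        if community.lower() in WEAK_COMMUNITIES or len(community) < MIN_COMMUNITY_LEN:
            findings.append(f"community '{community}' is weak or guessable")
        if mode == "RW":
            findings.append(f"community '{community}' has write access; sysName can be set remotely")
        if acl is None:
            findings.append(f"community '{community}' has no access-list restricting source addresses")
    return findings


# Constructed excerpt resembling the test setup described in the write-up.
SAMPLE_CONFIG = """\
hostname core-rtr1
ip http server
snmp-server community public1 RW
snmp-server community Rv9kT2pLm4xQ8wZs RO 10
access-list 10 permit host 192.0.2.50
"""

# Constructed hardened excerpt: no web server, read-only community bound to an
# ACL, and SNMPv3 with authentication and privacy for any write access.
HARDENED_CONFIG = """\
hostname core-rtr1
no ip http server
snmp-server community Rv9kT2pLm4xQ8wZs RO 10
access-list 10 permit host 192.0.2.50
snmp-server group NMS-RW v3 priv
snmp-server user nms-poller NMS-RW v3 auth sha AUTH-PASSPHRASE-PLACEHOLDER priv aes 128 PRIV-PASSPHRASE-PLACEHOLDER
"""

if __name__ == "__main__":
    for finding in audit_running_config(SAMPLE_CONFIG):
        print("sample:", finding)
    print("hardened findings:", audit_running_config(HARDENED_CONFIG))
```

Run against the sample excerpt, the audit reports the enabled web server and three problems with the public1 community (guessable, write access, no source ACL); the hardened excerpt yields no findings because write access has moved to an authenticated, encrypted SNMPv3 user.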
Acknowledgements
- http://www.procheckup.com/PDFs/SNMP_injection.pdf
- Adrian Pastor of GNUCitizen
- Brandon.Dixon's blog