Merge pull request #213 from aleff-github/patch-59

Auto-Check Cisco IOS XE Backdoor based on CVE-2023-20198 and CVE-2023-20273
pull/227/head
Kalani Helekunihi 2024-05-24 16:17:38 -04:00 committed by GitHub
commit 525a4382fa
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 228 additions and 0 deletions

View File

@ -0,0 +1,134 @@
# Auto-Check Cisco IOS XE Backdoor based on CVE-2023-20198 and CVE-2023-20273
Use this script to set up an automated integrity verification system for your Cisco IOS XE machine in relation to the attack that could create a backdoor on Cisco IOS XE systems vulnerable to CVE-2023-20198 and CVE-2023-20273.
**Category**: incident-response
![](/assets/1.png)
## Index
- [Auto-Check Cisco IOS XE Backdoor based on CVE-2023-20198 and CVE-2023-20273](#auto-check-cisco-ios-xe-backdoor-based-on-cve-2023-20198-and-cve-2023-20273)
- [Payload Description](#payload-description)
- [Settings](#settings)
- [Regex](#regex)
- [Conseguence](#conseguence)
- [Administrator Permissions](#administrator-permissions)
- [Sources](#sources)
- [Credits](#credits)
## Payload Description
This script can be used to set up a Shell script that allows users of Cisco IOS XE-based systems to periodically check for potential attacks using the recent 0-day vulnerabilities CVE-2023-20198 and CVE-2023-20273.
As of now, patches for these vulnerabilities have not been developed or made available to users. According to analyses conducted by the Fox-IT[[4](#sources)] and VulnCheck[[5](#sources)] teams, it appears that several tens of thousands of devices have already been attacked using these two vulnerabilities.
*Note: Patches for these issues were released over the weekend and are now available to customers via the Cisco software download. [[3](#sources)]*
The severity of these attacks has increased significantly in recent times as cybercriminals have improved their malware's ability to camouflage within the system. Consequently, detecting intrusions has become more challenging.
In response to this, Cisco has released a basic method for users to assess their system's integrity. This involves running a curl command with specific parameters from a Shell on which the Cisco IOS XE system is installed. If the response includes a hexadecimal string (e.g., 0123456789abcdef01), it implies that the machine may have been compromised through the mentioned vulnerabilities.
An immediate solution to the problem is to reboot the system, which would close the backdoor. However, this doesn't mitigate the vulnerabilities in the long term, as the machine remains just as susceptible after the reboot and also why the attacker's super user is not removed. This means that rebooting the system is an immediate measure to block the threat but doesn't provide a lasting mitigation of the threat.
The payload.txt file contains DuckyScript code that enables you to create a Shell script that periodically performs the Cisco-suggested verification to determine if the machine has been attacked. The script defines three variables: the script name, the superuser (sudo) password, and the file path. The only variable that must be modified is the sudo password because it varies from user to user. The other two variables can be changed but aren't strictly necessary for the payload's functionality. They represent the desired script name and the default path (the current folder).
Once the file is created, it's automatically saved at the end of the execution, and the payload proceeds to enable execution permissions using the permissions granted by the sudo+chmod command.
---
To maintain code readability, I chose to keep a less efficient but more straightforward version as follows:
```
REM Old script
REM STRINGLN sudo chmod +x #SCRIPT-NAME
REM DELAY 500
REM STRINGLN #SUDO-PSWD
REM DELAY 3000
REM STRINGLN sh #PATH-TO-SCRIPT#SCRIPT-NAME $
REM STRINGLN exit
```
This coding style is not optimized since the `DELAY 3000` can vary significantly from one machine to another, making it inherently imprecise.
In order to optimize this code, I prefer the following version, which eliminates the previous waiting and includes only a short delay before entering the sudo password:
```
REM Optimized script
STRINGLN sudo chmod +x #SCRIPT-NAME; sh #PATH-TO-SCRIPT#SCRIPT-NAME $; exit
DELAY 500
STRINGLN #SUDO-PSWD
```
This command concatenates the assignment of execution permissions to the script and proceeds to set up the script for automatic execution every 5 minutes. The Shell is then closed after this operation.
As for the payload of the `curl` command, it has been copied and pasted from the official Cisco source [1].
## Settings
This payload is designed to operate without requiring the installation of third-party software and focuses on performing operations as quickly as possible, as time is a critical factor, as described in the [Consequences](#conseguence) section. The script operates in cycles, with one iteration every 300 seconds, but it is easily adaptable: simply modify the value `sleep 300 # wait time` in the `payload.txt` file to suit your preferences. However, it's important to note that completely removing this entry could generate a high volume of cURL requests, potentially causing issues.
It's crucial to keep in mind that system reboot doesn't fully resolve the problem. Even if the malware is removed, the high-privilege account created by attackers persists even after system reboot.
### Regex
The verification through the execution of the `curl` command involves examining the response of a POST request. If a hexadecimal string is detected within this response, it suggests that the machine may have been compromised using the vulnerabilities in question.
To ensure that the response indeed contains a hexadecimal string, you can use the regular expression (regex) `^[0-9a-zA-Z]+$`. This regex checks for the following criteria:
- `^` The string must start with...
- `[0-9A-Z-a-z]` ... a character that can be a digit from 0 to 9, an uppercase letter from A to Z, or a lowercase letter from a to z;
- `+` There must be at least one of the characters specified within the square brackets...
- `$` ... and the string must end with one of these characters.
Only if the response from the "curl" command contains characters other than hexadecimal ones or no characters at all, the regex will not find any matches, indicating that the machine under scrutiny has not been attacked up to that point.
### Conseguence
When an attack is detected, various actions can be taken. However, it's crucial to keep in mind that the more complex the programmed actions are, the longer the backdoor remains open.
It's important to note that the script, by default, has an approximately 5-minute check interval (300 seconds by default) during which no checks occur. Consequently, the accumulation of time required for various operations following the detection of an attack can increase the exposure time. Therefore, it's essential to carefully consider the actions to implement because adding complexity could negatively impact overall security.
In this scenario, sending a notification at the time of attack detection is suggested. You can customize the code to send an email or create a historical log file containing relevant information. However, it's essential to understand that the only way to definitively close the backdoor is by restarting the system. It's worth noting that a forced restart can carry risks, such as data loss or, in this specific case, the interruption of active connections. The decision to terminate a connection to close the backdoor or keep it open depends on the trade-off between security and operational continuity.
In conclusion, two key factors to consider are response times and the potential risk of data loss. As in any security analysis, the optimal solution depends on what you want to protect and the risks you are willing to accept.
### Administrator Permissions
Administrator privileges are not required to execute the script itself, but they are necessary to ensure that the file containing the script has the required permissions for execution. This type of permission granting is done using the command-line tool `chmod`, which is used to assign specific permissions to the script.
In this specific case, we are using the `-x` parameter, which signifies the execution permission for the script.
## Sources
- [1] Cisco comunication: https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
- [2] Red Hot Cyber post: https://www.redhotcyber.com/post/37-000-dispositivi-cisco-contengono-backdoor-attenzione-in-quanto-il-malware-ora-risulta-piu-difficile-da-rilevare/
- [3] Patch: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
- [4] Fox-IT comunication: https://twitter.com/foxit/status/1716472673876730149
- [5] VulnCheck comunication: https://twitter.com/VulnCheckAI/status/1716541908489543725
---
## Credits
<h2 align="center"> Aleff</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://github.com/aleff-github">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
</a>
<br>Github
</td>
<td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a>
<br>Linkedin
</td>
</tr>
</table>
</div>

Binary file not shown.

After

Width:  |  Height:  |  Size: 32 KiB

View File

@ -0,0 +1,68 @@
REM #############################################################################################
REM # #
REM # Title : Auto-Check Cisco IOS XE Backdoor based on CVE-2023-20198 and CVE-2023-20273 #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : incident-response #
REM # Target : Cisco IOS XE #
REM # #
REM #############################################################################################
REM Set the script name, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME.
DEFINE #SCRIPT-NAME auto-check.sh
REM Here you must set your sudo password that permit to give the executable permissions to the file
DEFINE #SUDO-PSWD example
REM Here you chould define the script path, if you don't change it is selected the default path, so the home path. If, for istance, you have a specific path where you put some stuff like this you can edit thi DuckyScript variable with the correct path
DEFINE #PATH-TO-SCRIPT ./
DELAY 2000
CTRL-ALT t
DELAY 1000
STRINGLN_BLOCK
echo 'while true; do
response=$(curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST https://systemip/webui/logoutconfirm.html?logon_hash=1)
if [[ $response =~ ^[0-9a-zA-Z]+$ ]]; then
if [ $? -eq 0]; then
# Attack detected, here you decide what to do in this moment
# 1. Send an email to sec-team
# 2. Do some other ops
# ...
# 3. What do you want to do?
# Can you reboot the system or you need to do something else before?
# Do you want to close it?
# ...
# The only one way to close the backdoor is reboot the system, so don t change it (?)...
# |-> See the Conseguence section in README
reboot
else
# You are safe :-)
fi
fi
sleep 300 # wait time
done' > #PATH-TO-SCRIPT#SCRIPT-NAME
END_STRINGLN
REM To avoid some bad DELAY I decided to use only one command row
REM Old script
REM STRINGLN sudo chmod +x #SCRIPT-NAME
REM DELAY 500
REM STRINGLN #SUDO-PSWD
REM DELAY 3000
REM STRINGLN sh #PATH-TO-SCRIPT#SCRIPT-NAME $
REM STRINGLN exit
REM Optimized script
STRINGLN sudo chmod +x #SCRIPT-NAME; sh #PATH-TO-SCRIPT#SCRIPT-NAME $; exit
DELAY 500
STRINGLN #SUDO-PSWD

View File

@ -0,0 +1,26 @@
#!/bin/bash
while true; do
response=$(curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST https://systemip/webui/logoutconfirm.html?logon_hash=1)
if [[ $response =~ ^[0-9a-zA-Z]+$ ]]; then
if [ $? -eq 0]; then
# Attack detected, here you decide what to do in this moment
# 1. Send an email to sec-team
# TODO
# 2. Do some other ops like save some log information somewhere or save before stop the process
# ...
# 3. What do you want to do?
# Can you reboot the system or you need to do something else before?
# Do you want to close it?
# ...
# The only one way to close the backdoor is reboot the system, so don t change it (?)...
# |-> See the Conseguence section in README
reboot
else
# You are safe :-)
fi
fi
sleep 300 # wait time
done