Re: PIX Privilege Escalation Vulnerability

[Eloy Paris <elparis () cisco com>]

Hi Terry,

On Thu, Jan 24, 2008 at 03:42:53AM -0000, tbbunn () ctc net wrote:

> Back in May of last year I started doing research on any possible
> security flaws that exist in the Pix/ASA Finesse operating System,
> versions 7.1 and 7.2. I discovered that a design flaw that was
> previously unknown in Finesse will allow a level 0 user to escalate
> their privilege to level 15. I believe the vulnerability may originate
> in the local authentication service, thus not being possible to
> exploit when Radius and TACACS is implemented. Implementing AAA in any
> other way that keeps the passwords locally defined seems to have no
> affect on the vulnerability. I have been able to repeatedly bypass the
> privilege-exec login both locally, through the console and remotely,
> through a telnet connection. After many attempts I have found that the
> SSH service does not seem to suffer from the vulnerability.
>
> I am now going to go over the simplicity of the exploit and I will be
> releasing a white paper hopefully sooner than later on the specifics
> of the underlying cause. Once a user has logged on to the user-exec
> (level0) of the device they will then be able to proceed with the
> <enable> command which should give you a login prompt. At this prompt
> if you move your cursor forward with a space or character(it doesn't
> matter if there are more then one), and then proceed to delete any
> spaces or characters, by holding down the backspace a second after
> deleting the last character it should immediately drop you into level
> 15 privilege-exec mode. This attack was originally performed on a PIX
> 515E running version 7.2 of Finesse. I will be posting all updates
> regarding this exploit as they come, and I apologize for it taking so
> long to release this information.

Dumb question: can you reproduce this issue when you have a non-blank
enable password? I can see this behavior when a blank enable password is
set, but if I have a non-blank enable password I don't see the behavior
- I get dropped back into unprivilege EXEC after using the backspace
key.

When the enable password is blank you still get prompted for a password
when you want to go into privileged EXEC mode via the "enable" command.
However, hitting just <Enter> will grant you access. There is no
password set after all.

Could you make sure that you have an non-blank enable password set by
using the command "enable password <some password>" and try again?

Note: even if "show running-config enable" shows an "enable password"
command in the configuration that doesn't mean that the enable password
is non-blank; the output just displays a hash of a blank password.

Cheers,

-- 

Eloy Paris.-
CCIE #19207
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.