Pwning Cisco Devices Using Smart Install Exploitation Tool (siet.py)
I was on a recent internal assessment engagement and boy oh boy, this client's environment looked pretty solid. Until I came across some of their Cisco switches running a vulnerable version of Smart Install, as reported by Nessus at https://www.tenable.com/plugins/nessus/108723
Verified the existence of this vulnerability with NMAP and Metasploit:
nmap -p 4786 -v <IP Address(s)>
use auxiliary/scanner/misc/cisco_smart_install
Looked around for a way to exploit this and stumbled upon the Smart Install Exploitation Tool (SIET) at https://github.com/Sab0tag3d/SIET. With this tool, I was able to download the config files of their core switch, which showed passwords in clear text for some of the user accounts configured. Other accounts used the weak Cisco type 7 encoding, a reversible obfuscation rather than real encryption, which can be decoded within seconds using online tools like: http://ibeast.com/tools/CiscoPassword/index.asp
This eventually gave me access to the core routers and other Cisco network infrastructure devices, since the same user account credentials were reused across the devices.
The tool has other capabilities, such as installing a new configuration file on a remote device (or on many remote devices at once), updating the Cisco IOS image running on the remote device, and executing code on the remote device.
A simple Shodan search for port 4786 shows over 70K devices with the Smart Install service exposed to the internet.
And guess what it takes to close this critical vulnerability? Just running the no vstack command on your Cisco switch will do wonders.
This was reported to Cisco in 2018 (CVE-2018-0171) with a CVSS 3.0 base score of 9.8, and Cisco has since released several advisories on fixing it.
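A defender-side check for the two problems described above, the cleartext/type 7 credentials found in the downloaded config and the Smart Install client left enabled. This is an added Python example, not part of the original post or of SIET; the config excerpt is constructed with placeholder values, and the patterns cover only the common username/enable/line password forms.

```python
import re

# Constructed sample running-config excerpt (placeholder values, not from any real device).
SAMPLE_CONFIG = """\
hostname CORE-SW1
username admin privilege 15 password 0 Summer2018
username netops privilege 15 password 7 0822455D0A16
username backup secret 9 $9$PLACEHOLDERSALT$PLACEHOLDERHASH
enable password cisco123
line vty 0 4
 password 7 094F471A1A0A
 login
"""

# Credential lines that store the password reversibly: type 0 (plaintext) or type 7
# (XOR obfuscation). Hashed 'secret 5/8/9' lines are deliberately not flagged.
WEAK_PATTERNS = [
    ("username", re.compile(r"^username\s+\S+\s.*\bpassword\s+(?:(?P<type>[07])\s+)?\S+$")),
    ("enable", re.compile(r"^enable\s+password\s+(?:(?P<type>[07])\s+)?\S+$")),
    ("line", re.compile(r"^\s+password\s+(?:(?P<type>[07])\s+)?\S+$")),
]


def audit_config(config: str) -> list[tuple[str, str, str]]:
    """Return (severity, offending line, explanation) findings for one IOS config."""
    findings = []
    for raw in config.splitlines():
        line = raw.rstrip()
        for kind, pattern in WEAK_PATTERNS:
            match = pattern.match(line)
            if not match:
                continue
            # A missing type digit means the password was entered in plaintext (type 0).
            ptype = match.group("type") or "0"
            how = "plaintext (type 0)" if ptype == "0" else "reversible type 7 obfuscation"
            findings.append(("HIGH", line.strip(),
                             f"{kind} password stored as {how}; use hashed type 8/9 secrets instead"))
    # The Smart Install client is enabled by default on many IOS releases, so a config
    # without an explicit 'no vstack' line may still answer on TCP/4786.
    if not re.search(r"^no vstack\s*$", config, re.MULTILINE):
        findings.append(("CRITICAL", "(no 'no vstack' line)",
                         "Smart Install client not explicitly disabled; add 'no vstack'"))
    return findings


if __name__ == "__main__":
    for severity, line, why in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {line}: {why}")
```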
There is also a detailed presentation on this vulnerability available at https://2016.zeronights.ru/wp-content/uploads/2016/12/CiscoSmartInstall.v3.pdf