Computer Science, 2023, Vol. 50, Issue (4): 343-350. doi: 10.11896/jsjkx.220100113

• Information Security •

Detection of Web Command Injection Vulnerability for Cisco IOS-XE

HE Jie, CAI Ruijie, YIN Xiaokang, LU Xuanting, LIU Shengli

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
  • Received: 2022-01-12  Revised: 2022-07-07  Online: 2023-04-15  Published: 2023-04-06
  • Corresponding author: LIU Shengli (dr_liushengli@163.com)
  • Author profile: (polaris201909@qq.com)
  • About the authors: HE Jie, born in 1996, master. His main research interests include cyber security and embedded network devices.
    LIU Shengli, born in 1973, Ph.D, professor. His main research interests include network device security and network attack detection.
  • Supported by:
    Foundation Strengthening Key Project of the Science & Technology Commission (2019-JCJQ-ZD-113).

Abstract: Cisco's newer operating system, Cisco IOS-XE, is widely deployed on platforms such as Cisco routers and switches. Its Web management service, however, contains vulnerabilities that allow privilege escalation through command injection, which poses a serious threat to network security. In recent years fuzzing has frequently been used to detect security vulnerabilities in embedded devices, but no fuzzing framework exists for the Web management service of Cisco IOS-XE, and because of the system architecture and command model specific to IOS-XE, existing IoT fuzzing methods perform poorly on it. This paper therefore proposes CRFuzzer, a fuzzing framework for the Web management service of Cisco IOS-XE that targets command injection vulnerabilities. CRFuzzer combines analysis of Web front-end requests with analysis of the back-end programs to optimize seed generation, and uses the characteristic features of command injection vulnerabilities to locate vulnerable code and narrow the scope of testing. To evaluate CRFuzzer's detection capability, 124 firmware images of 31 different versions were tested on physical ISR 4000 series routers and on the CSR 1000v cloud router; 11 command injection vulnerabilities were detected, 2 of which were previously undisclosed.

Key words: Cisco IOS-XE, Web service, Command injection, Vulnerability detection, Fuzzing
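The two mechanisms the abstract describes, seed generation from a captured front-end request and narrowing the test scope by locating back-end code that has the characteristics of a command injection sink, as an added illustration. This is example code written for this page, not CRFuzzer and not any IOS-XE code: the Lua snippet, the captured request, the `/webui/ping` path, the parameter names and the toy shell that stands in for the device are all constructed assumptions. It also assumes the back end is an OpenResty/Lua handler in which `os.execute` and `io.popen` are the shell sinks.

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed back-end snippet in the style of an OpenResty/Lua handler (assumption:
# the Web UI back end is Lua; this is NOT IOS-XE code). Lines 5 and 7 are the bugs.
LUA_SAMPLE = """\
local args = ngx.req.get_uri_args()
local host = args["host"]
local count = tonumber(args["count"]) or 3
local cmd = "ping -c " .. count .. " " .. host
local f = io.popen(cmd)
ngx.say(f:read("*a"))
os.execute("logger " .. args["name"])
"""

# Request parameters are the taint sources; shell sinks are where injection happens.
SOURCE_RE = re.compile(r'args\["(\w+)"\]|ngx\.var\.arg_(\w+)')
SINK_RE = re.compile(r'\b(os\.execute|io\.popen)\s*\((.*)\)')
ASSIGN_RE = re.compile(r'^\s*(?:local\s+)?(\w+)\s*=\s*(.+)$')
SANITIZERS = ("tonumber(",)   # numeric coercion cannot carry shell metacharacters

def _params_in(expr, tainted):
    """Request parameters that flow into `expr`, directly or via tainted variables."""
    params = {p for groups in SOURCE_RE.findall(expr) for p in groups if p}
    for var, origins in tainted.items():
        if re.search(r"\b%s\b" % re.escape(var), expr):
            params |= origins
    return params

def find_injection_sinks(lua_src):
    """Line-by-line taint tracking: returns [(line_no, sink, [param, ...])] for every
    shell sink whose argument is built from an HTTP parameter. Deliberately simple:
    no control flow and no pattern-based validation, only assignment and concatenation."""
    tainted, findings = {}, []
    for n, line in enumerate(lua_src.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.groups()
            params = _params_in(rhs, tainted)
            if params and not rhs.lstrip().startswith(SANITIZERS):
                tainted[var] = params
            else:
                tainted.pop(var, None)
        for sink, arg in SINK_RE.findall(line):
            params = _params_in(arg, tainted)
            if params:
                findings.append((n, sink, sorted(params)))
    return findings

# Constructed capture of a front-end request (hypothetical path and parameters).
CAPTURED_REQUEST = (
    "POST /webui/ping HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "host=192.0.2.2&count=3&name=probe"
)
SEPARATORS = [";", "|", "&&", "||", "\n", "`", "$("]
CLOSERS = {"`": "`", "$(": ")"}
MARKER = "crfz"
PROBE = "echo cr''fz"  # a shell prints crfz, but the literal marker never appears in the request

def seed_params(captured):
    """Seed = the parameter set the front end actually sends."""
    body = captured.split("\r\n\r\n", 1)[1]
    return {k: v[0] for k, v in parse_qs(body).items()}

def generate_testcases(params, targets):
    """Mutate only the parameters that the static pass showed reach a shell sink."""
    cases = []
    for name in (t for t in targets if t in params):
        for sep in SEPARATORS:
            injected = params[name] + sep + PROBE + CLOSERS.get(sep, "")
            cases.append((name, sep, urlencode(dict(params, **{name: injected}))))
    return cases

def is_injected(response, request_body):
    """Oracle: the marker shows up in the response although we never sent it verbatim."""
    return MARKER in response and MARKER not in request_body

def simulated_target(request_body):
    """Stand-in for the device: builds the ping command the way the Lua handler above does
    and 'executes' it with a toy shell that only understands separators and echo."""
    p = {k: v[0] for k, v in parse_qs(request_body).items()}
    cmd = "ping -c %s %s" % (p.get("count", "3"), p.get("host", ""))
    out = []
    for piece in re.split(r"[;|&\n]+|\$\(|`", cmd):
        piece = piece.strip().rstrip(")`")
        if piece.startswith("echo "):
            out.append(piece[5:].replace("'", ""))
    return "\n".join(out)

def fuzz(captured, lua_src, target=simulated_target):
    """Static pass -> targeted seeds -> send -> oracle. Returns (sinks, targets, hits)."""
    sinks = find_injection_sinks(lua_src)
    targets = sorted({p for _, _, ps in sinks for p in ps})
    hits = [(name, sep) for name, sep, body in generate_testcases(seed_params(captured), targets)
            if is_injected(target(body), body)]
    return sinks, targets, hits

if __name__ == "__main__":
    sinks, targets, hits = fuzz(CAPTURED_REQUEST, LUA_SAMPLE)
    print("sinks:", sinks)   # [(5, 'io.popen', ['host']), (7, 'os.execute', ['name'])]
    print("fuzzed parameters:", targets)
    for name, sep in hits:
        print("command injection via %r using separator %r" % (name, sep))
```

The static pass cuts the mutation space from every parameter in the capture to the two that reach a shell sink, which is the "narrow the scope of testing" step; the `cr''fz` probe is the usual trick for an output-reflecting oracle, since the marker can only appear in the response if a shell actually evaluated the quotes. The `name` parameter reaches `os.execute` but its output is never reflected, so this toy oracle misses it: a blind sink needs a time-based or out-of-band oracle instead.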

CLC number: TP393