Computer Science, 2025, Vol. 52, Issue 12: 419-427. doi: 10.11896/jsjkx.250100060

Section: Information Security

A Static-Analysis-Driven Method for Detecting Web Command Injection Vulnerabilities in IOS-XE

LU Bo, LYU Xiao

  1. Naval University of Engineering, Wuhan 430033
  • Received: 2025-01-09  Revised: 2025-04-28  Published: 2025-12-15  Online: 2025-12-09
  • Corresponding author: LYU Xiao (0909072004@nue.edu.cn)
  • About author: (280856780@qq.com)

Detection of Web Command Injection Vulnerabilities on IOS-XE Based on a Static Analysis-driven Approach

LU Bo, LYU Xiao   

  1. Naval University of Engineering, Wuhan 430033, China
  • Received: 2025-01-09  Revised: 2025-04-28  Published: 2025-12-15  Online: 2025-12-09
  • About author: LU Bo, born in 1985, engineer. His main research interests include computer confidentiality and network security.
    LYU Xiao, born in 1983, Ph.D, professor, is a member of CCF (No. 61813M). Her main research interests include collaborative computing and computer network security.


Abstract: Vulnerability mining against the Web interfaces of network devices has become very common, and the abuse of such vulnerabilities poses a serious threat, so the security and stability of network devices has become a focus of the security field. Fuzzing is the main method for mining Web interface vulnerabilities in network devices, but existing fuzzers are not effective on the Cisco IOS-XE system. Therefore, a static analysis-driven fuzzing framework for the IOS-XE webUI, called IOXFuzzer, is proposed to detect underlying command injection vulnerabilities. IOXFuzzer models the back-end Lua scripts as abstract syntax trees, builds a dangerous-path library and traces dangerous paths backwards from it, builds parameter trees to filter a high-quality seed library, and generates high-coverage test cases, which increases the probability of discovering vulnerable code. Finally, IOXFuzzer is evaluated on Cisco ASR 1000 and ISR 4000 series physical devices and CSR 1000v series virtual devices with 69 different firmware versions released from 2019 to the present; it detects a total of eight underlying command injection vulnerabilities, one of which is undisclosed.

Key words: Cisco, IOS-XE, Static analysis, Fuzzing, Command injection
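The static-analysis stage the abstract describes (model the back-end Lua, trace backwards from a dangerous sink to the request parameters that reach it, then keep only those parameters as seed fields), shown as an added illustration: this is example code written here, not IOXFuzzer's implementation, and it uses a constructed Lua fragment with a flat assignment map in place of a real abstract syntax tree.

```python
import re
# Constructed Lua fragment standing in for a webUI handler (written for this example, not from the paper)
LUA_SAMPLE = """
local iface = args.interface
local count = tonumber(args.count)
local cmd = "show interfaces " .. iface
local out = io.popen(cmd)
local banner = "show version"
os.execute(banner)
"""
SINK_CALL = re.compile(r"(os\.execute|io\.popen)\s*\(\s*(.+?)\s*\)")  # dangerous-path library
PARAM_SRC = re.compile(r"\bargs\.(\w+)")                                # request parameter reads
ASSIGN = re.compile(r"^\s*(?:local\s+)?(\w+)\s*=\s*(.+)$")
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")

def build_defs(lua):
    """Flat stand-in for the AST: variable name -> expression last assigned to it."""
    defs = {}
    for m in filter(None, map(ASSIGN.match, lua.splitlines())):
        defs[m.group(1)] = m.group(2)
    return defs

def trace_back(expr, defs, seen=None):
    """Walk backwards from an expression to the request parameters that flow into it."""
    seen = set() if seen is None else seen
    params = set(PARAM_SRC.findall(expr))
    code = re.sub(r'"[^"]*"', '""', expr)  # ignore identifiers inside string literals
    for var in IDENT.findall(code):
        if var in defs and var not in seen:
            seen.add(var)
            params |= trace_back(defs[var], defs, seen)
    return params

def find_dangerous_paths(lua):
    """Sink call -> sorted parameters reaching it; sinks fed only by constants are dropped."""
    defs, paths = build_defs(lua), {}
    for line in lua.splitlines():
        for sink, arg in SINK_CALL.findall(line):
            params = trace_back(arg, defs)
            if params:
                paths[f"{sink}({arg})"] = sorted(params)
    return paths

def parameter_tree(lua):
    """Invert the paths: parameter -> sinks it reaches, i.e. the fields worth seeding."""
    tree = {}
    for sink, params in find_dangerous_paths(lua).items():
        for p in params:
            tree.setdefault(p, []).append(sink)
    return tree
```

On the sample, only `interface` reaches a shell sink (`io.popen(cmd)`), so it is the one field the parameter tree would keep for seeding; `count` and the constant-fed `os.execute` call are filtered out.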

CLC number: TP393