Computer Science, 2025, Vol. 52, Issue 12: 419-427. doi: 10.11896/jsjkx.250100060

• Information Security •

Detection of Web Command Injection Vulnerabilities on IOS-XE Based on a Static Analysis-driven Approach

LU Bo, LYU Xiao   

  1. Naval University of Engineering, Wuhan 430033, China
  • Received: 2025-01-09  Revised: 2025-04-28  Online: 2025-12-15  Published: 2025-12-09
  • About author: LU Bo, born in 1985, engineer. His main research interests include computer confidentiality and network security.
    LYU Xiao, born in 1983, Ph.D, professor, is a member of CCF (No.61813M). Her main research interests include collaborative computing and computer network security.

Abstract: Vulnerability mining against the Web interfaces of network devices has become common, and exploitation of the vulnerabilities found poses a serious threat, so the security and stability of network devices has drawn attention in the security field. Fuzzing is the main method for mining vulnerabilities in the Web interfaces of network devices, but existing fuzzers have little effect on the Cisco IOS-XE system. Therefore, a static analysis-driven fuzzing framework for the IOS-XE webUI, called IOXFuzzer, is proposed to detect the underlying command injection vulnerabilities. IOXFuzzer increases the probability of discovering vulnerable code by modelling the back-end Lua scripts with abstract syntax trees, constructing a dangerous-path library and tracing dangerous paths backwards from it, constructing parameter trees to filter a high-quality seed library, and generating high-coverage test cases. Finally, IOXFuzzer is evaluated on Cisco ASR 1000 and ISR 4000 series physical devices and CSR 1000v series virtual devices across 69 firmware versions from 2019 to the present, and detects a total of eight underlying command injection vulnerabilities, one of which was previously undisclosed.
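As an added illustration, not the paper's code (the abstract does not describe IOXFuzzer's implementation), the Python script below sketches the static-analysis half of the pipeline over a constructed Lua handler: a sink list standing in for the "dangerous-path library", a backward trace from each sink through the function's assignments to the request parameters that feed it, and a parameter table that keeps only the parameters worth seeding with shell metacharacters while dropping numerically coerced and constant paths. The Lua sample, the function names and the `req.params["..."]` accessor are assumptions made for the example; real IOS-XE webUI scripts use their own request API, and a production tool would work on a real Lua AST rather than on line-oriented regular expressions.

```python
"""Backward taint tracing from dangerous Lua sinks to HTTP request parameters.

Toy model of the static-analysis stage: find sink calls, walk assignments
backwards to the request parameters that reach them, and keep only the
parameters that can still carry an arbitrary string as fuzzing seeds.
"""
import re
from dataclasses import dataclass

# Constructed sample of a back-end Lua handler.  This is NOT IOS-XE code; the
# accessor req.params["..."] is an assumed, hypothetical request API.
SAMPLE_LUA = """
local function ping_host(req)
  local host = req.params["host"]
  local count = tostring(tonumber(req.params["count"]) or 3)
  local cmd = "ping -c " .. count .. " " .. host
  local fh = io.popen(cmd)
  return fh:read("*a")
end

local function show_version(req)
  local outfile = "/tmp/version.txt"
  os.execute("show version > " .. outfile)
  return outfile
end
"""

# Dangerous-path library: standard Lua functions that hand a string to a shell.
SINKS = ("os.execute", "io.popen")
# Generic shell-metacharacter seeds; the echoed marker is harmless on purpose.
INJECTION_SEEDS = ["; echo IOXMARK", "| echo IOXMARK", "`echo IOXMARK`", "$(echo IOXMARK)"]

FUNC_RE = re.compile(r"^\s*(?:local\s+)?function\s+([\w.]+)\s*\(")
ASSIGN_RE = re.compile(r"^\s*(?:local\s+)?(\w+)\s*=\s*(.+?)\s*$")
SINK_RE = re.compile(r"\b(" + "|".join(map(re.escape, SINKS)) + r")\s*\((.*)\)")
PARAM_RE = re.compile(r'req\.params\["(\w+)"\]')                 # assumed accessor
NUMERIC_PARAM_RE = re.compile(r'tonumber\(\s*req\.params\["(\w+)"\]')  # coerced to a number
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
STRING_RE = re.compile(r'"[^"]*"')  # no escaped-quote handling; fine for the sample


@dataclass
class Finding:
    function: str
    sink: str
    params: dict   # parameter name -> "string" or "numeric"
    path: list     # (variable, right-hand side) hops, sink call first


def split_functions(src):
    """Map function name -> body lines.  A function ends at an unindented 'end'."""
    funcs, name, body = {}, None, []
    for line in src.splitlines():
        m = FUNC_RE.match(line)
        if m:
            name, body = m.group(1), []
        elif name and line.strip() == "end" and not line.startswith(" "):
            funcs[name] = body
            name = None
        elif name:
            body.append(line)
    return funcs


def trace_back(expr, assigns, seen, path, params):
    """Walk assignments backwards from expr until request parameters are reached."""
    numeric = set(NUMERIC_PARAM_RE.findall(expr))
    for pname in PARAM_RE.findall(expr):
        params[pname] = "numeric" if pname in numeric else "string"
    # Identifiers inside string literals are not variables; blank them out first.
    for ident in IDENT_RE.findall(STRING_RE.sub('""', expr)):
        if ident in assigns and ident not in seen:
            seen.add(ident)
            path.append((ident, assigns[ident]))
            trace_back(assigns[ident], assigns, seen, path, params)


def analyse(src):
    """Return one Finding per sink call, with the parameters that reach it."""
    findings = []
    for fname, body in split_functions(src).items():
        assigns = {}
        for line in body:
            m = ASSIGN_RE.match(line)
            if m and "==" not in line:          # skip comparisons
                assigns[m.group(1)] = m.group(2)
        for line in body:
            for sink, args in SINK_RE.findall(line):
                f = Finding(fname, sink, {}, [(sink, args)])
                trace_back(args, assigns, set(), f.path, f.params)
                findings.append(f)
    return findings


def seed_library(findings):
    """Parameter table: only string-typed parameters that reach a sink get seeds."""
    seeds = {}
    for f in findings:
        for pname, kind in f.params.items():
            if kind == "string":
                seeds.setdefault((f.function, pname), list(INJECTION_SEEDS))
    return seeds


if __name__ == "__main__":
    fs = analyse(SAMPLE_LUA)
    for f in fs:
        print(f"{f.function}: {f.sink} <- {f.params or 'constant / untainted'}")
        for var, rhs in f.path:
            print(f"    {var} = {rhs}")
    print("seeds:", seed_library(fs))
```

On the constructed sample the trace reports `ping_host` as reachable from `host` (string, seeded) and `count` (numeric after `tonumber`, filtered out), while `show_version` only concatenates a constant and receives no seeds; this is the same pruning the abstract describes, where only parameters on a dangerous path and still able to carry arbitrary input enter the seed library.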

Key words: Cisco, IOS-XE, Static analysis, Fuzzing, Command injection

CLC Number: TP393