SlideShare a Scribd company logo

Owning nx os-sec-t_2010

Download as PPTX, PDF
B
blh42

Slides presented at SEC-T September 10th, 2010.

Education
1 of 17
Owning the data centre, Cisco NX-OS George Hedfors Working for Cybercom Sweden East AB(http://www.cybercomgroup.com) 12 years as IT- and information security consultant Previously worked for iX Security, Defcom, NetSec, n.runs and Pinion Contact george.hedfors@cybercomgroup.com Web page http://george.hedfors.com 2010-08-10 SEC-T 2010 1
Short intro to Cisco NX-OS History of research Overview of underlying Linux Disclosure of vulnerabilities Undocumented CLi commands Command line interface escape Layer 2 attack Undocumented user account 2ndCLi escape (delayed) FAQ Topics 2010-08-10 SEC-T 2
Based on MontaVista (http://www.mvista.com)embedded Linux with kernel 2.6.10 VDC Virtualization, Virtual Device Context What is NX-OS? 2010-08-10 SEC-T 2010 3 Nexus 4000 (for IBM BladeCenter) Nexus 5000 Nexus 7000 MDS 9500 FC Directors MDS 9222i FC Switch MDS 9100 FC Switches
Accidentally made a Cisco-7020 fall over due to an 9 years old denial of service attack Was able to recover CORE dumps from the attack Able to extract all files from the Cisco .bin installation package Found a number of exploitable vulnerabilities To do Dig deeper into Cisco VDC/VRF security What has been done 2010-08-10 SEC-T 4
Typical environment Banking/finance Other large data centers Impact Full exposure of interconnected networks and VLAN’s Possibility to eavesdrop and trafficmodification Switch based rootkit installation? Cisco 7000-series 2010-08-10 SEC-T 5
Overview 2010-08-10 SEC-T 6 Linux
Teh Linux 2010-08-10 SEC-T 7 root?!?
DC3 Shell ‘the regular Cisco cli’ Configurations contain ‘hidden’ commands Hidden commands 2010-08-10 SEC-T 8
Escaping CLi 2010-08-10 SEC-T 9
How could that happened?! 2010-08-10 SEC-T 10 What could possibly go wrong here? /usr/bin/gdbserver
Cisco Discovery Protocol (CDP) 2001, FX crafted the first CDP DoS attack 2010, the CDP attack was rediscovered in NX-OS What about layer 2? 2010-08-10 SEC-T 11 ,[object Object],[object Object]
So, where ‘ftpuser’ come from? Default user? Backdoor? Easter egg? Recovered password ‘nbv123’ Undocumented user account 2010-08-10 SEC-T 13
Searching for ‘nbv123’ 2010-08-10 SEC-T 14
CSCti03724 – CLI escape in NX-OS using GDB Workaround: None Fixed in NX-OS 4.1(4) CSCti04026 – Undocumented user available with default password on NX-OS system Workaround: None CSCtf08873 – CDP with long hostname crashes CDPD on N7k Workaround: Disable CDP CSCti85295 – NX-OS: SUDO privilege escalation Workaround: None Bug tracking 2010-08-10 SEC-T 15
Special thanks to Juan-Manuel Gonzales, PSIRT Incident Manager <juagonza@cisco.com> Thanks 2010-08-10 SEC-T 16
Questions? Contact george.hedfors@cybercomgroup.com FAQ 2010-08-10 SEC-T 17
Owning nx os-sec-t_2010

Recommended

Owning NX-OS - t2 2010
Owning NX-OS - t2 2010Owning NX-OS - t2 2010
Owning NX-OS - t2 2010blh42
 
HWallet: The simplest Bitcoin hardware wallet
HWallet: The simplest Bitcoin hardware walletHWallet: The simplest Bitcoin hardware wallet
HWallet: The simplest Bitcoin hardware walletNemanja Nikodijević
 
Full disclosure-vulnerabilities
Full disclosure-vulnerabilitiesFull disclosure-vulnerabilities
Full disclosure-vulnerabilitiesslideseces
 
1142996034 597183
1142996034 5971831142996034 597183
1142996034 597183smumbahelp
 
Low-cost Protection against Cold Boot Attacks for an Authentication Token
Low-cost Protection against Cold Boot Attacks for an Authentication TokenLow-cost Protection against Cold Boot Attacks for an Authentication Token
Low-cost Protection against Cold Boot Attacks for an Authentication TokenGraeme Jenkinson
 
Security Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesSecurity Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesbsidesaugusta
 
データーベース - SELECT文入門
データーベース - SELECT文入門 データーベース - SELECT文入門
データーベース - SELECT文入門金沢工業高等専門学校
 
Workplace gardening philosophy for frontline leaders
Workplace gardening philosophy for frontline leadersWorkplace gardening philosophy for frontline leaders
Workplace gardening philosophy for frontline leadersletsgrow
 

Recommended

Owning NX-OS - t2 2010
Owning NX-OS - t2 2010Owning NX-OS - t2 2010
Owning NX-OS - t2 2010blh42
 
HWallet: The simplest Bitcoin hardware wallet
HWallet: The simplest Bitcoin hardware walletHWallet: The simplest Bitcoin hardware wallet
HWallet: The simplest Bitcoin hardware walletNemanja Nikodijević
 
Full disclosure-vulnerabilities
Full disclosure-vulnerabilitiesFull disclosure-vulnerabilities
Full disclosure-vulnerabilitiesslideseces
 
1142996034 597183
1142996034 5971831142996034 597183
1142996034 597183smumbahelp
 
Low-cost Protection against Cold Boot Attacks for an Authentication Token
Low-cost Protection against Cold Boot Attacks for an Authentication TokenLow-cost Protection against Cold Boot Attacks for an Authentication Token
Low-cost Protection against Cold Boot Attacks for an Authentication TokenGraeme Jenkinson
 
Security Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesSecurity Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesbsidesaugusta
 
データーベース - SELECT文入門
データーベース - SELECT文入門 データーベース - SELECT文入門
データーベース - SELECT文入門金沢工業高等専門学校
 
Workplace gardening philosophy for frontline leaders
Workplace gardening philosophy for frontline leadersWorkplace gardening philosophy for frontline leaders
Workplace gardening philosophy for frontline leadersletsgrow
 
A Practical Look At Symfony2
A Practical Look At Symfony2A Practical Look At Symfony2
A Practical Look At Symfony2Stefan Koopmanschap
 
以實用寫作培訓通用技能
以實用寫作培訓通用技能以實用寫作培訓通用技能
以實用寫作培訓通用技能kaikwong
 
대신리포트_모닝미팅_141015
대신리포트_모닝미팅_141015대신리포트_모닝미팅_141015
대신리포트_모닝미팅_141015DaishinSecurities
 
Толока добрих ідей. інформація для партнерів і благодійників
Толока добрих ідей. інформація для партнерів і благодійниківТолока добрих ідей. інформація для партнерів і благодійників
Толока добрих ідей. інформація для партнерів і благодійниківMedvedska
 
The State of Content: Expectations on the Rise
The State of Content: Expectations on the RiseThe State of Content: Expectations on the Rise
The State of Content: Expectations on the RiseAdobe
 
บทนำ1
บทนำ1บทนำ1
บทนำ1Pipat Chooto
 
Seminar: Cost-effective Solutions for Complying with the CARE Act
Seminar: Cost-effective Solutions for Complying with the CARE ActSeminar: Cost-effective Solutions for Complying with the CARE Act
Seminar: Cost-effective Solutions for Complying with the CARE ActGold Group Enterprises
 
Nutritionlabels
NutritionlabelsNutritionlabels
Nutritionlabelsnaziasadat
 
Household items
Household itemsHousehold items
Household itemscmasdeva
 
Ificpptspanish2013 131203092059-phpapp01
Ificpptspanish2013 131203092059-phpapp01Ificpptspanish2013 131203092059-phpapp01
Ificpptspanish2013 131203092059-phpapp01Food Insight
 
Informes de practica neuro
Informes de practica neuroInformes de practica neuro
Informes de practica neuroJohn Molina
 
una visión crítica del manejo del riesgo cardiovascular
una visión crítica del manejo del riesgo cardiovascularuna visión crítica del manejo del riesgo cardiovascular
una visión crítica del manejo del riesgo cardiovascularfguiraos
 
预言启示全家族修炼李洪志大师的法轮功
预言启示全家族修炼李洪志大师的法轮功预言启示全家族修炼李洪志大师的法轮功
预言启示全家族修炼李洪志大师的法轮功bialontu97497
 
Alma de ciudad
Alma de ciudadAlma de ciudad
Alma de ciudadFermin Chavez Mego
 
2015 RJI Mobile Media Research Report 2
2015 RJI Mobile Media Research Report 22015 RJI Mobile Media Research Report 2
2015 RJI Mobile Media Research Report 2Reynolds Journalism Institute (RJI)
 
Warsztaty - Projektowanie aplikacji mobilnych - GeekGirls Carrots Poznań 2013
Warsztaty - Projektowanie aplikacji mobilnych - GeekGirls Carrots Poznań 2013Warsztaty - Projektowanie aplikacji mobilnych - GeekGirls Carrots Poznań 2013
Warsztaty - Projektowanie aplikacji mobilnych - GeekGirls Carrots Poznań 2013Piotr Biegun
 
Webinar: Motivate Action with iBeacons
Webinar: Motivate Action with iBeaconsWebinar: Motivate Action with iBeacons
Webinar: Motivate Action with iBeaconsGold Group Enterprises
 
L i n g k a r a n
L i n g k a r a nL i n g k a r a n
L i n g k a r a nFina Nurmita
 
Presentation data center partner technical
Presentation data center partner technicalPresentation data center partner technical
Presentation data center partner technicalxKinAnx
 
Illustrated Accomplishments 1999 - present 080814
Illustrated Accomplishments 1999 - present 080814Illustrated Accomplishments 1999 - present 080814
Illustrated Accomplishments 1999 - present 080814Timothy R. (Tim) Loftus
 
2011 cisco icons 6_8_11
2011 cisco icons 6_8_112011 cisco icons 6_8_11
2011 cisco icons 6_8_11Quoc Khanh Pham
 
End-to-End Data Center Virtualization
End-to-End Data Center VirtualizationEnd-to-End Data Center Virtualization
End-to-End Data Center VirtualizationCisco Canada
 

More Related Content

Viewers also liked

以實用寫作培訓通用技能
以實用寫作培訓通用技能以實用寫作培訓通用技能
以實用寫作培訓通用技能kaikwong
 
대신리포트_모닝미팅_141015
대신리포트_모닝미팅_141015대신리포트_모닝미팅_141015
대신리포트_모닝미팅_141015DaishinSecurities
 
Толока добрих ідей. інформація для партнерів і благодійників
Толока добрих ідей. інформація для партнерів і благодійниківТолока добрих ідей. інформація для партнерів і благодійників
Толока добрих ідей. інформація для партнерів і благодійниківMedvedska
 
The State of Content: Expectations on the Rise
The State of Content: Expectations on the RiseThe State of Content: Expectations on the Rise
The State of Content: Expectations on the RiseAdobe
 
Seminar: Cost-effective Solutions for Complying with the CARE Act
Seminar: Cost-effective Solutions for Complying with the CARE ActSeminar: Cost-effective Solutions for Complying with the CARE Act
Seminar: Cost-effective Solutions for Complying with the CARE ActGold Group Enterprises
 
Nutritionlabels
NutritionlabelsNutritionlabels
Nutritionlabelsnaziasadat
 
Household items
Household itemsHousehold items
Household itemscmasdeva
 
Ificpptspanish2013 131203092059-phpapp01
Ificpptspanish2013 131203092059-phpapp01Ificpptspanish2013 131203092059-phpapp01
Ificpptspanish2013 131203092059-phpapp01Food Insight
 
Informes de practica neuro
Informes de practica neuroInformes de practica neuro
Informes de practica neuroJohn Molina
 
una visión crítica del manejo del riesgo cardiovascular
una visión crítica del manejo del riesgo cardiovascularuna visión crítica del manejo del riesgo cardiovascular
una visión crítica del manejo del riesgo cardiovascularfguiraos
 
预言启示全家族修炼李洪志大师的法轮功
预言启示全家族修炼李洪志大师的法轮功预言启示全家族修炼李洪志大师的法轮功
预言启示全家族修炼李洪志大师的法轮功bialontu97497
 
Warsztaty - Projektowanie aplikacji mobilnych - GeekGirls Carrots Poznań 2013
Warsztaty - Projektowanie aplikacji mobilnych - GeekGirls Carrots Poznań 2013Warsztaty - Projektowanie aplikacji mobilnych - GeekGirls Carrots Poznań 2013
Warsztaty - Projektowanie aplikacji mobilnych - GeekGirls Carrots Poznań 2013Piotr Biegun
 
Webinar: Motivate Action with iBeacons
Webinar: Motivate Action with iBeaconsWebinar: Motivate Action with iBeacons
Webinar: Motivate Action with iBeaconsGold Group Enterprises
 

Viewers also liked (18)

A Practical Look At Symfony2
A Practical Look At Symfony2A Practical Look At Symfony2
A Practical Look At Symfony2
 
以實用寫作培訓通用技能
以實用寫作培訓通用技能以實用寫作培訓通用技能
以實用寫作培訓通用技能
 
대신리포트_모닝미팅_141015
대신리포트_모닝미팅_141015대신리포트_모닝미팅_141015
대신리포트_모닝미팅_141015
 
Толока добрих ідей. інформація для партнерів і благодійників
Толока добрих ідей. інформація для партнерів і благодійниківТолока добрих ідей. інформація для партнерів і благодійників
Толока добрих ідей. інформація для партнерів і благодійників
 
The State of Content: Expectations on the Rise
The State of Content: Expectations on the RiseThe State of Content: Expectations on the Rise
The State of Content: Expectations on the Rise
 
บทนำ1
บทนำ1บทนำ1
บทนำ1
 
Seminar: Cost-effective Solutions for Complying with the CARE Act
Seminar: Cost-effective Solutions for Complying with the CARE ActSeminar: Cost-effective Solutions for Complying with the CARE Act
Seminar: Cost-effective Solutions for Complying with the CARE Act
 
Nutritionlabels
NutritionlabelsNutritionlabels
Nutritionlabels
 
Household items
Household itemsHousehold items
Household items
 
Ificpptspanish2013 131203092059-phpapp01
Ificpptspanish2013 131203092059-phpapp01Ificpptspanish2013 131203092059-phpapp01
Ificpptspanish2013 131203092059-phpapp01
 
Informes de practica neuro
Informes de practica neuroInformes de practica neuro
Informes de practica neuro
 
una visión crítica del manejo del riesgo cardiovascular
una visión crítica del manejo del riesgo cardiovascularuna visión crítica del manejo del riesgo cardiovascular
una visión crítica del manejo del riesgo cardiovascular
 
预言启示全家族修炼李洪志大师的法轮功
预言启示全家族修炼李洪志大师的法轮功预言启示全家族修炼李洪志大师的法轮功
预言启示全家族修炼李洪志大师的法轮功
 
Alma de ciudad
Alma de ciudadAlma de ciudad
Alma de ciudad
 
2015 RJI Mobile Media Research Report 2
2015 RJI Mobile Media Research Report 22015 RJI Mobile Media Research Report 2
2015 RJI Mobile Media Research Report 2
 
Warsztaty - Projektowanie aplikacji mobilnych - GeekGirls Carrots Poznań 2013
Warsztaty - Projektowanie aplikacji mobilnych - GeekGirls Carrots Poznań 2013Warsztaty - Projektowanie aplikacji mobilnych - GeekGirls Carrots Poznań 2013
Warsztaty - Projektowanie aplikacji mobilnych - GeekGirls Carrots Poznań 2013
 
Webinar: Motivate Action with iBeacons
Webinar: Motivate Action with iBeaconsWebinar: Motivate Action with iBeacons
Webinar: Motivate Action with iBeacons
 
L i n g k a r a n
L i n g k a r a nL i n g k a r a n
L i n g k a r a n
 

Similar to Owning nx os-sec-t_2010

Presentation data center partner technical
Presentation data center partner technicalPresentation data center partner technical
Presentation data center partner technicalxKinAnx
 
Illustrated Accomplishments 1999 - present 080814
Illustrated Accomplishments 1999 - present 080814Illustrated Accomplishments 1999 - present 080814
Illustrated Accomplishments 1999 - present 080814Timothy R. (Tim) Loftus
 
End-to-End Data Center Virtualization
End-to-End Data Center VirtualizationEnd-to-End Data Center Virtualization
End-to-End Data Center VirtualizationCisco Canada
 
Presentation deploying cloud based services
Presentation deploying cloud based servicesPresentation deploying cloud based services
Presentation deploying cloud based servicesxKinAnx
 
Signal Planning Considerations and Network Designs
Signal Planning Considerations and Network DesignsSignal Planning Considerations and Network Designs
Signal Planning Considerations and Network DesignsScott Wagner
 
Presentation cloud computing and the internet
Presentation cloud computing and the internetPresentation cloud computing and the internet
Presentation cloud computing and the internetxKinAnx
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATCisco Russia
 
IoT関連技術の動向@IETF87
IoT関連技術の動向@IETF87IoT関連技術の動向@IETF87
IoT関連技術の動向@IETF87Shoichi Sakane
 
Presentation cisco plus tech datacenter virtualisering
Presentation cisco plus tech datacenter virtualiseringPresentation cisco plus tech datacenter virtualisering
Presentation cisco plus tech datacenter virtualiseringxKinAnx
 
Full disclosure-vulnerabilities
Full disclosure-vulnerabilitiesFull disclosure-vulnerabilities
Full disclosure-vulnerabilitiesslideseces
 
Presentation capturing the cloud opportunity
Presentation capturing the cloud opportunityPresentation capturing the cloud opportunity
Presentation capturing the cloud opportunityxKinAnx
 
Presentation cisco prime for ip ngn technical education series introduction...
Presentation cisco prime for ip ngn technical education series introduction...Presentation cisco prime for ip ngn technical education series introduction...
Presentation cisco prime for ip ngn technical education series introduction...xKinAnx
 
CCNA 2 Routing and Switching v5.0 Chapter 1
CCNA 2 Routing and Switching v5.0 Chapter 1CCNA 2 Routing and Switching v5.0 Chapter 1
CCNA 2 Routing and Switching v5.0 Chapter 1Nil Menon
 
Deploying Applications in Today’s Network Infrastructure
Deploying Applications in Today’s Network InfrastructureDeploying Applications in Today’s Network Infrastructure
Deploying Applications in Today’s Network InfrastructureCisco Canada
 
Hack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to usHack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to usThierry Zoller
 

Similar to Owning nx os-sec-t_2010 (20)

Presentation data center partner technical
Presentation data center partner technicalPresentation data center partner technical
Presentation data center partner technical
 
Illustrated Accomplishments 1999 - present 080814
Illustrated Accomplishments 1999 - present 080814Illustrated Accomplishments 1999 - present 080814
Illustrated Accomplishments 1999 - present 080814
 
2011 cisco icons 6_8_11
2011 cisco icons 6_8_112011 cisco icons 6_8_11
2011 cisco icons 6_8_11
 
End-to-End Data Center Virtualization
End-to-End Data Center VirtualizationEnd-to-End Data Center Virtualization
End-to-End Data Center Virtualization
 
Presentation deploying cloud based services
Presentation deploying cloud based servicesPresentation deploying cloud based services
Presentation deploying cloud based services
 
Signal Planning Considerations and Network Designs
Signal Planning Considerations and Network DesignsSignal Planning Considerations and Network Designs
Signal Planning Considerations and Network Designs
 
Presentation cloud computing and the internet
Presentation cloud computing and the internetPresentation cloud computing and the internet
Presentation cloud computing and the internet
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
 
Cisco Icons
Cisco IconsCisco Icons
Cisco Icons
 
IoT関連技術の動向@IETF87
IoT関連技術の動向@IETF87IoT関連技術の動向@IETF87
IoT関連技術の動向@IETF87
 
Presentation cisco plus tech datacenter virtualisering
Presentation cisco plus tech datacenter virtualiseringPresentation cisco plus tech datacenter virtualisering
Presentation cisco plus tech datacenter virtualisering
 
Full disclosure-vulnerabilities
Full disclosure-vulnerabilitiesFull disclosure-vulnerabilities
Full disclosure-vulnerabilities
 
NetX
NetXNetX
NetX
 
Presentation capturing the cloud opportunity
Presentation capturing the cloud opportunityPresentation capturing the cloud opportunity
Presentation capturing the cloud opportunity
 
Presentation cisco prime for ip ngn technical education series introduction...
Presentation cisco prime for ip ngn technical education series introduction...Presentation cisco prime for ip ngn technical education series introduction...
Presentation cisco prime for ip ngn technical education series introduction...
 
L2 Attacks.pdf
L2 Attacks.pdfL2 Attacks.pdf
L2 Attacks.pdf
 
Protegendo sua cloud
Protegendo sua cloud Protegendo sua cloud
Protegendo sua cloud
 
CCNA 2 Routing and Switching v5.0 Chapter 1
CCNA 2 Routing and Switching v5.0 Chapter 1CCNA 2 Routing and Switching v5.0 Chapter 1
CCNA 2 Routing and Switching v5.0 Chapter 1
 
Deploying Applications in Today’s Network Infrastructure
Deploying Applications in Today’s Network InfrastructureDeploying Applications in Today’s Network Infrastructure
Deploying Applications in Today’s Network Infrastructure
 
Hack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to usHack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to us
 

Recently uploaded

ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...JojoEDelaCruz
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)cama23
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxleah joy valeriano
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationRosabel UA
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptshraddhaparab530
 

Recently uploaded (20)

ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for Beginners
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translation
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.ppt
 

Owning nx os-sec-t_2010

  • 1. Owning the data centre, Cisco NX-OS George Hedfors Working for Cybercom Sweden East AB(http://www.cybercomgroup.com) 12 years as IT- and information security consultant Previously worked for iX Security, Defcom, NetSec, n.runs and Pinion Contact george.hedfors@cybercomgroup.com Web page http://george.hedfors.com 2010-08-10 SEC-T 2010 1
  • 2. Short intro to Cisco NX-OS History of research Overview of underlying Linux Disclosure of vulnerabilities Undocumented CLi commands Command line interface escape Layer 2 attack Undocumented user account 2ndCLi escape (delayed) FAQ Topics 2010-08-10 SEC-T 2
  • 3. Based on MontaVista (http://www.mvista.com)embedded Linux with kernel 2.6.10 VDC Virtualization, Virtual Device Context What is NX-OS? 2010-08-10 SEC-T 2010 3 Nexus 4000 (for IBM BladeCenter) Nexus 5000 Nexus 7000 MDS 9500 FC Directors MDS 9222i FC Switch MDS 9100 FC Switches
  • 4. Accidentally made a Cisco-7020 fall over due to an 9 years old denial of service attack Was able to recover CORE dumps from the attack Able to extract all files from the Cisco .bin installation package Found a number of exploitable vulnerabilities To do Dig deeper into Cisco VDC/VRF security What has been done 2010-08-10 SEC-T 4
  • 5. Typical environment Banking/finance Other large data centers Impact Full exposure of interconnected networks and VLAN’s Possibility to eavesdrop and trafficmodification Switch based rootkit installation? Cisco 7000-series 2010-08-10 SEC-T 5
  • 7. Teh Linux 2010-08-10 SEC-T 7 root?!?
  • 8. DC3 Shell ‘the regular Cisco cli’ Configurations contain ‘hidden’ commands Hidden commands 2010-08-10 SEC-T 8
  • 10. How could that happened?! 2010-08-10 SEC-T 10 What could possibly go wrong here? /usr/bin/gdbserver
  • 11.
  • 12. So, where ‘ftpuser’ come from? Default user? Backdoor? Easter egg? Recovered password ‘nbv123’ Undocumented user account 2010-08-10 SEC-T 13
  • 13. Searching for ‘nbv123’ 2010-08-10 SEC-T 14
  • 14. CSCti03724 – CLI escape in NX-OS using GDB Workaround: None Fixed in NX-OS 4.1(4) CSCti04026 – Undocumented user available with default password on NX-OS system Workaround: None CSCtf08873 – CDP with long hostname crashes CDPD on N7k Workaround: Disable CDP CSCti85295 – NX-OS: SUDO privilege escalation Workaround: None Bug tracking 2010-08-10 SEC-T 15
  • 15. Special thanks to Juan-Manuel Gonzales, PSIRT Incident Manager <juagonza@cisco.com> Thanks 2010-08-10 SEC-T 16

Editor's Notes

  1. Each VDC runs as each own entity within the device