Email or username:

Password:

Forgot your password?
daniel:// stenberg://

I was reminded of the great #Cisco security fix of 2019

#curl

89 comments
Gina Häußge

@bagder OMG, did they really pull that off? That's... amazing 😂

daniel:// stenberg://

@foosel that's the genuine "fix" for a reported security problem against some of their devices at the time, yes indeed

Simon Zerafa :donor: :verified:

@bagder @foosel

So I assume that Curl can now present different User-Agent values as needed (assuming it didn't before, of course)?

Which given I very rarely use Curl is probably a very stupid question but give I could think of that as a potential issue/solution shows how monumentally ridiculous that bug fix really is 🫤🤦‍♂️

Neil Craig

@simonzerafa @bagder @foosel It can indeed, there's a specific arg or you can use the generic `-H "header-name: header-value"` form.
Those have been a thing as long as I've been using curl 👍🏻.
curl.se/docs/manpage.html#-A

Simon Zerafa :donor: :verified:

@tdp_org @bagder @foosel

Well at least I have more foresight that an Oracle programmer 🙂🤷‍♂️

Ángela Stella Matutina

@tdp_org @simonzerafa @bagder @foosel

Even good old wget does it. I've used -U MSIE more times than I can remember. It also has a --header option.

Paul Nicholls

@foosel @bagder I can well believe it, from the company that once broke their website by somehow removing every lowercase "t" from their HTML... Though that was about a decade earlier!

@infosec_jcp 🐈🃏 done differently

@flq @nullcolaship @foosel @bagder

Searh '& replacet' ? 😂

As 🖖 says ' most impressive! ' 😂🤦‍♂️

root42

@nullcolaship @foosel @bagder "Skip o Conen" sounds like an Irish talk show host.

cd ~

@root42 @nullcolaship @foosel @bagder Interesting that it still renders as a website of sorts with all letters 't' removed. I wonder which letters are the most redundant ones in this metric.

mausmalone

@cd_home @root42 @nullcolaship @foosel @bagder It is pretty funny - it's just that most of the HTML tags for content (h1-6, a, p, div) don't have the letter t, while a lot of stuff in the head (title, script, style) do.

Surely any tables on the page are ruined, though.

cd ~

@root42 @nullcolaship @foosel @bagder "Skip o search" is the process of quickly finding the non-sponsored, un-SEOed and not generated pages in the search results. Will soon be taught in schools.

Aren

@cd_home @root42 @nullcolaship @foosel @bagder Skip o Search would be a great name for a search engine

husjon

@nullcolaship @foosel @bagder I looked at the source code image before reading your command and I thought I had a stroke 😅

Giles

@nullcolaship @foosel @bagder Just think of all those tabs they’d have been able to remove if they’d escaped their regex properly.

David Nash

@nullcolaship @foosel @bagder When Cisco announced public access to the simplified web presentation language they used internally, “HML”, they failed to describe exactly *how* they simplified it, but one look at their website revealed all.

0xC0DEC0DE07E8

@colin_mcmillen @bagder wait, you can dump the config without authentication of any kind, which includes the devices password hashes, and somehow you can just pass those hashes back to authenticate to the device?
No, that all tracks with the sophistication of this “fix”.

0xC0DEC0DE07E8

@colin_mcmillen @bagder
✅ don’t store passwords in plaintext
❓ don’t transmit credentials in the clear
❌ prevent replay attacks

Jess👾

I've got some really bad news for you about just how many devices there are out there that fail at LEAST 1 of those, and a nontrivial number that fail all 3.

@c0dec0dec0de
@colin_mcmillen @bagder

Todd Knarr

@JessTheUnstill @c0dec0dec0de @colin_mcmillen @bagder TBF using symmetric encryption/hashing it's hard to avoid either storing or transmitting the credentials in the clear. To avoid both you need to use asymmetric (public-key) encryption and only transmit nonces (what hardware tokens do with certificate-based authentication).

Jess👾

That's not how that works.

When we talk about exchanging credentials in the clear, we're talking stuff like telnet where a MitM can just dump your password via Wireshark. An ssh connection sets up a secure tunnel between the systems, and then compares cryptographic hashes. The plain text password never is stored on disk anywhere, just the one way salted hash of the password.

digitalocean.com/community/tut

@tknarr
@c0dec0dec0de @colin_mcmillen @bagder

That's not how that works.

When we talk about exchanging credentials in the clear, we're talking stuff like telnet where a MitM can just dump your password via Wireshark. An ssh connection sets up a secure tunnel between the systems, and then compares cryptographic hashes. The plain text password never is stored on disk anywhere, just the one way salted hash of the password.

0xC0DEC0DE07E8

@JessTheUnstill
Yup. This device is probably transmitting stuff in the clear because it’s got a web server running without encryption. The “normal” answer would be to enable TLS on your web server, but how do you do that when you’re embedded and cant just bake in CA-signed TLS certs?
The thing that interests me about this failure is that you can pass-the-hash to get in.

@tknarr @colin_mcmillen @bagder

@JessTheUnstill
Yup. This device is probably transmitting stuff in the clear because it’s got a web server running without encryption. The “normal” answer would be to enable TLS on your web server, but how do you do that when you’re embedded and cant just bake in CA-signed TLS certs?
The thing that interests me about this failure is that you can pass-the-hash to get in.

Colin McMillen

@c0dec0dec0de @JessTheUnstill @tknarr @bagder my printer self-signs a cert. That's better than clear text even if there's the browser warning.

0xC0DEC0DE07E8 replied to Colin

@colin_mcmillen
Yeah, I’m thinking that’s probably true. You don’t have proof you’re talking to the right device (and therefore vulnerable to MITM attacks notionally but you connected to this thing via an IP address that you got out-of-band so unlikely), but you’re getting the other security benefits (including encrypting your password in transit and resistance to replay attacks).
@JessTheUnstill @tknarr @bagder

Tom van Dijk

@bagder I like how this pentesting team just kept using curl, but schooled Cisco with “-A kurl” 😁

Who even IS Gordo!?
@bagder 😶

This is why I have trust issues.
DELETED

@bagder alt text mentions 404 error but screenshot shows 403, i guess that's a mistake?

Alexander The 1st

@triallax @bagder Given the fix, an off-by-one error seems most fitting.

AcidePoulain

@bagder litterally «if asked if vulnerable then politely reply no»

wakame

@bagder
That's why I always use the curl fork "kewl" when pentesting. /j

Yaksh Bariya

@bagder This is ofcourse going the obvious solution when your blog's "network engineer" tag is filled with PR BS:

CW: everything on this blog is bullshit, and unrelated to what the tag name is

blogs.cisco.com/tag/network-en

Karl Fredrik 🦊

@bagder This is sorta what imgur does for wget as well, to "stop" scraping I guess...

(it has returned 429 "too many requests" every time I've tried, so I assumme it's an ingress rule for the user agent)

Carnildo

@kfh @bagder It makes sense for imgur, because it's a quick way to stop clueless people from trying to spider the site. Usage tracking requires a lot more resources than a simple string comparison on a header, so if you can stop 99% of the spiders before they even hit the usage-tracking code, it's a win.

Kelvin n0mql EN35ld

@bagder
Your alt text says it returns a 404.

Nope. It returns a 403.

Gytis Repečka

@bagder Kudos to those Cisco folks who think security is anyhow supposed to be tweaked based on user input. Everyone knows how to alter request header value, right? I'm sure #curl users do :ablobcatfloofpat:

🔗 David Sommerseth

@bagder

😆

I hope they followed up with a pull-request to the curl project .... removing the -A option ... for security reasons .....

Chris Gioran 💔

@bagder Ah, the classic Volkswagen approach to systems development.

MarkAssPandi

@chrisg @bagder What does it mean? Volkswagen approach?

Raymond

@bagder

Yikes.. 2019 even.. Reminds me of discovering something i called super-root that allowed any monitored system to gain full read write and execute privileges on everything else monitored over the monitoring message bus via the local agent.

They used IP address for ID validation when validating source in an auth token, then just wrote a bypass to ignore that when they needed to make monitoring work across NAT. It took years to beat a proper fix out of them.

🚲

@bagder *inserts slapping flex tape meme

hnapel

@bagder

I looked up the curl man page, especially the example for changing the user agent:

Example:
curl -A "Agent 007" example.com

😎

Martin Rocket

@bagder So many servers are happy when you just provide a trusted user-agent, and a referer. Sometimes one alao needs a token that can be obtaimed from an additional request.

Troed Sångberg

@bagder This should be the first hit on Google when searching for "imposter syndrome".

Sertonix

@bagder Could you just change the casing of the default curl user agent?

Alex Gleason
@bagder But you see, `curl -A "anonymous" ` is now considered unauthorized access of a computer system and is illegal according to the Computer Fraud and Abuse Act.
Wayne Dixon

@bagder @briankrebs I’ve been selectively blocking all sorts of stuff on some servers like that.

Sandor Szücs

@bagder to buy cisco is just sick: expensive and you see the "quality" of their sophisticated "security" devices.
How can they play with their reputation like this...

Tito Swineflu

@bagder If it just piped the offending IP address into the iptables drop list, it would be a good start. No reason to let your adversary know they can try again with different parameters.

srslypascal

@bagder Same nonsense on dl.dell.com - the default user agents of curl and wget trigger a 403 error, but setting the user agent to a less suspicious string such as "bullshit" or "nmap" solves the problem.

Michelle Hughes

@bagder

We won't let you hack into this device unless you ask *politely*! That will stop hackers because the evil in their hearts prevents them from being polite.

🐧DaveNull🐧 ☣️pResident Evil☣

@bagder 😂

As moronic as this "security fix" is, I can't exactly say that I'm surprised…

Raven667

@devnull @bagder Having recently dealt with a Cisco software product, where it seems clear to me that no one on the team built it or knows how it works, they can't even make a clean fresh installer and can only sequentially update from a very old version, they have a _lot_ of junior engineers and few leaders.

🐧DaveNull🐧 ☣️pResident Evil☣

@raven667 That company is full of shit. It's beyond me why network folks love Cisco so much… Even their logo shows you the fingers 😂

We use Cisco VPN load of crap at work because some clowns decided. "It's more secure lol".

As a Linux user, I don't use their anyconnect idiocy, thanks to OpenConnect client, which implement a workaround for CSD. CSD is a newspeak term to refer to their binary trojan downloaded by anyconnect, and executed on the client, for "security verification"…

@bagder

Asharas

@bagder Last time I checked supervisord's documentation website did the same, couldn't get an answer with curl until I try with another UA.

CauseOfBSOD :fediverse:

@bagder@mastodon.social oh no, whatever will i (a malicious hacker) do?

adds a command line argument to curl

Kevin Karhan :verified:

@bagder #Cisco is absitshow and since the #DUAL_EC_DRBG #Gviware #Backdoor they're banned for 3x the time it takes them to apologize.ajd undo harm completely.

So far, they've yet to do those things...

Carlos Solís
@bagder Oh look, a good reason for end users to move to wget </sarcasm>
Jason Sando

@bagder this hit so close to home today ... been struggling with an infrastructure team having a basic auth protected service redirecting https to http. Gave then curl screenshots and their response was "we are not familiar with this 'curl' software, can you try it on Chrome or Edge?" 😔😒🤨

daniel:// stenberg://

I posted this image on LinkedIn as well, and the stats there tells me that Cisco is in fact now the third most common employing company among the viewers... (only beaten by AWS and Microsoft)

linkedin.com/posts/danielstenb

eigenman :chickenroll:

@bagder Well that is a bit ridiculous now isn't it? 🤣

spmatich :blobcoffee:

@bagder does this qualify as code bloat? the user agent header is completely arbitrary and can be set to anything.
I mean why single out curl. Shouldn’t the nmap default user agent be in there too? etc etc

daniel:// stenberg://

@spmatich they singled out curl because the exploit proof of concept used curl. They stopped the example command line from working.

spmatich :blobcoffee:

@bagder so the exploit just needs an update to include setting the user agent header to something else right, and it could be one of many many many different strings.

daniel:// stenberg://

@spmatich ... and that is exactly why the "fix" is so fun!

Gen X-Wing

@bagder This makes me want to add a check for curl as the user agent, but only so it sends back a fun message as part of the return headers. Something harmless.

jn

@bagder takes a real hacker to bypass that one :p

Go Up