NAPALM - command execution on NAPLM controller from host
During a summary code review of NAPALM, we found and exploited several issues that allow a compromised host to execute commands on the NAPALM controller and thus gain access to the other hosts controlled by that controller.
During a summary code review of NAPALM, Computest found and exploited several issues that allow a compromised host to execute commands on the NAPALM controller and thus gain access to the other hosts controlled by that controller.
This was not a full audit and further issues may or may not be present.
About NAPALM
NAPALM (Network Automation and Programmability Abstraction Layer with Multivendor support) is a Python library that implements a set of functions to interact with different router vendor devices using a unified API.
NAPALM supports several methods to connect to the devices, to manipulate configurations or to retrieve data.
(Taken from their README)
Technical Background
A big threat to a configuration management system like NAPALM, Ansible, Salt Stack and others is compromise of the central node, or controller. If the controller is compromised, an attacker has unfettered access to all hosts that are controlled by the controller. As such, in any deployment, the central node receives extra attention in terms of security measures and isolation, and threats to this node are taken even more seriously.
Issue: Unsafe eval() when validating configurations
The validator allows for a number comparison using < and >. This is
handled by the compare_numeric() function in napalm-base/validator.py. The
function assumes that the value that is retrieved from the router is also a
number and continues to use the eval() function for the actual comparison.
However, a compromised device can of course also return an arbitrary string,
which will be evaluated.
def compare_numeric(src_num, dst_num):
"""Compare numerical values. You can use '<%d','>%d'."""
complies = eval(str(dst_num)+src_num)
if not isinstance(complies, bool):
return False
return complies
Issue 2: Unsafe eval() in the IOS XR driver
The eval() function is also used quite extensively in the IOS XR
driver. Its use case seems to be to transform a
string, from the API, which contains true or false to a Python boolean.
When the router is compromised however, the string could contain an arbitrary
value that is passed to the eval() function. The difficulty in exploiting this
would be that the value is first passed to the title() function before it is
evaluated as Python code. The title() function capitalizes the first character
of each word in a string.
For example:
multipath = eval((napalm_base.helpers.find_txt(
bgp_group, 'NeighborGroupAFTable/NeighborGroupAF/Multipath') or 'false').title())
napalm_iosxr/iosxr.py#L821
napalm_iosxr/iosxr.py#L821
napalm_iosxr/iosxr.py#L952
napalm_iosxr/iosxr.py#L966
napalm_iosxr/iosxr.py#L968
napalm_iosxr/iosxr.py#L970
napalm_iosxr/iosxr.py#L1003
napalm_iosxr/iosxr.py#L1005
napalm_iosxr/iosxr.py#L1145
napalm_iosxr/iosxr.py#L1368
Mitigation
Users that are unable to update, can mitigate the issues by not using the <
or < validation options and not use the IOS XR driver.
Resolution
Users can update to version 0.24.3 of napalm-base and 0.5.3 of napalm-iosxr, which fixes these vulnerabilities.
Challenge
We have taken the liberty to transform this vulnerability into a CTF challenge for SHA2017. Exploitation is left as an exercise for the reader:
#!/usr/bin/env python2
eval(raw_input().title())
Conclusion
The NAPALM project assumes that all nodes are playing nice. However, this assumption does not hold in a situation where a node is compromised. The project would benefit from a more defensive programming style, were values that are returned from a node are considered hostile and addressed accordingly.
We would like to thank the developers of NAPALM for their quick response. The mentioned vulnerabilities were fixed within 2 hours after our initial email!
Timeline
2017-07-12 First contact with NAPALM developers
2017-07-12 NAPALM released a fix