SANs
From Rory.wiki
Some notes from a recent test on EMC Clariion CX700 and Brocade Silkworm switches.
Basic Info
EMC Clariion is a range of systems that manage Fibre Channel and iSCSI SANs. They're likely to be found in larger companies for managing storage arrays. The Brocade Fibre Channel switches fill the role of standard network switches for the storage network. The network cards (called HBAs) and the protocols that run over Fibre Channel networks are not the same as for a standard network. If iSCSI is used the setup will be different, as that does run over IP. Both the manager and the switches have Ethernet connections for management purposes.
Operating System
The EMC Manager (recent versions) runs Windows XP Embedded. Not very useful from a known-vulnerability point of view, as most of the vulns I have seen for Win XP Embedded are image parsing, and as far as I could see there's no opportunity for that.
The Brocade switches (recent versions) run MontaVista Linux and there's a GPL-compliant listing of the packages they use here. From that there are some old versions of Apache and Sendmail in use, and if you get a shell (which may be pretty easy) there's some scope for privilege escalation (didn't get time to play much with this so far).
Scans & Vulns - EMC
The EMC manager has a couple of potentially interesting ports that may be listening. The main thing is that if 6389/TCP is listening then the "classic CLI" is likely in use. The interesting thing about that is that it's plain text and relies on the client for security. You'll need a copy of navicli, which can be downloaded from EMC's site if you have a Powerlink account.
The main management is done through the "web app". It's not really a web app, just a web server which downloads a large Java applet and then receives XML-style web services calls generated by that application. Intercepting traffic from the Java applet is possible but a bit tricky: it doesn't respect proxy settings in either the Java control panel or the browser.
What I did was set up two Burp listeners on 127.0.0.1 ports 80 and 443 and flag them for invisible proxying with the manager IP address in the "redirect to host" box. That seemed to work pretty well.
There are a couple of pages (/setup) on the site, and for findings there may be a decent RoboHelp vuln. The Navisphere web server may be using an old version of RoboHelp which has an HTML content injection vuln. Basically, a URL specified after the # character is loaded by JavaScript into a frame on the page...
On the UDP side of things, SNMP may be listening, and may have the community string "public" (apparently until recent versions it's hardcoded to that and can't be changed).
For more findings, the authentication setup (if they're relying on the one provided by Navisphere) is unlikely to comply with security best practice: no minimum password length, no password complexity requirements, no lockout, no restrictions on multiple accounts, no session timeout.
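The fragment-to-frame pattern described above, shown as an added example (not code from this page or from RoboHelp) in its leaky form beside a hardened form that only accepts known relative topic names; the help directory and topic allowlist are constructed for the example, and in a real page the returned value would be assigned to the frame's src.

```javascript
// Added example: loading the help topic named after '#' into a frame.
// Assumed layout: help topics live under HELP_BASE; the topic names are constructed.

// Leaky form: whatever follows '#' becomes the frame source unchanged, so a
// crafted link can point the frame at another origin or a javascript: URL.
function vulnerableTopicSrc(hash) {
  return hash.startsWith('#') ? hash.slice(1) : hash;
}

// Hardened form: allow only a bare topic filename from a known set, so the
// fragment can never change scheme, host or directory.
const HELP_BASE = '/help/';                                             // assumed
const KNOWN_TOPICS = new Set(['intro.htm', 'ports.htm', 'zoning.htm']); // constructed

function safeTopicSrc(hash) {
  const topic = hash.startsWith('#') ? hash.slice(1) : hash;
  // A single filename: no scheme, no '//', no path separators, no traversal.
  if (!/^[A-Za-z0-9_-]+\.htm$/.test(topic)) return null;
  if (!KNOWN_TOPICS.has(topic)) return null;
  return HELP_BASE + topic;
}
```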
Scans & Vulns - Brocade
The Brocades scanned out like fairly standard Linux boxes: 22/TCP SSH, 23/TCP telnet, 80/TCP web server and rpcbind on 111/TCP. On the UDP side, SNMP again. There are several possible default community strings, some of which are read/write! Try public, private, OrigEquipMfr, common and FibreChannel.
The first thing that'll pop up is the potential for default accounts. Brocades ship with four default accounts (admin, root, factory and user). AFAICS the default password is "password" for all of them.
The main admin is done via the web server. It's a similar setup to the Navisphere stuff: the web server downloads a Java applet which you sign in to, and it then makes requests in the background. The auth is weak (basic in the clear over HTTP, unless the SSL web server has been enabled). Also, instead of making web services calls, what the app appears to do is have various URLs stored in the source code which it then accesses and parses the results of. Decompiling the applet and grepping through for web pages produces the list below. The access control on the web pages seems spotty, with several being accessible without authentication. In particular events.html returns the event log for the switch and SwitchInfo.html returns the configuration of the switch.
Another minor vuln is that the login page on the website reveals the existence of a username by giving different error messages for valid and invalid users.
Brocade web page list
--
AAAConfig.html
ActiveRefs.html
AddLicense.html
Authenticate.html
ChassisManager.html
ConfigPerformance.html
Configure.html
DynamicData.html
ExtendedFabric.html
FWAlarms.html
FWAreaCfg.html
FWElemCfg.html
FWEmailCfg.html
FWFruAlarms.html
FWFruCfg.html
FabricConfiguration.html
FabricInfo.html
FabricWatch.html
FiconStatus.html
FileXfer.html
FwAreaCfg.html
HaAdmin.html
HaCp.html
HaInfo.html
HaService.html
HaSummary.html
LicenseAdmin.html
Logout.html
NSTableShow.html
NetworkConfig.html
NewGigePerformance.html
NewPerformance.html
NewSwitch.html
PerformanceMonitor.html
PortAdmin.html
PortDetail.html
PortGbic.html
PortLoop.html
PortSetting.html
Redirect.html
RemoteSwitch.html
RoutingConfig.html
SecInfo.html
SecuritySetting.html
SnmpConfig.html
Switch.html
SwitchCert.html
SwitchInfo.html
SwitchSetting.html
Trace.html
TrunkingInfo.html
UserAdmin.html
WTLastEvent.html
ZoneAdmin.html
ZoneAdminAuth.html
addLicense.html
admin.html
adminDomain.html
admindomain.html
agdevice.html
agportcfg.html
blade.html
changePassword.html
closewin.html
cupPdcm.html
da.html
events.html
fabricinfo.html
fabswitch.html
fcradmin.html
ficonCup.html
filexfer.html
gzoneinfo.html
iSCSIadmin.html
isalive.html
iscsiadmin.html
licenseAuth.html
licenseCheck.html
loopaction.html
loopdiag.html
mainRightFrame.html
metaInfo.html
openloopActWin.html
openwin.html
portadmin.html
rebootAdmin.html
redirect.html
securityBanner.html
session.html
switch.html
switchReport.html
switchexplorer.html
telnet.html
text.html
weblicchk.html
