Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability

from [ovt] Network Security [Permanent Link]
Subject: Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability
Date: 21 Dec 2005 17:27:10 -0000 
Hi!

The following is the description of the vulnerability in the Cisco 
implementation of downloadable ACLs, which are used by the Cisco PIX firewall 
authentication proxy (aka cut-through proxy) and VPN 3000 concentrators.

When an administrator creates an ACL on the Cisco Secure Access Control Server 
(CS ACS Radius server) it is assigned the internal name 
#ACSACL#-IP-uacl-<random>. For example, the name may be the following: 
#ACSACL#-IP-uacl-43a97a9d. The <random> is changed by CS ACS every time the ACL 
is modified by the administrator. At the same time the internal hidden user 
with the name #ACSACL#-IP-uacl-43a97a9d and the password 
#ACSACL#-IP-uacl-43a97a9d (!) is created by CS ACS. This user is not seen in 
the CS ACS GUI.

The protocol used by the PIX to download the ACL works as follows: 0) User goes 
to Internet (for example) thru the PIX via HTTP(s). PIX asks a username and a 
password. User enters them into the dialog window. 1) PIX sends Radius 
Access-Request to CS ACS to authenticate the user (the user password is 
encrypted by Radius). 2) Radius server authenticates the user and sends back 
the cisco-av-pair Vendor-specific attribute (VSA) with the value 
ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-uacl-43a97a9d. 3) PIX again sends 
Radius Access-Request to authenticate the user #ACSACL#-IP-uacl-43a97a9d. 4) 
Radius server authenticates the user and sends back the ACL body as another 
cisco-av-pair VSA attribute (ip:inacl#1= ...).

Vulnerability:

This basically means that everybody with a sniffer can see the username 
#ACSACL#-IP-uacl-43a97a9d which is sent over the network in clear by the Radius 
protocol from the CS ACS server to the PIX. The password of this user is the 
same as the username. If some network device is configured to use the very same 
CS ACS server for login authentication then the sniffed username can be used to 
login to this network device.

Setting Radius IETF attribute Service-type to "Outbound" to prevent using this 
username for logins may not help: 1) it's impossible to set this attribute for 
the user #ACSACL#-IP-uacl-43a97a9d, because the user is not seen in the CS ACS 
Web interface 2) it's not always possible to set it for the "default" group 
(the user #ACSACL#-IP-uacl-43a97a9d always belongs to the "default" CS ACS 
group), because this group may be used for something else 3) some network 
devices (most notably the PIX firewall) ignore the Service-Type attribute (PIX 
firewall 6.x code does not support login authorization at all (!)). Cisco 
routers ignore this attribute if authorization is not configured (only 
authentication is configured).

Generally speaking the Radius protocol is not appropriate for doing such things 
as downloading ACLs or other attributes on behalf of the user on an "as-needed" 
basis, as it doesn't separate the authentication and authorization. Usually 
this leads to creation of a fake user with the password "cisco" or 
"<username>". Unfortunately this practice is common on Cisco devices.

Thx,
Oleg Tipisov,
Moscow
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  XSS vulnerabilities in Google.com, Watchfire Research
Next by Date:  [Full-disclosure] [USN-231-1] Linux kernel vulnerabilities, Martin Pitt
Previous by Thread:  XSS vulnerabilities in Google.com, Watchfire Research
Next by Thread:  Re: Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability, 3APA3A
Indexes:  [Date] [Thread] [Top] [All Lists]