[NEWS] Cisco WSM URL Filtering Solution TCP ACL Bypass Vulnerability

Subject: [NEWS] Cisco WSM URL Filtering Solution TCP ACL Bypass Vulnerability
Date: 15 May 2005 18:08:30 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Cisco WSM URL Filtering Solution TCP ACL Bypass Vulnerability
------------------------------------------------------------------------


SUMMARY

The Cisco Firewall Services Module (FWSM) is "a high-speed, integrated 
firewall module for Catalyst 6500 series switches and Cisco 7600 series 
routers". A vulnerability exists in the Cisco Firewall Services Module 
when URL, FTP, or HTTPS filtering is enabled in which inbound TCP packets 
can bypass access-list entries intended to explicitly filter them.

DETAILS

Vulnerable Systems:
 * Firewall Services Module 2.3.1 and prior

Immune Systems:
 * Firewall Services Module 2.3.2

Although access lists (ACL) can be used to prevent outbound access to 
specific websites or File Transfer Protocol (FTP) servers via IP address 
and/or IP address/port pairs, configuring and managing web usage this way 
is often not practical because of the size and dynamic nature of the 
Internet. The FWSM may be used in conjunction with a Websense Enterprise 
or N2H2 server to better manage filtering of Hypertext Transfer Protocol 
(HTTP), HTTP over Secure Sockets Layer (HTTPS), and FTP connections to and 
from the Internet.

If URL, HTTPS, or FTP filtering exceptions have been configured with the 
command

filter < url | https | ftp > except

in order to exclude certain addresses from being filtered, then any TCP 
traffic that matches the exception is not only exempt from filtering but 
is also exempt from inbound ACL inspection on every interface.

Because filtering is enabled for outbound connections from the inside 
interface, a common simplification is to write the exception with a source 
address and mask of all zeros (0.0.0.0 0.0.0.0) so that any host on an 
internal network can reach the servers placed on a DMZ. That wildcard 
source also matches traffic arriving on any other interface, including 
the outside, which is what makes the bypass reachable from untrusted 
networks.

Proof of Concept:
An example configuration of a filter exception which allows internal hosts 
to reach another network might be:
FWSM# show filter
filter https except 0.0.0.0 0.0.0.0 10.1.3.0 255.255.255.0
filter ftp except 0.0.0.0 0.0.0.0 10.1.3.0 255.255.255.0
filter url except 0.0.0.0 0.0.0.0 10.1.3.0 255.255.255.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

In this example, the source address and mask of 0.0.0.0 0.0.0.0 match 
every source, so all TCP traffic arriving on any interface and destined to 
hosts on the 10.1.3.0/24 network will bypass all FWSM interface input 
ACLs, including entries that explicitly deny it.

If the output of "show filter" on your FWSM includes a "filter" command 
with the "except" keyword, you may be susceptible to the vulnerability 
outlined in this advisory.

Vulnerability Detection:
To determine if you are running a vulnerable version of FWSM software, 
issue the "show module" command in IOS or CatOS to identify what modules 
and sub-modules are installed in the system.

The example below shows a system with a Firewall Service Module 
(WS-SVC-FWM-1) installed in slot 4.

6506-B#show module
Mod Ports Card Type                              Model              Serial No.
 -- ----- -------------------------------------- ------------------ -----------
  1   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX     SAxxxxxxxxx
  4    6  Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAxxxxxxxxx
  6    2  Supervisor Engine 720 (Hot)            WS-SUP720-BASE     SAxxxxxxxxx

After locating the correct slot, issue the "show module <slot number>" 
command to identify the version of software running:
6506-B#sho module 4
Mod Ports Card Type                              Model              Serial No.
 -- ----- -------------------------------------- ------------------ -----------
  4    6  Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx

Mod MAC addresses                       Hw    Fw           Sw           Status
 -- ---------------------------------- ------ ------------ ------------ -------
  4  0003.e4xx.xxxx to 0003.e4xx.xxxx   3.0   7.2(1)       2.3(1)       Ok

In this example, the FWSM is running version 2.3(1) as indicated by the 
column under "Sw" above.

Alternatively, the information may also be gained directly from the FWSM 
via the "show version" command:
FWSM#show version

FWSM Firewall Version 2.3(1)

For customers managing their FWSM via the PIX Device Manager (PDM), simply 
log into the application, and the version may be found either in the table 
in the login window or in the upper left hand corner of the PDM window 
indicated by a label similar to:
FWSM Version: 2.3(1)
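The script below is an added example and is not part of the Cisco advisory or the SecuriTeam bulletin. It applies both checks above offline to pasted CLI output: it reads the FWSM software version from the Sw column of "show module <slot>" (or from "show version") and compares it with the 2.3(2) fix release, and it parses "show filter" for "except" entries, flagging those whose all-zeros source makes the exemption match traffic arriving on any interface. The embedded sample outputs are constructed from the advisory's own examples, not captured from a device, and the function names and report fields are assumptions of this example, not Cisco commands or output.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
FIXED_VERSION: Version = (2, 3, 2)  # first immune release named in the advisory

# Constructed sample output modelled on the advisory's "show module 4" (not from a real device).
SHOW_MODULE_SLOT = """\
Mod Ports Card Type                              Model              Serial No.
 -- ----- -------------------------------------- ------------------ -----------
  4    6  Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx

Mod MAC addresses                       Hw    Fw           Sw           Status
 -- ---------------------------------- ------ ------------ ------------ -------
  4  0003.e4xx.xxxx to 0003.e4xx.xxxx   3.0   7.2(1)       2.3(1)       Ok
"""

# Constructed sample output: the advisory's own "show filter" example.
SHOW_FILTER = """\
filter https except 0.0.0.0 0.0.0.0 10.1.3.0 255.255.255.0
filter ftp except 0.0.0.0 0.0.0.0 10.1.3.0 255.255.255.0
filter url except 0.0.0.0 0.0.0.0 10.1.3.0 255.255.255.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)")  # FWSM form, e.g. 2.3(1)
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_EXCEPT_RE = re.compile(rf"^\s*filter\s+(url|https|ftp)\s+except\s+{_IP}\s+{_IP}\s+{_IP}\s+{_IP}\s*$")

def parse_version(token: str) -> Optional[Version]:
    """'2.3(1)' -> (2, 3, 1); None if the token is not in FWSM version form."""
    m = _VERSION_RE.search(token)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def version_from_show_version(text: str) -> Optional[Version]:
    """Read the version from 'FWSM Firewall Version 2.3(1)' ('show version' on the module)."""
    m = re.search(r"Firewall Version\s+(\S+)", text)
    return parse_version(m.group(1)) if m else None

def version_from_show_module(text: str) -> Optional[Version]:
    """Read the Sw column of 'show module <slot>': Fw and Sw share the x.y(z) form, Sw is rightmost."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not re.search(r"\bFw\b.*\bSw\b", line):
            continue
        for row in lines[i + 1:]:
            if re.match(r"\s*\d+\s", row):  # data row starts with the slot number
                matches = list(_VERSION_RE.finditer(row))
                if matches:
                    return parse_version(matches[-1].group(0))
    return None

def is_vulnerable_version(v: Version) -> bool:
    """2.3(1) and earlier are vulnerable; 2.3(2) is the first immune release."""
    return v < FIXED_VERSION

def find_filter_exceptions(show_filter: str) -> List[Dict[str, object]]:
    """List every 'filter ... except' entry and the traffic it exempts.
    On a vulnerable FWSM, TCP traffic matching such an entry also bypasses the
    inbound ACL on every interface; a 0.0.0.0 0.0.0.0 source means any host."""
    found: List[Dict[str, object]] = []
    for line in show_filter.splitlines():
        m = _EXCEPT_RE.match(line)
        if not m:
            continue
        proto, src, smask, dst, dmask = m.groups()
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        found.append({"protocol": proto, "source": str(src_net), "destination": str(dst_net),
                      "any_source": src_net.prefixlen == 0})
    return found

def audit(show_module_text: str, show_filter_text: str) -> Dict[str, object]:
    """Vulnerable only when a pre-2.3(2) release is combined with at least one except entry."""
    version = version_from_show_module(show_module_text)
    bad_version = version is not None and is_vulnerable_version(version)
    exceptions = find_filter_exceptions(show_filter_text)
    # Destinations that any TCP traffic, from any interface, can reach past the inbound ACLs.
    exposed = sorted({str(e["destination"]) for e in exceptions if e["any_source"]})
    return {"version": version, "vulnerable_version": bad_version, "exceptions": exceptions,
            "vulnerable": bad_version and bool(exceptions), "exposed_destinations": exposed}

if __name__ == "__main__":
    report = audit(SHOW_MODULE_SLOT, SHOW_FILTER)
    print("FWSM software:", report["version"], "- vulnerable:", report["vulnerable"])
    for e in report["exceptions"]:  # type: ignore[attr-defined]
        flag = "  <- any source: bypasses inbound ACLs on all interfaces" if e["any_source"] else ""
        print(f"  filter {e['protocol']} except {e['source']} -> {e['destination']}{flag}")
    print("Reachable past inbound ACLs:", report["exposed_destinations"])
```

To use it on a real device, replace the two constants with the pasted output of "show module <slot>" on the switch and "show filter" on the FWSM. The version check alone is not enough: a 2.3(1) module with no "except" entries is not exposed, and an upgraded module is not exposed however the exceptions are written, so the script reports both conditions and only calls the combination vulnerable.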


ADDITIONAL INFORMATION

The information has been provided by Cisco Systems.
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20050511-url.shtml


