
| Subject: | [NEWS] Cisco Wireless Control System Multiple Vulnerabilities |
|---|---|
| Date: | 29 Jun 2006 14:23:16 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Cisco Wireless Control System Multiple Vulnerabilities
------------------------------------------------------------------------

SUMMARY

"<http://www.cisco.com/en/US/products/ps6305/index.html> Cisco Wireless Control System (WCS) is the industry leading platform for wireless LAN planning, configuration, and management." Improper handling of user input and design issues allow attackers to execute arbitrary code, retrieve and write information and gain administrator privileges in Cisco's Wireless Control System.

DETAILS

Vulnerable Systems:
* WCS for Linux and Windows version 3.2(40) and prior
* WCS for Linux and Windows version 3.2(51) and prior
* WCS for Linux and Windows version 4.0(1) and prior

Cisco Wireless Control System (WCS) contains multiple vulnerabilities which may allow a remote user to:
* access sensitive configuration information about access points managed by WCS
* read from and write to arbitrary files on a WCS system
* log in to a WCS system with a default administrator password
* execute script code in a WCS user's web browser
* access directories which may reveal sensitive WCS configuration information

Wireless Control System is a centralized, systems-level application for managing and controlling lightweight access points and wireless LAN controllers for the Cisco Unified Wireless Network. WCS contains multiple vulnerabilities including information disclosure and privilege escalation issues.

The issues are detailed below:
* Remote users can connect to the WCS internal database with an undocumented username and hard-coded password, gaining access to the sensitive configuration information of managed wireless access points.
* The undocumented database username and password are present in several WCS files in clear text.
* WCS installations contain the default administrator username root with a default password of public. The password is not required to be changed during installation or upon the initial login. There is a workaround for this vulnerability.
* A remote user can read from or write to arbitrary locations in the filesystem of a WCS system via the internal TFTP server. This problem only occurs if the directory path chosen by the user during the installation of WCS for the root of the internal TFTP server contains a space character. There is a workaround for this vulnerability.
* The login page for the WCS HTTP interface does not completely sanitize user-supplied data for malicious script code. This may result in the ability for an attacker to entice a user to access a malicious URL which executes arbitrary script code in the user's web browser.
* The WCS HTTP server does not completely secure certain directories, potentially allowing access to sensitive information like WCS usernames and directory paths.

These issues are documented by the following Cisco bug IDs:
* WCS DBserver is remotely accessible using Solid SQL and static password
* Database passwords are written in clear text on the program folders
* WCS ships with default administrator account and password
* WCS tftp read/writes to C:\ if given dir has a space
* Possible CSS attack on login page of WCS
* WCS allows unauthenticated access to user list and html files on server

Successful exploitation of the vulnerabilities presented in this advisory has different impacts.
* May result in the exposure of sensitive configuration information for wireless access points managed by the WCS server, including encryption keys. With the encryption keys for managed wireless networks, an attacker can intercept and decrypt network traffic.
* May allow an attacker to gain access to the WCS internal database.
* May allow an attacker to gain complete control of a WCS installation.
* May result in the ability to read from and write to arbitrary locations in the filesystem of a system running WCS, including the ability to overwrite and create new files.
* Exploitation may allow an attacker to execute arbitrary script code in a user's web browser. This may be used to obtain sensitive session information which can be used to access the WCS management interface.
* Exploitation may allow an attacker to obtain sensitive WCS configuration data such as WCS usernames and directory installation paths.

Workaround:

There are no workarounds for vulnerabilities described in default database account and password, database user and password in clear text, XSS and unprotected HTTP directories.

There is a workaround for the vulnerability described in default administrator account and password. Users can change the password for the root username via the WCS HTTP management interface. Select Administration -> Accounts -> root to change the password.

There is a workaround for the vulnerability described in TFTP file read and write. Follow these steps to mitigate the TFTP vulnerability.
* Stop the WCS service via Programs -> Wireless Control System -> StopWCS.
* Edit the file \webnms\conf\NmsProcessesBE.conf. WCS is typically installed in C:\Program Files\WCS32. Modify the section

    # java com.adventnet.nms.tftp.NmsTftpServer [TFTP_ROOT_DIRECTORY dir] [PORT portNo]
    # RJS WARNING - If you change these lines, you must change the installer.
    PROCESS com.adventnet.nms.tftp.NmsTftpServer
    ARGS TFTP_ROOT_DIRECTORY C:/some directory PORT 69 RETRIES 3 TIMEOUT 30000

  by placing quotes around the directory path like "C:/some directory".
* Start the WCS service via Programs -> Wireless Control System -> StartWCS

ADDITIONAL INFORMATION

The information has been provided by <mailto:psirt@cisco.com> Cisco Systems Product Security.
The original article can be found at: <http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml>
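
The TFTP workaround above can be checked mechanically. The following is an added example, not part of the Cisco advisory or of WCS: it flags a TFTP_ROOT_DIRECTORY value in NmsProcessesBE.conf that contains a space without quotes and produces the quoted line the workaround asks for. The function names are hypothetical, the sample input is constructed from the fragment quoted in the advisory, and the set of keywords that can follow the directory is assumed from that fragment.

```python
import re

# Keywords that may follow the directory on the ARGS line; taken from the
# fragment quoted in the advisory and assumed here to be the full set.
NEXT_KEYS = "PORT|RETRIES|TIMEOUT"
ARGS_RE = re.compile(
    r'^(?P<head>\s*ARGS\s+TFTP_ROOT_DIRECTORY\s+)'
    r'(?P<dir>"[^"]*"|.*?)'
    r'(?P<tail>(?:\s+(?:' + NEXT_KEYS + r')\b.*)?)\s*$'
)

# Constructed sample: the NmsProcessesBE.conf section shown in the advisory.
SAMPLE_CONF = """\
# java com.adventnet.nms.tftp.NmsTftpServer [TFTP_ROOT_DIRECTORY dir] [PORT portNo]
# RJS WARNING - If you change these lines, you must change the installer.
PROCESS com.adventnet.nms.tftp.NmsTftpServer
ARGS TFTP_ROOT_DIRECTORY C:/some directory PORT 69 RETRIES 3 TIMEOUT 30000
"""

def audit_tftp_root(conf_text):
    """Return (line_no, directory, status) for every TFTP root definition."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = ARGS_RE.match(line)
        if not m:
            continue  # comments and other PROCESS/ARGS entries
        directory = m.group("dir")
        if directory.startswith('"'):
            status = "quoted"
        elif re.search(r"\s", directory):
            status = "unquoted-space"  # the condition the advisory describes
        else:
            status = "no-space"
        findings.append((line_no, directory.strip('"'), status))
    return findings

def apply_workaround(conf_text):
    """Quote an unquoted directory containing whitespace; leave the rest."""
    fixed = []
    for line in conf_text.splitlines():
        m = ARGS_RE.match(line)
        if m and not m.group("dir").startswith('"') and re.search(r"\s", m.group("dir")):
            line = '%s"%s"%s' % (m.group("head"), m.group("dir"), m.group("tail"))
        fixed.append(line)
    return "\n".join(fixed) + "\n"

if __name__ == "__main__":
    print(audit_tftp_root(SAMPLE_CONF))
    print(apply_workaround(SAMPLE_CONF), end="")
```

Run it against a copy of the file with the WCS service stopped, as the workaround steps require, and compare the output with the original before replacing it.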