Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Cisco ACS UCP Pre-Authentication Buffer Overflows

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Cisco ACS UCP Pre-Authentication Buffer Overflows
Date: 16 Mar 2008 14:42:07 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Cisco ACS UCP Pre-Authentication Buffer Overflows
------------------------------------------------------------------------


SUMMARY

Cisco Secure Access Control Server (ACS) for Windows User-Changeable 
Password (UCP) application is a set of CGI programs and web site contents 
installed on Microsoft IIS.


From the Cisco Advisory:

"The UCP application enables end users to change their ACS passwords with 
a web-based utility. When users need to change their own passwords, they 
can access the UCP web page by using a supported web browser, validate 
their existing credentials, and then change their password via the 
utility."

The CGI /securecgi-bin/CSUserCGI.exe suffers from multiple buffer 
overflows exploitable remotely through the HTTP protocol before 
authentication. Additionally, CSUserCGI.exe suffers from a non-persistent 
Cross Site Scripting vulnerability.

DETAILS

Vulnerable Systems:
 * Cisco ACS version 3 and version 4
 * Cisco UCP version 3.3.4.12.5
 * Cisco CSuserCGI version 3.3.1

Immune Systems:
 * Cisco ACS UCP version 4.2

The main() function of CSuserCGI.exe compares the first command line 
argument passed to the program using strcmp() against a list of supported 
arguments, among them "Logout", "Main", "ChangePass", etc.

For most of the aguments, it will simply parse the following arguments and 
pass them to a wsprintf() call with format strings like 
"Action=%s&Username=%s&OldPass=%s&NetPass=%s". The destination buffer of 
these calls is located in the .data segment of the application.

In case of the "Logout" argument, main() passes the second argument, 
usually of the form "1234.xyzab.c.username.", as well as a char[] buffer 
on the stack to a function that first extracts the string up to the first 
'.' character using strtok and then copies the string into the supplied 
char[] buffer. The char buffer is 96 bytes long. Accordingly, if the 
string before the first dot character exceeds this length, the buffer as 
well as the return address is overwritten.

 .text:00401065 mov eax, [ebx+8] ; get argv[2]
 .text:00401068 test eax, eax
 .text:0040106A jz loc_401520
 .text:00401070 push eax ; char *
 .text:00401071 call sub_402870
 ...
 .text:00402870 sub esp, 60h
 .text:00402873 mov ecx, 17h
 .text:00402878 xor eax, eax
 .text:0040287A push edi
 .text:0040287B lea edi, [esp+64h+var_60]
 .text:0040287F rep stosd
 .text:00402881 mov ecx, [esp+64h+arg_0]
 .text:00402885 stosw
 .text:00402887 stosb
 .text:00402888 lea eax, [esp+64h+var_60]
 .text:0040288C push eax ; int
 .text:0040288D push ecx ; char *
 .text:0040288E call sub_402940
 ...
 .text:00402940 mov ecx, [esp+arg_0]
 .text:00402944 xor eax, eax
 .text:00402946 test ecx, ecx
 .text:00402948 jz locret_402A11
 .text:0040294E push ebx
 .text:0040294F push esi
 .text:00402950 push edi
 .text:00402951 push offset a_ ; "."
 .text:00402956 push ecx ; char *
 .text:00402957 call _strtok
 .text:0040295C mov edi, eax
 .text:0040295E or ecx, 0FFFFFFFFh
 .text:00402961 xor eax, eax
 .text:00402963 mov ebx, [esp+14h+arg_4]
 .text:00402967 repne scasb
 .text:00402969 not ecx
 .text:0040296B sub edi, ecx
 .text:0040296D lea edx, [ebx+1]
 .text:00402970 mov eax, ecx
 .text:00402972 mov esi, edi
 .text:00402974 mov edi, edx
 .text:00402976 push offset a_ ; "."
 .text:0040297B shr ecx, 2
 .text:0040297E rep movsd
 .text:00402980 mov ecx, eax
 .text:00402982 push 0 ; char *
 .text:00402984 and ecx, 3
 .text:00402987 rep movsb

Example:
The following request will cause EIP to be overwritten with 0x42424242. 
The line may wrap, depending on how you view this file.
https://target/securecgi-bin/CSUserCGI.exe?Logout+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB.xyzab.c.hacker.

A non-persistent Cross Site Scripting vulnerability can also be triggered 
using the Help facility of the CGI. An example request would be as 
follows. The line may wrap, depending on how you view this file.
https://target/securecgi-bin/CSUserCGI.exe?Help+00.lala.c.hacker%22%22%22%3E%3Ch1%3EHello_Cisco%3C/h1%3E

Solution:
Update to UCP version 4.2. See the Cisco Advisory for how to obtain fixed 
software:  
<http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml> 
http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml


ADDITIONAL INFORMATION





======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Cisco ACS UCP Pre-Authentication Buffer Overflows, SecuriTeam <=
Previous by Date:  [NEWS] Java Web Start Encoding Stack Buffer Overflow, SecuriTeam
Next by Date:  [NT] Microsoft Excel Rich Text Memory Corruption Vulnerability (MS08-014), SecuriTeam
Previous by Thread:  [NEWS] Java Web Start Encoding Stack Buffer Overflow, SecuriTeam
Next by Thread:  [NT] Microsoft Excel Rich Text Memory Corruption Vulnerability (MS08-014), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]