lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <8654C851B1DAFA4FA18A9F150145F92502C16C55@fnex01.fishnetsecurity.com>
Date: Tue, 29 Nov 2005 10:52:52 -0600
From: "Evans, Arian" <Arian.Evans@...hnetsecurity.com>
To: "Florian Weimer" <fw@...eb.enyo.de>, <picardos@...ra.es>,
	<bugtraq@...urityfocus.com>
Subject: RE: - Cisco IOS HTTP Server code injection/execution vulnerability-


To further aggravate the CSRF/'Session Riding' angle, one may
implement two attack mechanisms against Cisco IOS/HTTP (and any
similar platform) with current browsers/javascript injection:

1) img src=[IE only]javascript: and increment through RFC-reserved
IP space; you could focus on .1's and .254's to target common
gateway locations. I presented script targeting Nokia IPSO doing
this at Black Hat Amsterdam 05 that was written in 2003. Further
research revealed a _lot_ of folks have done work here going back
farther than I initially realized...

2) Pop an iFrame and get full browser control. Reference Jeremiah
Grossman's BH Vegas 05 presentation & Anton Rager's XSS Proxy and
05 Schmoocon presentation (you will have to tweak XSS_Proxy's frame
to get it to work transparently). We have similar scripts that can
perform anything from keyboard capture (useful for things like Citrix
nFuse sessions) to payload injection.

More importantly: through #2 iFrame method, you can control the client
browser and use it to scan and effectively fingerprint/map the target
internal network for [Cisco] devices by parsing DOM contents/HTTP header.

No one has done a good write-up on this attack vector bit but it's
relatively trivial to execute and doesn't require much coding knowledge
to write a working exploit (a little js and a server-side controller).

If someone wants to flip an ActiveX control in they could wreak
real havoc. Many of these devices (think SSL VPNs) already rely
on ActiveX so users are used to installing them. This has been
talked about for years but no one has released an ActiveX written
for, say, full client disk-control and marked safe for scripting
and initialization with XSS/js injection PoC or proxy toolkits. </hint>

(nota bene: yes these ActiveX *have* been released--reference the
Sony 'Rootkit removal ActiveX control'--but not released in the
sense of a reusable ActiveX purpose built for client-control to
embed on target.site or to host on a malware.site that the attack
code can link to...at least that I'm aware of...)

-ae

> -----Original Message-----
> From: Florian Weimer [mailto:fw@...eb.enyo.de] 
> Sent: Monday, November 28, 2005 3:55 PM
> To: picardos@...ra.es
> Cc: bugtraq@...urityfocus.com
> Subject: Re: - Cisco IOS HTTP Server code injection/execution 
> vulnerability-
> 
> 
> > It has been identified a vulnerability in the Cisco IOS Web
> > Server. An attacker can inject arbitrary code in some of the
> > dynamically generated web pages. To succesfully exploit the
> > vulnerability the attacker only needs to know the IP of the
> > Cisco. THERE'S NO NEED TO HAVE ACCESS TO THE WEB SERVER! Once the
> > code has been inyected, attacker must wait until the admin browses
> > some of the affected web pages.
> 
> Isn't your exploit somewhat complicated?  Just put
> 
> <img 
> src="http://192.0.2.1/level/15/configure/-/enable/secret/mypassword"/>
> 
> on a web page, and trick the victim to visit it while he or she is
> logged into the Cisco router at 192.0.2.1 over HTTP.  This has been
> dubbed "Cross-Site Request Forgery" a couple of years ago, but the
> authors of RFC 2109 were already aware of it in 1997.  At that time,
> browser-side countermeasures were proposed (such as users examining
> the HTML source code *cough*), but current practice basically mandates
> that browsers transmit authentication information when following
> cross-site links.
> 
> Such attacks are probably more problematic on low-end NAT routers
> whose internal address defaults to 192.168.1.1 and which generally
> offer HTTP access, which makes shotgun exploitation easier.  So much
> for the "put your Windows box behind a NAT router" advice you often
> read.
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ