[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BFD4D243999BA5458F6A8AC2CB3575050132CFDD@xmb-hkg-416.apac.cisco.com>
Date: Sat, 17 Jun 2006 18:51:38 +0800
From: "Paul Oxman (poxman)" <poxman@...co.com>
To: <liam.romanis@...fujitsu.com>, <bugtraq@...urityfocus.com>
Subject: RE: Cisco Secure ACS Cross Site Scripting Vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
This is Cisco PSIRT response to the statements made by Thomas
Liam Romanis of Fujitsu Services Limited in their posting to BugTraq on
the 15th June 2006, regarding Cisco Secure ACS LoginProxy.CGI Cross-Site
Scripting Vulnerability, located at
http://www.securityfocus.com/bid/18449/info.
An official response is location at:
http://www.cisco.com/warp/public/707/cisco-sr-20060615-acs.shtml
This vulnerability is addressed by Cisco Bug ID:
* CSCsd50560 -- ACS LogonProxy.cgi vulnerable to Cross Site
Scripting attacks.
We would like to thank Thomas Liam Romanis and Fujitsu Services
Limited for reporting this vulnerability to us.
We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.
Additional Information
======================
Cisco Secure Access Control Server (ACS) is a centralized user access
control framework. Cisco Secure ACS offers centralized command and
control for all user authentication, authorization, and accounting
(AAA pronounced "triple A") services to network devices that function
as AAA clients.
Cisco Secure ACS for UNIX LogonProxy.cgi is vulnerable to Cross Site
Scripting (XSS) attacks via both HTML GET and POST requests.
This vulnerability affects only Cisco Secure ACS for Unix.
Cisco Secure ACS for Windows and Cisco Secure ACS Solution Engine are
not affected.
This vulnerability could be used to redirect the ACS administrative
users to another host which could be used to proxy logon requests
back to the bona fide ACS server while harvesting administrative
user credentials.
Solution
========
Download and apply patch for CSCsd50560, which is located on
Cisco.com at:
http://www.cisco.com/cgi-bin/tablebuild.pl/cspatchunix-3des
Instructions for applying the patch are found at the same location.
The following best practices will help mitigate the risks of this
vulnerability:
* Ensure that only IP addresses of trusted administrator hosts can
access the Cisco Secure ACS server.
* Prevent access to the web component of the ACS server over the
Internet.
Regards
Paul Oxman
Cisco Systems PSIRT
- -----Original Message-----
From: liam.romanis@...fujitsu.com [mailto:liam.romanis@...fujitsu.com]
Sent: Friday, 16 June 2006 1:03 AM
To: bugtraq@...urityfocus.com
Subject: Cisco Secure ACS Cross Site Scripting Vulnerability.
FUJITSU SERVICES SECURITY ADVISORY
DATE: 27-01-2006
AUTHOR: THOMAS LIAM ROMANIS
VENDOR: Cisco
PRODUCT: Cisco Secure ACS
VERSION(S) TESTED: Cisco Secure ACS version 2.3 UNIX hosted on Netscape
FastTrack Server version 2.01c on Sun Solaris 8.0
TITLE: Cisco Secure ACS LogonProxy.cgi Cross Site Scripting
vulnerability.
Summary:
Cisco Secure ACS LoginProxy.cgi has been found to be vulnerable to Cross
Site Scripting attacks via both GET and POST requests due to a failure
to properly filter undesirable user input. Successful exploitation could
result in a loss of privacy of sensitive data, such as usernames and
passwords.
Detail:
Exploitation of this type of attack relies on the attacker's ability to
inject code (in this case java script) into the HTML that is delivered
to the user's Internet Browser. In this case it is possible to craft
POST and GET requests to LogonProxy.CGI that result in detailed errors
being presented in which the requested URL (or Query) is displayed.
Thus, it is possible to inject java script into the error message which
could be utilised to execute a Cross Site Scripting attack.
In this case the attack could not be used to steal session information
(as it is commonly used) but it could be used to redirect the user to
another host. A possible scenario would be that the user is redirected
to a host owned by the attacker which hosts a copy of the Cisco Secure
ACS front end. This would then be used to proxy logon requests back to
the bone fide server whilst harvesting administrative user credentials.
Exploitation:
The following test scripts could be used to ascertain whether the system
under test is vulnerable:
1. POST Request.
POST http://10.17.12.184:80/CScgi/LogonProxy.cgi HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, */*
Referer: http://10.17.12.184/cs/index.html
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.0.3705; .NET CLR 1.1.4322)
Host: 10.17.12.184
Content-Length: 33
Pragma: no-cache
Server=0.0.0.0&error=<script>alert("help")</script>
2. GET Requests.
http://10.17.12.184/CScgi/LogonProxy.cgi?Server=0.0.0.0&error=<script>al
ert("help")</script>
http://10.17.12.184/CScgi/LogonProxy.cgi?Server=10.17.12.184/Logon?null&
SSL=<script>alert('help')</script>
http://10.17.12.184/CScgi/LogonProxy.cgi?Ok=<script>alert('help')</scrip
t>
Recommendations: (Until patch information is available).
These recommendations are based on Cisco Secure ACS being used on an
internal network rather than an internet facing system.
* If possible reconfigure the system so that detailed error
messages are not displayed in the user's internet browser.
* Network Architecture Design should ensure that only the IP
addresses of hosts used by bone fide Cisco Secure ACS
users/Administrators can connect to these services.
* Consider dissemination of the attack string along side of
controls in place on systems such as e-mail (spoofing and HTML e-mail),
Vulnerable web services (publication/uploading of malicious code),
exploitable applications (eg: guestbooks) and code published in MS
Office document types.
* Consider whether current controls on desktops and servers are
adequate to prevent users from installing and controlling their own
network services.
Recommendations supplied to the Vendor:
Logonproxy.cgi needs to have addition code added to filter out
undesirable requests. The characters which should be filtered in all
forms (i.e. ASCII and UNICODE etc) to avoid Cross Site Scripting attacks
are: <,>,>,<,(,),",/,=,:,;,
Vendor Recommendations:
A new version of fastadmin.zip will be made available by Cisco at the
following location:
http://www.cisco.com/warp/public/707/cisco-sr-20060615-acs.shtml
Once you have downloaded this follow these instructions:
Steps to install the patch:
===========================
1) Stop the Ciscosecure process using $BASEDIR/utils/kcs
2) Create a backup of the existing file $BASEDIR/FastAdmin/fastadmin.zip
3) Copy the patch(fastadmin.zip) to the location $BASEDIR/FastAdmin
4) Start the CiscoSecure process using $BASEDIR/utils/scs
Final Comments:
Fujitsu Services would like to thank Paul Oxman and Cisco for their
cooperation and professionalism.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBRJPeslNe5xf4YEH7EQKwTQCdFz964bRw3kNCcVXmmW1w067tTRYAnjQI
jjvLrnv49chyepdTUaVqgJlV
=S3dw
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists