lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201107270843.p6R8hIVP019900@sf01web3.securityfocus.com>
Date: Wed, 27 Jul 2011 08:43:18 GMT
From: michal.sajdak@...uritum.pl
To: bugtraq@...urityfocus.com
Subject: SA500 vulnerabilities - details

Hi

Advisory by Cisco was published a few days ago (Bugtraq ID: 48810).

Now more details:

1. Unathenticated access to web management (any user - including admin).
Due to blind SQLi in the login form of web management (port 443, https,
login field, embedded sqlite DB), there is possible to obtain:

a) all logins
b) all passwords (which are kept in the DB in plaintext)
c) other data stored in internal DB

2. Privilege escalation to OS root level.

Having access to any user on the target system (including guest user),
it is possible to get full OS root access by injection in ping/traceroute/dns lookup
functionalities.

User interface prohibits such injections, but viewing / modifying http
requests in raw form allows to bypass that restriction.

More datailed information - including screenshots: 
http://www.securitum.pl/dh/cisco_sa500_hacking

--
Michal Sajdak, Securitum

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ