[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CA+CewVBs7UjABukiogVgDDPUz+8YHxTPSfDoKVP5hN5FdRy8Yg@mail.gmail.com>
Date: Wed, 19 Feb 2014 04:01:41 +0000
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, Daniel Wood <daniel.wood@...sp.org>
Subject: CISCO Systems Inc. Security Report,
Web App Vulnerabilities (XSS)
_____ .___ _________
/ _ \ | |/ _____/
/ /_\ \| |\_____ \
/ | \ |/ \
\____|__ /___/_______ /
\/ \/ Corporation
CISCO Systems Inc. Security Report
============================================================
Published Report: 19/02/2014
Credits: Advanced Information Security Corporation, USA
Severity: High/Critical (OWASP TOP 10)
Type: Web Application / Cross-Site Scripting Attack.
Author: Nicholas Lemonias. (Information Security Expert)
Vendor Overview
===========================
Cisco Systems, Inc. is an American multinational corporation headquartered
in San Jose, California, that designs, manufactures, and sells networking
equipment.
The stock was added to the Dow Jones Industrial Average on June 8, 2009,
and is also included in the S&P 500 Index, the Russell 1000 Index,
NASDAQ-100 Index and the Russell 1000 Growth Stock Index.
Cisco Systems was founded in December 1984 by two members of Stanford
University computer support staff: Leonard Bosack who was in charge of the
computer science department's computers,
and Sandy Lerner, who managed the Graduate School of Business' computers.
Coordinated Disclosure Timeline
==================================================
[-] 12th of August 2013 - Contacted Vendor regarding the security
realisation.
[+] 10th of September, 2013 - Vendor Acknowledged the problem.
[+] 11th of September, 2013 - Vendor issued a fix, and thanked us for our
efforts and responsible disclosure.
Description of the security realisation
=========================================
CISCO's Visitors, users and products entrust the vendor's website by
default.
The downloads directory in the public-facing online environment is
therefore, vulnerable to a web application type / cross-site scripting
vulnerability.
A page in the scope of software release updates is therefore vulnerable to
a cross-site scripting attack.
The input variable 'release', derived as part of the cisco software
downloads page does not filter metacharacters from user-input. This problem
results
in the reproduction and execution of third-party untrusted heterogeneous
code. The user and product confidentiality, integrity and availability of
information are impacted by this issue
as outlined by security standards and best security practise (ISO 27001).
Proof of Concept (PoC 1) / Affected Services
==============================================
http://www.cisco.com/download/release.html?catid=268438162&mdfid=281940730&os=Windows&release=
<script>alert(1);</script>&relind=AVAILABLE&rellifecycle=&reltype=latest&softwareid=282364316
Affected directory/script: /download/release.html
Injected Code to path fragment:
&release=<script>alert(1);</script>&relind=AVAILABLE&rellifecycle=&reltype=lastest&softwareid=282364316
Recommendations provided for Quality of Service
===============================================
A. The recommendations that have been made to CISCO Systems Inc. were in
good faith, and in support of quality of service and best security
practises.
The technical recommendations made are therefore, to consider encrypting
the view state of the application.
Furthermore to implement a stronger Cross-Site Scripting protection.
Apparently XSS filtering is not properly applied, and metacharacter
filtering allows data input over the HTTP protocol,
and the ability to inject third-party heterogeneous code, which is
untrusted, either in: Java-Script, Active-X or Visual Basic Script.
Please note that malicious adversaries could take advantage of such issues
- as we have seen in notable cases of malware and virus
propagation cases.
B. Our consultation to CISCO Systems Inc was therefore for an immediate
risk
assessment and thus to immediate review upper-level security policies in
accord to ISO 27001 and ISO 27002. This was followed kindly by the
team. We also consulted for a full review of the ISMS policy scope, and
revisiting of the vulnerable
SDLC application, and other subsidiary pages.
Cross Site Scripting attacks are present when a website allows
the injection of malicious data from a malicious user. The information
is often gathered in the form of a hyperlink. The hyperlink could
be disseminated either through email, social networking websites, forums
or other online sources. A malicious adversary could take advantage
of this vulnerability, for the mass exploitation of unsuspected users,
through malware and virus propagation. Malicious user can use defects
in the encoding methods, so that the payload is obfuscated.
Appendices
============================
A. Suggested the filtering of metacharacters.
B. Suggested the utilisation User-server encoding of < and > to < and
> in application output.
C. An XSS attack could embrace mass user and product attacks, phishing;
theft of private and confidential information such as credit cards,
passwords, and stored accounts.
D. Suggested Filtering < and > and using appropriate encoding methods.
We consulted for ( and ) to be changed, filtered and encoded to ( and
),
Example:
# and & converted to # (#) and & (&).
References
============================
OWASP. 2013. Cross Site Scripting (XSS) attacks, [ONLINE]
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011
OWASP. 2013. XSS Filter Evasion Cheat-Sheet, [ONLINE]
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet?, 2013.
Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at:
http://msdn.microsoft.com/en-us/library/ff649310.aspx.
** This vulnerability report is posted for the wider benefit of the
security community, as is and without any warranties, including that of the
warranty of merchantability and capability fit for a particular purpose.
The information is posted under the FOI as per best security practises.
*Copyright Advanced Information Security Corp ©, 2014*
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists