首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
The Cisco IOS HTTP server is vulnerable to cross site scripting within invalid p
来源:http://www.procheckup.com/ 作者:Pastor 发布时间:2009-01-15  
PR08-19: XSS on Cisco IOS HTTP Server

Date found: 1st August 2008

Vendor contacted: 1st August 2008

Advisory publicly released: 14th January 2009

Severity: Medium

Credits: Adrian Pastor of ProCheckUp Ltd (www.procheckup.com)

Description:

Cisco IOS HTTP server is vulnerable to XSS within invalid parameters
processed by the "/ping" server-side binary/script.


Consequences:

An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to the HTTP server of a
Cisco device.

This type of attack can result in non-persistent defacement of the
target admin interface, or the redirection of confidential information
to unauthorised third parties. i.e.: by scraping the data returned by
the '/level/15/exec/-/show/run/CR' URL via the XMLHttpRequest object.

It might also be possible to perform administrative changes by
submitting forged commands (CSRF) within the payload of the XSS attack.
i.e.: injecting an 'img' tag which points to
'/level/15/configure/-/enable/secret/newpass' would change the enable
password to 'newpass'.


Notes:

1. The victim administrator needs to be currently authenticated for this
vulnerability to be exploitable

2. In order to exploit this vulnerability successfully, the attacker
only needs to know the IP address of the Cisco device. There is NO need
to have access to the IOS HTTP server

Proof of concept (PoC):

http://192.168.100.1/ping?<script>alert("Running+code+within+the_context+of+"%2bdocument.domain)</script>


Content of HTML body returned:

<BODY BGCOLOR=#FFFFFF><H2>test-router</H2><HR><DT>Error: URL syntax:
?<script>alert("Running code within the_context of
"+document.domain)</script></BODY>

Successfully tested on:

Cisco 1803
Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version
12.4(6)T7, RELEASE SOFTWARE (fc5)


Assigned Cisco Bug ID#:

CSCsr72301

CVE reference:

CVE-2008-3821


References:

http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19
http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml

Fix:

Please see Cisco advisory for information on available updates.


Legal:

Copyright 2009 ProCheckUp Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if the Bulletin is not changed or edited in any way, is attributed
to ProCheckUp indicating this web page URL, and provided such
reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. ProCheckUp is not
liable for any misuse of this information by any third party. ProCheckUp
is not responsible for the content of external Internet sites.

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·NetSurf version 1.2 hspace rem
·NetSurf Web Browser 1.2 Multip
·NetSurf version 1.2 width remo
·NetSurf version 1.2 remote mem
·Joomla com_Eventing 1.6.x Blin
·Oracle TimesTen Remote Format
·Ciansoft PDFBuilderX 2.2 Activ
·Oracle Secure Backup 10g exec_
·Blue Eye CMS <= 1.0.0 (clanek)
·phosheezy 2.0 Remote Command E
·Novell Netware 6.5 ICEbrowser
·AAA EasyGrid ActiveX 3.51 Rem
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved