
Cisco SA500 multiple vulnerabilities

About Cisco Appliance

Cisco SA500 is a Small Business Pro security appliance that offers features such as firewall, IPS, VPN, email and web security. The appliance is managed via a web management console.

The vulnerabilities were tested on firmware V2.1.18 and are confirmed on the following devices:

  • SA 520
  • SA 520W
  • SA 540
Image of the SA500 appliance (source: Cisco.com)

Details

1. Remote, unauthenticated access to any user account on the device, including the admin account

A blind SQL injection in the login field of the web management login form (port 443, HTTPS; the backend is an embedded SQLite database) makes it possible to obtain:

  • all logins
  • all passwords (which are kept in the DB in plaintext)
  • other data from the embedded DB (configuration fragments, which may include further passwords, etc.).

The authentication mechanism appears to query the DB several times with different queries, so bypassing it with a single SQLi may not be straightforward. Retrieving the plaintext passwords, however, is possible. Exploiting the issue requires remote access to the web administration login form. A PoC is shown below.

Screenshot: PoC retrieving an arbitrary user's credentials via the login-form SQL injection

2. Privilege escalation to OS root level.

With access to any user account on the device (including the guest user), full OS root access can be obtained through command injection in the ping / traceroute / DNS lookup functions (see also the similar vulnerabilities in the WAG54G2 and RVS4000).

Screenshot: command injection through the ping function

Injection characters include:

  • ;
  • |
  • & (URL-encoded)
  • %0a (new line)
  • etc.

The web user interface rejects these characters, but the check can be bypassed by viewing / modifying the raw HTTP request.
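As an added illustration of the two flaws above (not code from the advisory or from the Cisco firmware), the following stdlib-only Python contrasts a string-built login query with a parameterised one, and shows an allow-list check for a ping target that cannot admit the metacharacters listed above. The users table and its contents are constructed stand-ins for the appliance's embedded DB.

```python
# Added example: hardened handling for a login-form SQLi and a ping command
# injection. Not the appliance's code; the user table is a constructed stand-in.
import re
import sqlite3


def make_db():
    """In-memory stand-in for the embedded user DB (plaintext password, as on the
    device; hashing it is a separate fix not shown here)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-pw')")
    return db


def login_vulnerable(db, login, password):
    """Query built by string concatenation: user input is parsed as SQL."""
    q = f"SELECT 1 FROM users WHERE login='{login}' AND password='{password}'"
    return db.execute(q).fetchone() is not None


def login_fixed(db, login, password):
    """Parameterised query: input is only ever compared as data."""
    q = "SELECT 1 FROM users WHERE login=? AND password=?"
    return db.execute(q, (login, password)).fetchone() is not None


# Allow-list for a hostname / IPv4 ping target: letters, digits, '.' and '-',
# no leading '-' (so it cannot be read as an option), bounded length.
# ';', '|', '&' and newline can never match, whatever the UI did client-side.
_TARGET_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]{0,252}")


def ping_argv(target):
    """Return the argv list for a ping, or None if the target is rejected.
    Passing a list to subprocess.run (shell=False) means no shell parses it."""
    if _TARGET_RE.fullmatch(target) is None:
        return None
    return ["ping", "-c", "4", target]
```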

Vendor's reaction / issue history

  • 01.06.2011 - full disclosure sent to the vendor
  • 07.06.2011 - vulnerabilities confirmed
  • 20.06.2011 - patch issued by the vendor, Cisco public announcement
  • 25.06.2011 - public disclosure by Securitum


Thanks to Gaweł Mikołajczyk for providing test hardware.

Research / contact

  • We are researching the web management interfaces of network appliances. If you want to help, feel free to contact us at devices_hacking@securitum.pl

Disclaimer

  • All information is provided for educational use only.
  • We strongly discourage using this information for cracking / illegal purposes.
  • We are not responsible for damage done to your router; play with your router carefully.


Michal Sajdak
michal.sajdak@securitum.pl
