Cisco SA500 multiple vulnerabilities
About the Cisco appliance
The Cisco SA500 is a Small Business Pro security appliance offering firewall, IPS, VPN, email and web security capabilities. The appliance is managed through a web management console.
The vulnerabilities were tested on firmware V2.1.18 and are confirmed on the following devices:
- SA 520
- SA 520W
- SA 540

Details
1. Remote, unauthenticated access to any user account on the device, including the admin account
Due to a blind SQL injection in the login form of the web management interface (port 443, HTTPS, login field, embedded SQLite DB), it is possible to obtain:
- all logins
- all passwords (which are kept in the DB in plaintext)
- other data from the embedded DB (parts of the configuration, which may include further passwords, etc.).
The authentication mechanism appears to query the DB several times (with different queries), so bypassing it with a single SQL injection may not be straightforward. Retrieving the plaintext passwords is, however, possible. Exploiting the issue requires remote access to the web administration login form. PoC is presented below.
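The two root causes named above are a login query built from the submitted string and passwords stored in plaintext. The following is an added illustration, not code from the SA500 firmware or from the advisory: it puts a string-built SQLite login lookup next to a parameterised one that stores only a salted hash. Table and column names are made up for the demo. The same binding of parameters also neutralises the boolean probes that a blind injection relies on, because the login field can no longer change the shape of the query.

```python
"""String-built login query (the flaw class described above) beside a
parameterised, hashed-password version. Added example; the schema and the
sample account are constructed, not taken from the appliance."""
import hashlib
import hmac
import os
import sqlite3


def _hash(password, salt):
    # Salted PBKDF2 so a DB dump no longer yields usable credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_db():
    # In-memory stand-in for the embedded DB, with one constructed account.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    con.execute("CREATE TABLE users_hashed (name TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")   # plaintext: the weak design
    salt = os.urandom(16)
    con.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
                ("admin", salt, _hash("S3cret!", salt)))
    con.commit()
    return con


def login_vulnerable(con, user, password):
    # BAD: the login field is spliced into the SQL text, so whoever submits the
    # form controls the query; the plaintext password is compared in SQL too.
    query = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (user, password)
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(con, user, password):
    # GOOD: bound parameters keep the input as data, so quotes, comments and
    # keywords in the login field are matched literally as part of the name.
    row = con.execute("SELECT salt, pwhash FROM users_hashed WHERE name = ?", (user,)).fetchone()
    if row is None:
        return None
    salt, stored = row
    # Constant-time comparison of the derived hash against the stored one.
    return user if hmac.compare_digest(_hash(password, salt), stored) else None


def demo():
    """Run both lookups against a valid login and against the textbook
    injection input that closes the string literal and comments out the rest."""
    con = _make_db()
    injected_user = "x' OR 1=1 --"
    return {
        "vuln_valid": login_vulnerable(con, "admin", "S3cret!"),
        "vuln_injected": login_vulnerable(con, injected_user, "wrong"),
        "hard_valid": login_hardened(con, "admin", "S3cret!"),
        "hard_injected": login_hardened(con, injected_user, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-14s -> %r" % (name, result))
```

With the vulnerable lookup the injected name logs in as `admin` without a password; with the parameterised lookup the same input simply matches no user. Because the hardened table holds only salted hashes, even a successful dump of the DB through some other flaw would not expose the passwords themselves.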
2. Privilege escalation to OS root level.
With access to any user account on the target system (including the guest user), it is possible to obtain full OS root access through command injection in the ping/traceroute/DNS lookup functions (see also the similar vulnerabilities in the WAG54G2 and RVS4000).
Injection characters include:
- ;
- |
- & (in URL percent-encoding)
- %0a (newline)
- etc.
The user interface rejects such characters, but viewing and editing the raw HTTP requests bypasses that restriction.
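The restriction being bypassed here lives in the browser, so the server still hands the raw value to a shell. As an added illustration (not code from the appliance or from the advisory; the function names are made up), the following shows a diagnostic-tool handler in the shell-string style next to a hardened version that URL-decodes first, validates the host server-side as an IP address or hostname, and builds an argument vector instead of a command line. Each of the separator characters listed above is exercised in percent-encoded and raw form.

```python
"""Ping/traceroute/lookup handler: shell-string pattern beside a hardened
version. Added example; the inputs below are constructed test values."""
import ipaddress
import re
import urllib.parse

# One hostname label (RFC 1123 style): letters, digits, hyphens, 1..63 chars,
# no leading or trailing hyphen. fullmatch() is used so a newline can't hide
# behind a '$' anchor.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_host(raw):
    """Return the decoded host if it is a valid IP address or hostname,
    otherwise raise ValueError. Decoding happens before validation so
    %3B, %7C, %26 and %0a are judged as ';', '|', '&' and newline."""
    host = urllib.parse.unquote(raw).strip()
    if not host or len(host) > 253:
        raise ValueError("empty or too long")
    try:
        return str(ipaddress.ip_address(host))      # IPv4 or IPv6 literal
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    if all(_LABEL.fullmatch(label) for label in labels):
        return host
    raise ValueError("invalid host: %r" % host)


def is_safe_host(raw):
    try:
        validate_host(raw)
        return True
    except ValueError:
        return False


def ping_command_vulnerable(raw):
    # BAD: the submitted value is pasted into a command line meant for a shell;
    # ';', '|', '&' and a newline all end the ping command and start another.
    return "ping -c 4 " + urllib.parse.unquote(raw)


def ping_command_hardened(raw):
    # GOOD: a validated host becomes a single argv element. Run it as
    # subprocess.run(argv, shell=False, timeout=10); no shell ever parses it.
    # validate_host() also rejects a leading '-', so the host cannot be
    # mistaken for a ping option.
    host = validate_host(raw)
    return ["ping", "-c", "4", host]


if __name__ == "__main__":
    for sample in ("192.168.1.1", "www.example.com", "192.168.1.1%3Bid",
                   "192.168.1.1|id", "192.168.1.1%26id", "192.168.1.1%0aid", "-c"):
        print("%-20r shell string: %-28r safe: %s"
              % (sample, ping_command_vulnerable(sample), is_safe_host(sample)))
```

The point the validator makes is that the check has to run on the server, after decoding, and that argument vectors remove the shell from the path entirely; an allow-list of what a host may look like is far easier to get right than a deny-list of separator characters, which is exactly the list an attacker extends with "etc."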
Vendor's reaction / issue history
- 01.06.2011 - full disclosure sent to the vendor
- 07.06.2011 - vulnerabilities confirmed
- 20.06.2011 - patch issued by the vendor, Cisco public announcement
- 25.06.2011 - public disclosure by Securitum
Thanks to Gaweł Mikołajczyk for providing test hardware.
Research / contact
- We are performing research on the web management interfaces of network appliances. If you want to help, feel free to contact us at devices_hacking@securitum.pl
Disclaimer
- All the information is provided for educational use only.
- We strongly discourage using this information for cracking or other illegal purposes.
- We are not responsible for damage done to your router - experiment with your router carefully.
michal.sajdak@securitum.pl