It has been a few days since I made the video of the Cisco exploits I have written and now it is time to release the details and actual exploit codes.
The most vulnerable targets are Cisco administrators using Safari; for them these exploits are near "auto-pwn". Safari in general seems focused on functionality and usability much, much more than on security anyway.
Cisco routers with the HTTP administration interface enabled are vulnerable to a CSRF (Cross-Site Request Forgery) vulnerability that can yield remote command execution with level 15 privileges.
An attacker can execute ANY command on the router with level 15 (root, same as enable) privileges (the HTTP user is usually level 15 by default) by getting a target user (an administrator, for example) to view a web page that has the exploit embedded. The exploits can be modified so that, when the page they are embedded in loads, they execute both exec and configure commands on the Cisco router. These exploits have been tested on a Cisco 871 router running IOS 12.4 but are assumed to work universally on any router configured to use the HTTP interface.
These exploits have been tested in the following situations:
1) A tab with the router's HTTP administration interface is open somewhere in the browser.
2) The session with the router's HTTP admin interface is still active.
3) The browser has the credentials saved (no prompts with Safari).
4) Nearly any other situation where the target visits the page (but without 1, 2 or 3 a prompt will usually pop up asking for credentials).
Basically, the target views the page where the exploit is embedded; the exploit triggers with the specified command and sends it to the router to be executed. As long as the session is active, another tab is open with the router interface, or the credentials are saved in Safari (and Safari is happy to keep things easy for us with no prompts), the exploit should succeed and the attacker will have executed commands with full privileges on the Cisco router.
There are two exploits:
Exploit #1 (ciscOWN1.htm):
Exec mode commands. Just specify the router's address and the command you want executed.
Exploit #2 (ciscOWN2.htm):
Configure mode commands. Just specify the router's address and the command you want executed.
Now, unfortunately, this doesn't look easy to fix, so don't expect a patch soon. One way to fix this bug would be to check the referrer; that would probably be the easiest. But even then it's not foolproof. Cisco administrators, you're smart... be safe.
You can get the exploit codes at Milw0rm.
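The referrer check suggested above, written out as an added example (this is not the post's code and not how Cisco IOS behaves; the management address, the sample requests and the Origin header handling are assumptions). It shows why the check is only a partial fix: a strict policy rejects any request without an Origin/Referer, while a lenient policy that tolerates a missing header lets a forged request through whenever the Referer has been stripped.

```python
from urllib.parse import urlsplit

# Constructed values for this example: the router's management address is an
# assumption, and the headers below are made-up requests, not captured traffic.
DEVICE_HOST = "192.0.2.1"

def request_origin(headers):
    """Return 'scheme://netloc' from the Origin header, else from Referer, else None."""
    origin = headers.get("Origin")
    if origin:
        return origin.strip().rstrip("/").lower()
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer.strip())
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None

def allow_request(headers, device_host=DEVICE_HOST, reject_missing=True):
    """Decide whether a request to the admin interface may execute a command.

    Every request is checked, with no 'safe method' exemption, because the
    interface described in the post executes commands on a plain page load.
    Strict policy (reject_missing=True): no Origin/Referer means no execution.
    Lenient policy (reject_missing=False): headerless requests are let through,
    which is exactly the gap a forged request with a stripped Referer falls into.
    """
    origin = request_origin(headers)
    if origin is None:
        return not reject_missing
    # Exact hostname match: a look-alike such as 192.0.2.1.attacker.example
    # must not pass a prefix test, and an Origin of "null" has no hostname.
    return urlsplit(origin).hostname == device_host.lower()

# Constructed sample requests covering the situations discussed in the post.
SAMPLES = {
    "admin_own_tab":    {"Referer": "http://192.0.2.1/"},
    "cross_site_page":  {"Referer": "http://attacker.example/page.html"},
    "lookalike_host":   {"Referer": "http://192.0.2.1.attacker.example/"},
    "null_origin":      {"Origin": "null"},
    "referer_stripped": {},   # e.g. a privacy proxy or browser setting removed it
}

def evaluate_samples(reject_missing=True):
    """Map each sample name to the allow (True) / deny (False) decision."""
    return {name: allow_request(h, reject_missing=reject_missing)
            for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "lenient", evaluate_samples(strict))
```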
Tuesday, September 16, 2008