From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 8 Dec 2005 15:47:11 +0200
Subject: [NEWS] Cisco IOS HTTP Server Command Injection
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20051208165805.F042D588F@mail.tyumen.ru>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco IOS HTTP Server Command Injection
------------------------------------------------------------------------
SUMMARY
"The Cisco IOS Web browser interface (which enables the device to perform
as an HTTP server) allows configuration and monitoring of a router or
access server using any web browser." (http://www.cisco.com/)
Lack of user input filtering allows attackers to inject malicious code into
pages served by the Cisco IOS HTTP Server, allowing them to perform
cross-site scripting and execute arbitrary code on the HTTP server.
DETAILS
Vulnerable Systems:
* Cisco IOS HTTP Server version 11.0 through 12.4
Immune Systems:
* Cisco IOS XR
The Cisco IOS Web browser interface (which enables the device to perform
as an HTTP server) allows configuration and monitoring of a router or
access server using any web browser. This feature was introduced in IOS
11.0.
A vulnerability exists in the IOS HTTP server in which HTML code inserted
into dynamically generated output, such as the output from a "show
buffers" command, will be passed to the browser requesting the page. This
HTML code could be interpreted by the client browser and potentially
execute malicious commands against the device or other possible cross-site
scripting attacks. Successful exploitation of this vulnerability requires
that a user browse a page containing dynamic content in which HTML
commands have been injected.
In order to be vulnerable to the cross-site scripting attack, a user must
browse and view the content during the same period of time the injected
code exists in memory. On the other hand, if a user does not browse
contaminated dynamic content on the device, then exploitation is not
possible.
A proof of concept exploit exists for this vulnerability, in which the
exploit attempts to reset the enable password on the device. Even when the
attack targets the device itself, the user browsing tainted dynamic
content on the router will only be able to execute commands at or below
the privilege level for which they are authenticated and authorized on the
device.
This security advisory applies to all Cisco products that run Cisco IOS
Software versions 11.0 through 12.4 with the HTTP server enabled. A system
which contains the IOS HTTP server or HTTP secure server, but does not
have it enabled, is not affected.
To determine if the HTTP server is running on your device, issue the "show
ip http server status" and "show ip http server secure status" commands at
the prompt and look for output similar to:
Router>show ip http server status
HTTP server status: Enabled
If the device is not running the HTTP server, you should see output
similar to:
Router>show ip http server status
HTTP server status: Disabled
Workarounds:
Disable the HTTP server:
If the HTTP server is not used for any legitimate purposes on the device,
it is a best practice to disable it by issuing the following commands in
configure mode:
no ip http server
no ip http secure-server
Disable the HTTP WEB_EXEC service:
A feature was introduced in 12.3(14)T and later in which selective HTTP
and HTTPS services could be enabled or disabled. Two typical services are
WEB_EXEC and the IOS Certificate Server (SCEP). The WEB_EXEC
service provides a facility to configure the box and retrieve current
state of the box from remote clients. The IOS Certificate Server service
provides a facility wherein remote clients can enroll and obtain Crypto
Certificates.
It is possible to disable the WEB_EXEC service while still leaving SCEP
running to serve Certificates. If an installation requires the use of the
SCEP service, the WEB_EXEC service may be disabled via the commands in
configure mode:
no ip http active-session-modules WEB_EXEC
no ip http secure-active-session-modules WEB_EXEC
Avoid the use of Web-based SHOW commands:
Successful exploitation of this vulnerability requires an unsuspecting
user to request dynamic content from the device via the "show" commands
which are available. Avoiding the use of those commands via the web
interface until an upgrade to fixed software is possible may be perfectly
legitimate for some installations.
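As an added example (not part of the Cisco or SecuriTeam advisory), the following Python helper applies the checks above offline: it parses the two status commands and a running-config fragment, decides whether an affected release is still serving WEB_EXEC, and lists which of the advisory's workaround commands remain to be applied. The "HTTP secure server status" line, the "version" config line and the way the session-module workaround appears in the config are assumptions; all sample input is constructed.

```python
import re

# Constructed sample transcripts modelled on the status checks quoted in the
# advisory; the "HTTP secure server status" line is an assumption.
SAMPLE_STATUS = "Router>show ip http server status\nHTTP server status: Enabled\n"
SAMPLE_SECURE_STATUS = ("Router>show ip http server secure status\n"
                        "HTTP secure server status: Disabled\n")
# Constructed running-config fragments; the "version" line and the way the
# session-module workaround appears in the config are assumptions.
CONFIG_WITH_WORKAROUND = """version 12.3
ip http server
no ip http secure-server
no ip http active-session-modules WEB_EXEC
"""
CONFIG_EXPOSED = "version 12.3\nip http server\nno ip http secure-server\n"

def version_in_affected_range(version):
    """True for IOS releases 11.0 through 12.4 (e.g. '12.3(14)T' -> 12.3)."""
    m = re.match(r"(\d+)\.(\d+)", version)
    return bool(m) and (11, 0) <= (int(m.group(1)), int(m.group(2))) <= (12, 4)

def server_enabled(status_output):
    """Parse a 'show ip http server [secure] status' transcript."""
    m = re.search(r"^HTTP (?:secure )?server status:\s*(\w+)", status_output,
                  re.M | re.I)
    return bool(m) and m.group(1).lower() == "enabled"

def assess(config, status_output, secure_status_output):
    """Combine version, server state and WEB_EXEC state into an exposure verdict
    plus the workaround commands from the advisory that still apply."""
    ver = re.search(r"^version\s+(\S+)", config, re.M)
    version = ver.group(1) if ver else "unknown"
    http_on = server_enabled(status_output)
    https_on = server_enabled(secure_status_output)
    exec_off_http = re.search(r"^no ip http active-session-modules WEB_EXEC$",
                              config, re.M) is not None
    exec_off_https = re.search(r"^no ip http secure-active-session-modules WEB_EXEC$",
                               config, re.M) is not None
    # Exposed only if an affected release serves WEB_EXEC over HTTP or HTTPS.
    exposed = version_in_affected_range(version) and (
        (http_on and not exec_off_http) or (https_on and not exec_off_https))
    fixes = []
    if http_on:
        fixes += ["no ip http server", "no ip http active-session-modules WEB_EXEC"]
    if https_on:
        fixes += ["no ip http secure-server",
                  "no ip http secure-active-session-modules WEB_EXEC"]
    return {"version": version, "http_enabled": http_on, "https_enabled": https_on,
            "exposed": exposed, "workarounds": fixes if exposed else []}
```

Feed it the real transcripts and running-config of a device to get a per-device verdict; the regexes only need the lines the advisory itself quotes.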
ADDITIONAL INFORMATION
The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml