procheckup logo
sidebar_boxes_image

Contact Us

Find out more information about ProCheckUp click here.


sidebar_boxes_image

Services

Find out more about ProCheckUp services here.


sidebar_boxes_image

Events

  • PCI DSS User Group meeting

    Neira Jones will be speaking on Barclaycards current approach to PCI and offering advice and guidance to merchants.

Click here to see more events.

Vulnerabilities 2009


PR08-19 XSS on Cisco IOS HTTP Server


  • Advisory publicly released: Wednesday, 14 January 2009
  • Vulnerability found: Friday, 1 August 2008
  • Vendor informed: Friday, 1 August 2008
  • Severity level: Medium
  • Credits
    Adrian Pastor of ProCheckUp Ltd (www.procheckup.com)
  • Description
    Cisco IOS HTTP server is vulnerable to XSS within invalid parameters processed by the "/ping" server-side binary/script.
  • Proof of concept
    http://192.168.100.1/ping?<script>alert("Running+code+within+the_context+of+"%2bdocument.domain)</script>

    Content of HTML body returned:

    <BODY BGCOLOR=#FFFFFF><H2>test-router</H2><HR><DT>Error: URL syntax: ?<script>alert("Running code within the_context of "+document.domain)</script></BODY>
  • How to fix
    Please see Cisco advisory for information on available updates.
  • Consequences
    An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to the HTTP server of a Cisco device.

    This type of attack can result in non-persistent defacement of the target admin interface, or the redirection of confidential information to unauthorised third parties. i.e.: by scraping the data returned by the '/level/15/exec/-/show/run/CR' URL via the XMLHttpRequest object

    It might also be possible to perform administrative changes by submitting forged commands (CSRF) within the payload of the XSS attack. i.e.: injecting an 'img' tag which points to '/level/15/configure/-/enable/secret/newpass' would change the enable password to 'newpass'
  • Notes
    1. The victim administrator needs to be currently authenticated for this vulnerability to be exploitable

    2. In order to exploit this vulnerability successfully, the attacker only needs to know the IP address of the Cisco device. There is NO need to have access to the IOS HTTP server
  • Sucessfully tested on
    Cisco 1803
    Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(6)T7, RELEASE SOFTWARE (fc5)

    Cisco has confirmed that this vulnerability affects 12.1E based trains and all Cisco IOS releases after 12.2(13)T. Please see Cisco advisory in the "References" section for more information.
  • Assigned Cisco Bug ID#
    CSCsr72301
  • CVE reference
    CVE-2008-3821
  • BID
    33260
  • References


    http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19


    http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml


  • Legal
    Copyright 2009 ProCheckUp Ltd. All rights reserved.

    Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp indicating this web page URL, and provided such reproduction and/or distribution is performed for non-commercial purposes.

    Any other use of this information is prohibited. ProCheckUp is not liable for any misuse of this information by any third party. ProCheckUp is not responsible for the content of external Internet sites.