________________________________________________________________________ Recurity Labs GmbH http://www.recurity-labs.com entomology@recurity-labs.com Date: 12.03.2008 ________________________________________________________________________ Vendor: Cisco Systems Product: Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application Vulnerability: Multiple remote pre-authentication buffer overflows Cross Site Scripting issue Affected Releases: ACS 3 and 4, UCP v3.3.4.12.5, CSuserCGI 3.3.1 NOT Affected Releases: UCP 4.2 and above Severity: HIGH CVE: CVE-2008-0532, CVE-2008-0533 ________________________________________________________________________ Vendor communication: 20.11.2007 Initial notification to PSIRT 20.11.2007 Response from PSIRT, PGP encrypted to PSIRT only 26.11.2007 Response from Paul Oxman / PSIRT 26.11.2007 Even more detailed information to Paul Oxman 27.11.2007 Received new PGP keys from PSIRT 27.11.2007 Retransmit 28.11.2007 Paul Oxman reports they are working on it 28.11.2007 Fix discussions with Paul Oxman 29.11.2007 Paul Oxman provides Cisco Bug IDs 29.11.2007 Fix discussions with Paul Oxman 12.12.2007 Fixed version provided for testing 13.12.2007 Feedback to the fixed code 14.12.2007 Paul Oxman acknowledges feedback 17.12.2007 Paul Oxman reports internal progress 17.12.2007 More feedback 08.01.2008 Paul Oxman reports internal progress 08.01.2008 ACK 30.01.2008 Paul Oxman proposes advisory release date 30.01.2008 Acknowleding advisory release date 27.02.2008 Paul Oxman updates on progress 27.02.2008 ACK 05.03.2008 Paul Oxman sends draft Cisco advisory 05.03.2008 Sending draft Recurity Labs advisory 06.03.2008 Paul Oxman provides fixed release version 06.03.2008 Final communication with Paul Oxman 12.03.2008 Coordinated release ________________________________________________________________________ Overview: Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application is a set of CGI programs and web site contents installed on Microsoft IIS. From the Cisco Advisory: "The UCP application enables end users to change their ACS passwords with a web-based utility. When users need to change their own passwords, they can access the UCP web page by using a supported web browser, validate their existing credentials, and then change their password via the utility." The CGI /securecgi-bin/CSUserCGI.exe suffers from multiple buffer overflows exploitable remotely through the HTTP protocol before authentication. Additionally, CSUserCGI.exe suffers from a non-persistent Cross Site Scripting vulnerability. Description: The main() function of CSuserCGI.exe compares the first command line argument passed to the program using strcmp() against a list of supported arguments, among them "Logout", "Main", "ChangePass", etc. For most of the aguments, it will simply parse the following arguments and pass them to a wsprintf() call with format strings like "Action=%s&Username=%s&OldPass=%s&NetPass=%s". The destination buffer of these calls is located in the .data segment of the application. In case of the "Logout" argument, main() passes the second argument, usually of the form "1234.xyzab.c.username.", as well as a char[] buffer on the stack to a function that first extracts the string up to the first '.' character using strtok and then copies the string into the supplied char[] buffer. The char buffer is 96 bytes long. Accordingly, if the string before the first dot character exceeds this length, the buffer as well as the return address is overwritten. .text:00401065 mov eax, [ebx+8] ; get argv[2] .text:00401068 test eax, eax .text:0040106A jz loc_401520 .text:00401070 push eax ; char * .text:00401071 call sub_402870 ... .text:00402870 sub esp, 60h .text:00402873 mov ecx, 17h .text:00402878 xor eax, eax .text:0040287A push edi .text:0040287B lea edi, [esp+64h+var_60] .text:0040287F rep stosd .text:00402881 mov ecx, [esp+64h+arg_0] .text:00402885 stosw .text:00402887 stosb .text:00402888 lea eax, [esp+64h+var_60] .text:0040288C push eax ; int .text:0040288D push ecx ; char * .text:0040288E call sub_402940 ... .text:00402940 mov ecx, [esp+arg_0] .text:00402944 xor eax, eax .text:00402946 test ecx, ecx .text:00402948 jz locret_402A11 .text:0040294E push ebx .text:0040294F push esi .text:00402950 push edi .text:00402951 push offset a_ ; "." .text:00402956 push ecx ; char * .text:00402957 call _strtok .text:0040295C mov edi, eax .text:0040295E or ecx, 0FFFFFFFFh .text:00402961 xor eax, eax .text:00402963 mov ebx, [esp+14h+arg_4] .text:00402967 repne scasb .text:00402969 not ecx .text:0040296B sub edi, ecx .text:0040296D lea edx, [ebx+1] .text:00402970 mov eax, ecx .text:00402972 mov esi, edi .text:00402974 mov edi, edx .text:00402976 push offset a_ ; "." .text:0040297B shr ecx, 2 .text:0040297E rep movsd .text:00402980 mov ecx, eax .text:00402982 push 0 ; char * .text:00402984 and ecx, 3 .text:00402987 rep movsb Example: The following request will cause EIP to be overwritten with 0x42424242. The line may wrap, depending on how you view this file. https://target/securecgi-bin/CSUserCGI.exe?Logout+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB.xyzab.c.hacker. A non-persistent Cross Site Scripting vulnerability can also be triggered using the Help facility of the CGI. An example request would be as follows. The line may wrap, depending on how you view this file. https://target/securecgi-bin/CSUserCGI.exe?Help+00.lala.c.hacker%22%22%22%3E%3Ch1%3EHello_Cisco%3C/h1%3E Solution: Update to UCP version 4.2. See the Cisco Advisory for how to obtain fixed software: http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml ________________________________________________________________________ Credit: The vulnerabilities were identified by Felix 'FX' Lindner, Recurity Labs GmbH, during a cursory inspection of a customer installation of the ACS UCP product. Greets to the teams at Recurity Labs and Zynamics, Sergio Alvarez, Max Moser, Alexander Kornbrust, Maxim Salomon, Nicolas Fischbach, Karsten Schumann, Frank Becker, PSIRT, Paul Oxman, John Stewart ________________________________________________________________________ The information provided is released "as is" without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages. The contents of this advisory are copyright (c) 2008 Recurity Labs GmbH and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. ________________________________________________________________________