what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Cisco Meraki Systems Manager CSRF / XSS / Functionality Abuse

Cisco Meraki Systems Manager CSRF / XSS / Functionality Abuse
Posted Jan 29, 2015
Authored by Denis Andzakovic | Site security-assessment.com

Cisco Meraki Systems Manager suffers from cross site request forgery, abuse of functionality, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
systems | cisco
SHA-256 | 9c34baf2089dd34e016937a33e17e5155490db6c285d7340f4b9688fcc63d496

Cisco Meraki Systems Manager CSRF / XSS / Functionality Abuse

Change Mirror Download
(    , )     (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.

presents..

Cisco Meraki Systems Manager Multiple Vulnerabilities
Affected Versions: Cisco Meraki Systems Manager - Unknown Versions

PDF:
http://www.security-assessment.com/files/documents/advisory/Cisco_Meraki_Systems_Manager_Multiple_Vulnerabilities.pdf

+-------------+
| Description |
+-------------+

The Cisco Meraki Systems Manager system was found to suffer from a number of
vulnerabilities. A Cross Site Request Forgery vulnerability was discovered,
allowing an attacker to determine the registration code for an organisation's
Systems Manager instance or send out spam email. A Stored Cross Site Scripting
vulnerability was discovered, allowing a malicious end user running the
Systems Manager MDM software to stage Cross Site Scripting attacks against the
organisation's administrative users.

The Cisco Meraki Systems Manager administrative console was found to suffer
from a Mass Assignment vulnerability, allowing a malicious user to leverage
the "Backpack" functionality to automatically download and install arbitrary
applications to the end user devices. Additionally, legitimate updates for the
Systems Manager MDM software were found to be shipped over HTTP. This allows
an attacker to intercept and tamper the application package provided they have
access to the network communications somewhere between the client and the
Meraki cloud.


+--------------+
| Exploitation |
+--------------+

--[ Cross Site Request Forgery

The Cisco Meraki System Manager administrative console uses an ‘X-CSRF-Token’
HTTP header to protect against Cross Site Request Forgery attacks, however it
was found that this header is often not validated on the server side and can
simply be omitted. The following POC can be used to coerce an authenticated
user into sending an email containing arbitrary content to an arbitrary
address.

<html>
<body>
<form action="https://n85.meraki.com/Systems-Manager/n/Q6mExcvb/manage/configure/pcc_send_mdm_link/">
<input type="hidden" name="type" value="email" />
<input type="hidden" name="addr" value="ao367gnae9aer7ghb@mailinator.com" />
<input type="hidden" name="msg" value="Enroll in Meraki Systems Manager by opening this URL on your Android device:" />
<input type="hidden" name="platform" value="android" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

The CSRF POC on the previous page will send an invitation message to
‘ao367gnae9aer7ghb@mailinator.com’. An attacker may leverage this to enumerate
an organizations registration code and stage further attacks against the
Meraki deployment.

--[ Stored Cross Site Scripting

As Systems Manager relies on a certificate on the mobile device
(provisioned via SCEP during registration) to provide authentication. A
condition was discovered wherein a malicious user can retrieve the relevant
certificate and key and stage attacks against the Systems Manager
administrative console. This lead to a Stored Cross Site Scripting
vulnerability, where a malicious user may send a crafted request to
/android/callback with malicious JavaScript code in the system_model
parameter. The Mdm-Signature header is then recreated by the malicious user
and the payload sent. The Mdm-Signature header can be generated by using a
SpongyCastle content signer to generate a signature for the POST parameter
data.

The following is a request detailing the exploit. The system_model parameter
is the affected field. The parameter field has been shortened for brevities
sake.

POST /android/callback HTTP/1.1
Mdm-Signature: <Recreated MDM Signature>
Content-Length: <content length>
Content-Type: application/x-www-form-urlencoded
Host: <Meraki Host>
Connection: Keep-Alive

{snip}&system_model=Galaxy+XSS+%3cscript%3ealert(%27Malicious+Javascript%27)%3c%2fscript%3e{snip}

The certificate and key used to create the Mdm-Signature header can be found
under /data/data/com.meraki.sm/files/ on a provisioned Android
device. The password for the keystore is under the ‘scep_keystore_password’
shared preference.

In order to exploit this, the attacker must be registered against the
Meraki MDM instance (in order to have the correct certificate). This requires
the knowledge of a 10 digit enrollment code (xxx-xxx-xxxx). These need to be
brute forced or obtained via other means (invitation email, QR code,
etcetera).

--[ Backpack Mass Assignment

The ‘Backpack’ functionality of the Cisco Meraki Systems Manager can be abused
to install arbitrary APK files on users’ devices. This is achieved by using
mass assignment to define the ‘auto_download’ and ‘auto_install’ flags on a
specific item (in this case an APK file). This is done in the post to
/System-Manager/n/<id>/manage/configure/update_pcc_ios. Further information is
available in the PDF version of this advisory.

It should be noted that the management policy popup on the device disables the
back button once the user is prompted to install the arbitrary APK and access
back into the Meraki Systems manager application cannot be achieved without
tapping the 'install' button.

--[ Updates over HTTP

An attacker with access to network traffic between the device and the
Meraki servers may tamper the APK file used for updating. The update
notification specifies ‘http://dl.meraki.net/androidsm/AndroidSM.apk’ as the
document_url of the update. When an update is available, the
http://dl.meraki.com URL is requested by the application.

+----------+
| Solution |
+----------+

The Cisco Meraki Systems Manager cloud has been patched as deemed appropriate by Cisco.

+---------------------+
| Disclosure Timeline |
+---------------------+

13/10/2014 - Initial Advisory Sent to security@meraki.com
14/10/2014 - Response from Cisco acknowledging the advisory documents and
confirming the Updates over HTTP vulnerability.
14/10/2014 - Response from Cisco stating that "The ability to require the
download and installation of APK (and other files) is a feature of MDM
Administration, and does not on its own constitute a
vulnerability." In regards to the Mass Assignment vulnerability. Remaining
vulnerabilities acknowledged and more information requested.
17/10/2014 - Additional information sent to Cisco, as requested.
30/10/2014 - Request for Update
30/10/2014 - Response stating the Cross Site Request Forgery and Cross Site
Scripting vulnerabilities were resolved
29/01/2015 - Advisory Release

+-------------------------------+
| About Security-Assessment.com |
+-------------------------------+

Security-Assessment.com is Australasia's leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients include
some of the largest globally recognised companies in areas such as finance,
telecommunications, broadcasting, legal and government. Our aim is to provide
the very best independent advice and a high level of technical expertise while
creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development,
and its team continues to identify and responsibly publish vulnerabilities
in public and private software vendor's products. Members of the
Security-Assessment.com R&D team are globally recognised through their release
of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings,
contact us:

Web www.security-assessment.com
Email info () security-assessment com
Phone +64 4 470 1650




Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close