|
PR08-19: XSS on Cisco IOS HTTP Server
Date found: 1st August 2008
Vendor contacted: 1st August 2008
Advisory publicly released: 14th January 2009
Severity: Medium
Credits: Adrian Pastor of ProCheckUp Ltd (www.procheckup.com)
Description:
Cisco IOS HTTP server is vulnerable to XSS within invalid parameters
processed by the "/ping" server-side binary/script.
Consequences:
An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to the HTTP server of a
Cisco device.
This type of attack can result in non-persistent defacement of the
target admin interface, or the redirection of confidential information
to unauthorised third parties. i.e.: by scraping the data returned by
the '/level/15/exec/-/show/run/CR' URL via the XMLHttpRequest object.
It might also be possible to perform administrative changes by
submitting forged commands (CSRF) within the payload of the XSS attack.
i.e.: injecting an 'img' tag which points to
'/level/15/configure/-/enable/secret/newpass' would change the enable
password to 'newpass'.
Notes:
1. The victim administrator needs to be currently authenticated for this
vulnerability to be exploitable
2. In order to exploit this vulnerability successfully, the attacker
only needs to know the IP address of the Cisco device. There is NO need
to have access to the IOS HTTP server
Proof of concept (PoC):
http://192.168.100.1/ping?
Content of HTML body returned:
test-router