COMMAND

Cisco ACS web interface vulnerabilities

SYSTEMS AFFECTED

The affected product is Cisco Secure Access Control Server for Windows releases 2.6.x and ACS 3.0.1 (build 40).

PROBLEM

In Cisco Security Advisory [http://www.cisco.com/warp/public/707/ACS-Win-Web.shtml]:

There are two different vulnerabilities, as described by the Bug IDs below. The first can lead to execution of arbitrary code and the second can be used to reveal customer data.

* By connecting to port 2002 and sending a crafted URL it is possible to, in a less severe case, kill the CSADMIN module or, in a severe case, to execute arbitrary user-supplied code. The functionality of authentication, authorization, and accounting (AAA) is not affected by termination of the CSADMIN module. This means that users will be able to authenticate normally. Only the administration function will be affected. Port 2002 is used by the CSADMIN module for remote administration.

  By providing a URL containing formatting symbols (for example, %s, %p) it is possible to execute user-provided code. This technique is described in the following article: http://www.securityfocus.com/archive/1/66842

  This vulnerability is documented as Cisco Bug IDs CSCdx17622 and CSCdx17683. By exploiting the format vulnerability an attacker may execute arbitrary code on the machine. This code will be executed in the same context as the CSADMIN process, and that is Administrator. Executing arbitrary code will lead to a total compromise of the machine.

* The other vulnerability can lead to unauthorized disclosure of data. By using "..\.." in the URL it is possible to access data in any directory outside the Web root directory but on the same hard disk or disk partition. With this technique it is possible to access only the following file types: html, htm, class, jpg, jpeg or gif. Please note that an attacker must know the exact location and file name. It is not possible to browse a directory this way.

  This vulnerability is documented as Cisco Bug IDs CSCdx17689 and CSCdx17698. By exploiting the directory traversal vulnerability an attacker can gain unauthorized access to information in one of the following file types: html, htm, class, jpg, jpeg or gif. The main issue may be html files with hardcoded passwords or other sensitive information.

Exploit:
========

This is based on the iXsecurity Security Vulnerability Report [http://www.ixsecurity.com] by Patrik Karlsson.

Cisco Secure ACS has a webserver interface listening on port 2002. It is possible for a logged-in user to read files outside the web directory. After a successful login, one could supply e.g.

  http://<ip>:<dynamicport>/..\..\..\..\..\..\temp\temp.class

to read the contents of the file temp.class in the folder temp on the same volume that the software is installed on.

-or-

  http://servername:9090///

SOLUTION

Both vulnerabilities are fixed by the patched CSAdmin.exe file available at:

  http://www.cisco.com/cgi-bin/tablebuild.pl/cs-acs-win

The file names are: CSAdmin-patch-2.6-4-4.zip and CSAdmin-patch-3.0-1-40.zip.
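The traversal flaw above is an extension allowlist with no containment check: backslash-separated `..` segments still leave the web root. The following added example (not Cisco's or iXsecurity's code) models that weak check next to a hardened one, and adds a request-line classifier for both flaws in the advisory; the web root path and sample requests are constructed.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed web root for the example; the real CSAdmin path is not given in the advisory.
WEB_ROOT = "/srv/csadmin/www"
# File types the advisory says the traversal could reach.
SERVED_TYPES = {".html", ".htm", ".class", ".jpg", ".jpeg", ".gif"}


def _to_posix(url_path: str) -> str:
    """Decode the URL path and treat Windows '\\' as a separator, as the
    Windows filesystem behind CSAdmin does."""
    return unquote(url_path).replace("\\", "/")


def weak_resolve(url_path: str) -> Optional[str]:
    """Models the flawed behaviour described in the advisory: only the file
    extension is filtered and the path is joined to the web root as-is,
    so '..\\..' segments walk out of the web root."""
    rel = _to_posix(url_path).lstrip("/")
    if posixpath.splitext(rel)[1].lower() not in SERVED_TYPES:
        return None
    return posixpath.normpath(posixpath.join(WEB_ROOT, rel))


def safe_resolve(url_path: str) -> Optional[str]:
    """Hardened version: same extension filter, plus a containment check
    on the normalised absolute path."""
    rel = _to_posix(url_path).lstrip("/")
    if posixpath.splitext(rel)[1].lower() not in SERVED_TYPES:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, rel))
    # Reject anything that normalises to a location outside the web root.
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


# Detection: indicators for the two CSAdmin flaws in a decoded request path.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
FORMAT_TOKENS = re.compile(r"%[sp]")  # the format specifiers named in the advisory


def classify_request(url_path: str) -> List[str]:
    """Return the indicator classes found in a request path (empty if clean)."""
    decoded = unquote(url_path)
    hits = []
    if TRAVERSAL.search(decoded):
        hits.append("traversal")
    if FORMAT_TOKENS.search(decoded):
        hits.append("format-string")
    return hits
```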