SecurityTracker.com

SecurityTracker
Archives
Category:   Application (Security)  >   Cisco Secure Access Control System
Vendors:   Cisco
Cisco Secure Access Control Server (ACS) Input Validation Flaw Lets Remote Users Conduct Cross-site Scripting Attacks Against ACS Administrators
SecurityTracker Alert ID:  1004546
SecurityTracker URL:  http://securitytracker.com/id/1004546
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 15 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 3.0(1), Build 40
Description:   An input validation vulnerability was reported in the Cisco Secure ACS RADIUS implementation. A remote user can conduct cross-site scripting attacks against administrators.

It is reported that the web server component of Cisco Secure ACS does not properly filter user-supplied input from the 'action' argument in the setup.exe handler. The report indicates that other arguments may also be affected but were not tested.

A remote user can create a URL that, when loaded by a Cisco Secure ACS administrator, will cause arbitrary scripting code to be executed by the administrator's browser. The code will appear to originate from the ACS web server and will run in the security context of that site. As a result, the code may be able to access the administrator's authentication cookies associated with that site (i.e., the ACS web interface) or to take actions on the web interface acting as the administrator.
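The pattern the advisory describes is a reflected cross-site scripting flaw: a query-string argument is copied into the response body without validation or encoding. The following is an added illustration written for this entry, not Cisco's code. It reuses the handler name (setup.exe) and the argument names (action, page, user) from the advisory; the allow-list of actions, the page markup, and the placeholder host 192.0.2.10:2002 (standing in for IP.ADD.RE.SS:dyn_port) are assumptions.

```python
"""Reflected XSS in an echoed query argument: the defect pattern beside its fix.

Constructed illustration for the advisory above; nothing here is Cisco's code.
The handler name 'setup.exe' and the argument names 'action', 'page' and 'user'
come from the advisory; KNOWN_ACTIONS, the markup and the host are assumptions.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list of actions the handler implements (constructed values).
KNOWN_ACTIONS = {"list_users", "edit_user", "show_log"}

# The advisory's proof-of-concept URL; 192.0.2.10:2002 is a constructed
# placeholder for IP.ADD.RE.SS:dyn_port.
DEMO_URL = ("http://192.0.2.10:2002/setup.exe"
            "?action=<script>alert('foo+bar')</script>&page=list_users&user=P*")


def query_params(url: str) -> dict:
    """Return the first value of every query-string argument of ``url``."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def render_vulnerable(params: dict) -> str:
    """Echo the raw 'action' value into the response body.

    This is the defect pattern the advisory describes: whatever the browser
    sent in the query string lands in the page as live markup.
    """
    action = params.get("action", "")
    return f"<html><body><h1>Unknown action: {action}</h1></body></html>"


def render_hardened(params: dict) -> str:
    """Allow-list the argument, and HTML-escape anything that is reflected."""
    action = params.get("action", "")
    if action not in KNOWN_ACTIONS:
        # Unknown value: still echo it for the operator's benefit, but only
        # after escaping, so '<' becomes '&lt;' and cannot open a tag.
        return (f"<html><body><h1>Unknown action: "
                f"{html.escape(action, quote=True)}</h1></body></html>")
    return f"<html><body><h1>Action: {html.escape(action)}</h1></body></html>"


def contains_live_script(markup: str) -> bool:
    """True if the markup contains an actual <script> tag (not an escaped one)."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    params = query_params(DEMO_URL)
    print("vulnerable:", render_vulnerable(params))
    print("hardened:  ", render_hardened(params))
```

Both controls matter: the allow-list rejects values the handler never defined, and the escaping guarantees that even a value that slips through is rendered as text rather than parsed as a tag. Marking the session cookie HttpOnly would additionally keep script from reading it, but would not stop injected script from issuing requests in the administrator's session, which is why the encoding fix is the one that removes the flaw.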

A demonstration exploit URL is provided:

http://IP.ADD.RE.SS:dyn_port/setup.exe?action=<script>alert('foo+bar')</script>&page=list_users&user=P*

For the exploit to be effective, the target ACS administrator must already be logged into the application.

The vendor has reportedly been notified.

Impact:   A remote user may be able to cause arbitrary scripting code to be executed on a Cisco Secure ACS administrator's browser to steal the administrator's authentication cookies and gain access to the administrator's ACS account.
Solution:   No solution was available at the time of this entry.

The vendor has reportedly indicated that this will be fixed in the next release of the software, due out in "mid to late summer."
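While no fix is available, an operator can at least watch the ACS web server's access logs for requests that carry HTML markup in setup.exe query arguments. The script below is an added detection example written for this entry, not part of the advisory or of the product. The ACS web server's log format is not described anywhere on this page, so the sample lines are constructed in Common Log Format and that layout is an assumption; the payload in the second line is the advisory's own, percent-encoded as a browser would send it.

```python
"""Scan web-server access logs for HTML markup in setup.exe query arguments.

Added detection example; not part of the advisory. The ACS web server's log
format is not described, so these constructed lines use Common Log Format and
the layout is an assumption. Arguments are URL-decoded before matching because
a browser sends '<' as '%3C'.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: one benign request, one carrying the advisory's payload
# (percent-encoded), one with markup in a different argument, one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jun/2002:10:01:02 -0400] "GET /setup.exe?action=list_users&page=list_users HTTP/1.1" 200 1532
10.0.0.9 - - [15/Jun/2002:10:02:17 -0400] "GET /setup.exe?action=%3Cscript%3Ealert('foo+bar')%3C/script%3E&page=list_users&user=P* HTTP/1.1" 200 1611
10.0.0.9 - - [15/Jun/2002:10:02:40 -0400] "GET /setup.exe?action=edit_user&user=%3Cb%3Ebob%3C/b%3E HTTP/1.1" 200 1498
10.0.0.5 - - [15/Jun/2002:10:03:05 -0400] "GET /favicon.ico HTTP/1.1" 404 210
"""

# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Start of an opening or closing tag after decoding: '<', optional '/', a letter.
MARKUP_RE = re.compile(r"<\s*/?[a-z!]", re.IGNORECASE)


def markup_in_query(target: str) -> list:
    """Return (argument, decoded_value) pairs for arguments whose decoded value
    contains tag-like markup. Only requests to the setup.exe handler are inspected,
    and every argument is checked, since the advisory notes others may be affected."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/setup.exe"):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if MARKUP_RE.search(value):
            hits.append((name, value))
    return hits


def scan_log(text: str) -> list:
    """Return one finding dict per suspicious argument across all log lines."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for arg, value in markup_in_query(m.group("target")):
            findings.append({
                "client": m.group("client"),
                "timestamp": m.group("ts"),
                "argument": arg,
                "value": value,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['client']} setup.exe?{f['argument']}= {f['value']!r}")
```

Because the administrator's browser, not the attacker's host, issues the request when the crafted link is followed, the client address in a hit will normally be an administrator workstation; the value of the log is in showing that a link with markup was delivered and rendered, which is the cue to invalidate that administrator's session.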

Vendor URL:  www.cisco.com/warp/public/cc/pd/sqsw/sq/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  XSS in CiscoSecure ACS v3.0


sMax. Security Advisory
-------------------------------

Title:	Cross-Site Scripting in CiscoSecure ACS v3.0
Date:	June 14, 2002

PRODUCT AFFECTED:

CiscoSecure ACS v3.0 (Win32)

PRODUCT OVERVIEW:

CiscoSecure ACS is Cisco's implementation of RADIUS. 
v3.0 is the current release of the product.  Taken
from their website: "Cisco Secure ACS provides
authentication, authorization, and accounting
devices that function as AAA clients, such as a
network access server, PIX Firewall, or router."

VULNERABILITY:

Testing CiscoSecure ACS v3.0(1), Build 40 reveals a
cross-site scripting problem in the web server
component.  Specifically, the "action" argument that
the setup.exe handler uses does not appear to do
proper input validation.  Other arguments were not
tested, though they may be vulnerable as well.

Proof-of-concept:
http://IP.ADD.RE.SS:dyn_port/setup.exe?action=<script>alert('foo+bar')</script>&page=list_users&user=P*
(URL may wrap)

Obviously one needs to already be authenticated to the
ACS web server for this to successfully be carried
out.

SOLUTION:

Follow best practices; don't make the web component of
the ACS server available over the Internet.

Cisco was contacted on May 21st.  They have committed
to fixing this in the next release of the software,
due out in "mid to late summer".

- Dave Palumbo




Copyright 2022, SecurityGlobal.net LLC