
Cisco Meraki Systems Manager CSRF / XSS / Functionality Abuse

29 Jan 2015 | Reported by Denis Andzakovic | Source: packetstorm (packetstormsecurity.com)

( , ) (,  
. '.' ) ('. ',  
). , ('. ( ) (  
(_,) .'), ) _ _,  
/ _____/ / _ \ ____ ____ _____  
\____ \==/ /_\ \ _/ ___\/ _ \ / \  
/ \/ | \\ \__( <_> ) Y Y \  
/______ /\___|__ / \___ >____/|__|_| /  
\/ \/.-. \/ \/:wq  
(x.0)  
'=.|w|.='  
_=''"''=.  
  
presents..  
  
Cisco Meraki Systems Manager Multiple Vulnerabilities  
Affected Versions: Cisco Meraki Systems Manager - Unknown Versions  
  
PDF:  
http://www.security-assessment.com/files/documents/advisory/Cisco_Meraki_Systems_Manager_Multiple_Vulnerabilities.pdf  
  
+-------------+  
| Description |  
+-------------+  
  
The Cisco Meraki Systems Manager system was found to suffer from a number of  
vulnerabilities. A Cross Site Request Forgery vulnerability was discovered,  
allowing an attacker to determine the registration code for an organisation's  
Systems Manager instance or send out spam email. A Stored Cross Site Scripting  
vulnerability was discovered, allowing a malicious end user running the  
Systems Manager MDM software to stage Cross Site Scripting attacks against the  
organisation's administrative users.  
  
The Cisco Meraki Systems Manager administrative console was found to suffer  
from a Mass Assignment vulnerability, allowing a malicious user to leverage  
the "Backpack" functionality to automatically download and install arbitrary  
applications to the end user devices. Additionally, legitimate updates for the  
Systems Manager MDM software were found to be shipped over HTTP, allowing an  
attacker with access to the network path between the client and the Meraki  
cloud to intercept and tamper with the application package.  
  
  
+--------------+  
| Exploitation |  
+--------------+  
  
--[ Cross Site Request Forgery  
  
The Cisco Meraki Systems Manager administrative console uses an 'X-CSRF-Token'  
HTTP header to protect against Cross Site Request Forgery attacks; however, this  
header is often not validated on the server side and can simply be omitted from  
the request. The following POC coerces an authenticated administrator into  
sending an email containing arbitrary content to an arbitrary address. Note that  
the form carries no method attribute, so the browser submits it as a GET request.  
  
<html>  
<body>  
<form action="https://n85.meraki.com/Systems-Manager/n/Q6mExcvb/manage/configure/pcc_send_mdm_link/">  
<input type="hidden" name="type" value="email" />  
<input type="hidden" name="addr" value="[email protected]" />  
<input type="hidden" name="msg" value="Enroll in Meraki Systems Manager by opening this URL on your Android device:" />  
<input type="hidden" name="platform" value="android" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
The CSRF POC above will send an invitation message to  
'[email protected]'. An attacker may leverage this to enumerate  
an organisation's registration code and stage further attacks against the  
Meraki deployment.  
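The flaw described above, a token that is compared only when the header happens to be present, is easy to reproduce in a handler model. The following is an added example, not code from the advisory or from Cisco: a minimal request model with the vulnerable check beside a hardened one that treats a missing header as a failure and refuses non-POST requests (the session id, header lookup and store are assumptions; the header name and form fields come from the advisory). The cross-site request is constructed to mirror the POC form, including its GET method.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


# Constructed request model. Session ids and the session store are assumptions
# for the example; X-CSRF-Token and the form fields are from the advisory.
@dataclass
class Request:
    session_id: str
    method: str = "POST"
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


# Server-side session store: session id -> CSRF token issued to that session.
SESSIONS: Dict[str, str] = {}


def issue_token(session_id: str) -> str:
    """Mint a per-session CSRF token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def _header(req: Request, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _token_matches(req: Request) -> bool:
    """True only if a token was supplied and equals the session's token."""
    supplied = _header(req, "X-CSRF-Token")
    expected = SESSIONS.get(req.session_id)
    if supplied is None or expected is None:
        return False
    return hmac.compare_digest(supplied.encode(), expected.encode())


def send_mdm_link_vulnerable(req: Request) -> str:
    """The pattern the advisory describes: the token is validated only when the
    header is present. A cross-site form cannot add custom headers, so it
    simply omits the header and is accepted."""
    if _header(req, "X-CSRF-Token") is not None and not _token_matches(req):
        return "403 invalid CSRF token"
    return f"200 invitation sent to {req.form.get('addr')}"


def send_mdm_link_fixed(req: Request) -> str:
    """Hardened handler: a state-changing request must be a POST and must carry
    a token bound to the session; absence of the header is a failure."""
    if req.method != "POST":
        return "405 method not allowed"
    if not _token_matches(req):
        return "403 missing or invalid CSRF token"
    return f"200 invitation sent to {req.form.get('addr')}"


# Constructed cross-site submission modelled on the POC form: the victim's
# session rides along, no X-CSRF-Token header can be set by the attacker's
# page, and the form has no method attribute so the browser sends a GET.
CROSS_SITE = Request(
    session_id="admin-session",
    method="GET",
    form={
        "type": "email",
        "addr": "attacker@example.invalid",
        "msg": "Enroll in Meraki Systems Manager by opening this URL on your Android device:",
        "platform": "android",
    },
)

if __name__ == "__main__":
    token = issue_token("admin-session")
    print("vulnerable:", send_mdm_link_vulnerable(CROSS_SITE))
    print("fixed:     ", send_mdm_link_fixed(CROSS_SITE))
    legit = Request("admin-session", headers={"X-CSRF-Token": token}, form=CROSS_SITE.form)
    print("legit:     ", send_mdm_link_fixed(legit))
```

The method check matters on its own: even with correct token handling, an endpoint that performs a mutation on GET can be triggered by an image tag or a link, which needs no form at all.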
  
--[ Stored Cross Site Scripting  
  
Systems Manager relies on a certificate on the mobile device (provisioned via  
SCEP during registration) for authentication. A condition was discovered  
wherein a malicious user can retrieve the relevant certificate and key and  
stage attacks against the Systems Manager administrative console. This led to  
a Stored Cross Site Scripting vulnerability, where a malicious user may send a  
crafted request to /android/callback with malicious JavaScript code in the  
system_model parameter. The Mdm-Signature header is then recreated by the  
malicious user and the payload sent. The Mdm-Signature header can be generated  
by using a SpongyCastle content signer to produce a signature over the POST  
parameter data.  
  
The following request details the exploit. The system_model parameter is the  
affected field; the parameter data has been shortened for brevity's sake.  
  
POST /android/callback HTTP/1.1  
Mdm-Signature: <Recreated MDM Signature>  
Content-Length: <content length>  
Content-Type: application/x-www-form-urlencoded  
Host: <Meraki Host>  
Connection: Keep-Alive  
  
{snip}&system_model=Galaxy+XSS+%3cscript%3ealert(%27Malicious+Javascript%27)%3c%2fscript%3e{snip}  
  
The certificate and key used to create the Mdm-Signature header can be found  
under /data/data/com.meraki.sm/files/ on a provisioned Android device. The  
password for the keystore is stored in the 'scep_keystore_password' shared  
preference.  
  
In order to exploit this, the attacker must be enrolled against the Meraki MDM  
instance (in order to hold a valid certificate). This requires knowledge of a  
10 digit enrollment code (xxx-xxx-xxxx), which must be brute forced or obtained  
by other means (invitation email, QR code, etcetera); the Cross Site Request  
Forgery issue above is one way to have such an invitation delivered.  
  
--[ Backpack Mass Assignment  
  
The 'Backpack' functionality of the Cisco Meraki Systems Manager can be abused  
to install arbitrary APK files on users' devices. This is achieved through mass  
assignment: the 'auto_download' and 'auto_install' flags are set on a specific  
item (in this case an APK file) by including them in the post to  
/System-Manager/n/<id>/manage/configure/update_pcc_ios. Further information is  
available in the PDF version of this advisory.  
  
It should be noted that the management policy popup on the device disables the  
back button once the user is prompted to install the arbitrary APK, and the  
Meraki Systems Manager application cannot be re-entered without tapping the  
'install' button.  
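Mass assignment is a server-side bug: the update handler copies every posted key onto the record, so flags that were never meant to be reachable from that form (auto_download, auto_install) come along with the name and URL. The following added example, not code from the advisory or from Meraki, shows that pattern beside an allowlisted update that applies only the permitted fields and reports the rest, and moves the push-install flags into their own explicitly authorised action. The item model, the permitted field set, the admin-role gate and the request body are assumptions; only the two flag names are from the advisory.

```python
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import parse_qs


# Constructed model of a Backpack item. auto_download/auto_install are the two
# flags named in the advisory; the remaining fields are assumptions.
@dataclass
class BackpackItem:
    name: str
    url: str
    auto_download: bool = False
    auto_install: bool = False


def _parse_form(body: str) -> dict:
    """Form-encoded POST body -> {key: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _to_bool(value: str) -> bool:
    return value.strip().lower() in ("1", "true", "on", "yes")


def update_item_vulnerable(item: BackpackItem, body: str) -> BackpackItem:
    """Mass assignment: any posted key that matches an attribute is written,
    so auto_download/auto_install are set by whoever can post the form."""
    for key, value in _parse_form(body).items():
        if hasattr(item, key):
            current = getattr(item, key)
            setattr(item, key, _to_bool(value) if isinstance(current, bool) else value)
    return item


# Only these keys may be changed through the ordinary item-update request.
PERMITTED_FIELDS = frozenset({"name", "url"})


def update_item_fixed(item: BackpackItem, body: str) -> Tuple[BackpackItem, List[str]]:
    """Allowlisted update: keys outside PERMITTED_FIELDS are never applied and
    are returned so the caller can log them (a useful detection signal)."""
    params = _parse_form(body)
    dropped = sorted(k for k in params if k not in PERMITTED_FIELDS)
    for key, value in params.items():
        if key in PERMITTED_FIELDS:
            setattr(item, key, value)
    return item, dropped


def set_install_policy(item: BackpackItem, auto_download: bool, auto_install: bool,
                       actor_is_admin: bool) -> BackpackItem:
    """The push-install flags get a dedicated action with its own authorization
    check (the admin-role gate is an assumption for this example)."""
    if not actor_is_admin:
        raise PermissionError("only administrators may force installs")
    item.auto_download = auto_download
    item.auto_install = auto_install
    return item


# Constructed request body: a benign-looking item edit with both flags smuggled in.
ATTACK_BODY = (
    "name=Tool&url=https%3A%2F%2Fexample.invalid%2Ftool.apk"
    "&auto_download=1&auto_install=1"
)

if __name__ == "__main__":
    print(update_item_vulnerable(BackpackItem("Tool", "https://example.invalid/old.apk"), ATTACK_BODY))
    print(update_item_fixed(BackpackItem("Tool", "https://example.invalid/old.apk"), ATTACK_BODY))
```

Whether to drop unexpected keys silently or fail the request with a 400 is a design choice; either way, logging the dropped names gives the console a record of attempts to reach fields the form never exposed.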
  
--[ Updates over HTTP  
  
An attacker with access to network traffic between the device and the  
Meraki servers may tamper with the APK file used for updating. The update  
notification specifies 'http://dl.meraki.net/androidsm/AndroidSM.apk' as the  
document_url of the update. When an update is available, the  
http://dl.meraki.com URL is requested by the application over plain HTTP.  
  
+----------+  
| Solution |  
+----------+  
  
The Cisco Meraki Systems Manager cloud has been patched as deemed appropriate by Cisco.  
  
+---------------------+  
| Disclosure Timeline |  
+---------------------+  
  
13/10/2014 - Initial Advisory Sent to [email protected]  
14/10/2014 - Response from Cisco acknowledging the advisory documents and  
confirming the Updates over HTTP vulnerability.  
14/10/2014 - Response from Cisco stating that "The ability to require the  
download and installation of APK (and other files) is a feature of MDM  
Administration, and does not on its own constitute a  
vulnerability." In regards to the Mass Assignment vulnerability. Remaining  
vulnerabilities acknowledged and more information requested.  
17/10/2014 - Additional information sent to Cisco, as requested.  
30/10/2014 - Request for Update  
30/10/2014 - Response stating the Cross Site Request Forgery and Cross Site  
Scripting vulnerabilities were resolved  
29/01/2015 - Advisory Release  
  
+-------------------------------+  
| About Security-Assessment.com |  
+-------------------------------+  
  
Security-Assessment.com is Australasia's leading team of Information Security  
consultants specialising in providing high quality Information Security   
services to clients throughout the Asia Pacific region. Our clients include  
some of the largest globally recognised companies in areas such as finance,  
telecommunications, broadcasting, legal and government. Our aim is to provide  
the very best independent advice and a high level of technical expertise while  
creating long and lasting professional relationships with our clients.  
  
Security-Assessment.com is committed to security research and development,  
and its team continues to identify and responsibly publish vulnerabilities  
in public and private software vendor's products. Members of the   
Security-Assessment.com R&D team are globally recognised through their release  
of whitepapers and presentations related to new security research.  
  
For further information on this issue or any of our service offerings,   
contact us:  
  
Web www.security-assessment.com  
Email info () security-assessment com  
Phone +64 4 470 1650  
  
  
  
  