PACKETSTORM:64534
Source: packetstormsecurity.com
Author: FX
Published: Mar 13, 2008 - 12:00 a.m. (2008-03-13 00:00:00)
File: RecurityLabs_Cisco_ACS_UCP_advisory.txt
EPSS: 0.927 (High), percentile 98.8%

________________________________________________________________________  
  
Recurity Labs GmbH  
http://www.recurity-labs.com  
[email protected]  
Date: 12.03.2008  
________________________________________________________________________  
  
Vendor: Cisco Systems  
Product: Cisco Secure Access Control Server (ACS) for   
Windows User-Changeable Password (UCP) application  
Vulnerability: Multiple remote pre-authentication buffer overflows  
Cross Site Scripting issue  
Affected Releases: ACS 3 and 4, UCP v3.3.4.12.5, CSuserCGI 3.3.1  
NOT Affected Releases: UCP 4.2 and above  
Severity: HIGH  
CVE: CVE-2008-0532, CVE-2008-0533  
________________________________________________________________________  
  
Vendor communication:  
20.11.2007 Initial notification to PSIRT  
20.11.2007 Response from PSIRT, PGP encrypted to PSIRT only  
26.11.2007 Response from Paul Oxman / PSIRT  
26.11.2007 Even more detailed information to Paul Oxman  
27.11.2007 Received new PGP keys from PSIRT  
27.11.2007 Retransmit  
28.11.2007 Paul Oxman reports they are working on it  
28.11.2007 Fix discussions with Paul Oxman  
29.11.2007 Paul Oxman provides Cisco Bug IDs  
29.11.2007 Fix discussions with Paul Oxman  
12.12.2007 Fixed version provided for testing  
13.12.2007 Feedback to the fixed code  
14.12.2007 Paul Oxman acknowledges feedback  
17.12.2007 Paul Oxman reports internal progress  
17.12.2007 More feedback   
08.01.2008 Paul Oxman reports internal progress  
08.01.2008 ACK  
30.01.2008 Paul Oxman proposes advisory release date  
30.01.2008 Acknowledging advisory release date  
27.02.2008 Paul Oxman updates on progress  
27.02.2008 ACK  
05.03.2008 Paul Oxman sends draft Cisco advisory  
05.03.2008 Sending draft Recurity Labs advisory  
06.03.2008 Paul Oxman provides fixed release version  
06.03.2008 Final communication with Paul Oxman  
12.03.2008 Coordinated release  
________________________________________________________________________  
  
Overview:  
Cisco Secure Access Control Server (ACS) for Windows User-Changeable   
Password (UCP) application is a set of CGI programs and web site contents  
installed on Microsoft IIS.  
  
From the Cisco Advisory:  
"The UCP application enables end users to change their ACS passwords  
with a web-based utility. When users need to change their own  
passwords, they can access the UCP web page by using a supported web  
browser, validate their existing credentials, and then change their  
password via the utility."  
  
The CGI /securecgi-bin/CSUserCGI.exe suffers from multiple buffer  
overflows exploitable remotely through the HTTP protocol before  
authentication. Additionally, CSUserCGI.exe suffers from a non-persistent  
Cross Site Scripting vulnerability.  
  
Description:  
The main() function of CSuserCGI.exe compares the first command line   
argument passed to the program using strcmp() against a list of   
supported arguments, among them "Logout", "Main", "ChangePass", etc.   
  
For most of the arguments, it will simply parse the following arguments   
and pass them to a wsprintf() call with format strings like   
"Action=%s&Username=%s&OldPass=%s&NetPass=%s". The destination buffer of  
these calls is located in the .data segment of the application.  
  
In case of the "Logout" argument, main() passes the second argument,  
usually of the form "1234.xyzab.c.username.", as well as a char[]   
buffer on the stack to a function that first extracts the string up   
to the first '.' character using strtok and then copies the string   
into the supplied char[] buffer. The char buffer is 96 bytes long.  
Accordingly, if the string before the first dot character exceeds this  
length, the buffer as well as the return address is overwritten.  
  
.text:00401065 mov eax, [ebx+8] ; get argv[2]  
.text:00401068 test eax, eax  
.text:0040106A jz loc_401520  
.text:00401070 push eax ; char *  
.text:00401071 call sub_402870  
...  
.text:00402870 sub esp, 60h  
.text:00402873 mov ecx, 17h  
.text:00402878 xor eax, eax  
.text:0040287A push edi  
.text:0040287B lea edi, [esp+64h+var_60]  
.text:0040287F rep stosd  
.text:00402881 mov ecx, [esp+64h+arg_0]  
.text:00402885 stosw  
.text:00402887 stosb  
.text:00402888 lea eax, [esp+64h+var_60]  
.text:0040288C push eax ; int  
.text:0040288D push ecx ; char *  
.text:0040288E call sub_402940  
...  
.text:00402940 mov ecx, [esp+arg_0]  
.text:00402944 xor eax, eax  
.text:00402946 test ecx, ecx  
.text:00402948 jz locret_402A11  
.text:0040294E push ebx  
.text:0040294F push esi  
.text:00402950 push edi  
.text:00402951 push offset a_ ; "."  
.text:00402956 push ecx ; char *  
.text:00402957 call _strtok  
.text:0040295C mov edi, eax  
.text:0040295E or ecx, 0FFFFFFFFh  
.text:00402961 xor eax, eax  
.text:00402963 mov ebx, [esp+14h+arg_4]  
.text:00402967 repne scasb  
.text:00402969 not ecx  
.text:0040296B sub edi, ecx  
.text:0040296D lea edx, [ebx+1]  
.text:00402970 mov eax, ecx  
.text:00402972 mov esi, edi  
.text:00402974 mov edi, edx  
.text:00402976 push offset a_ ; "."  
.text:0040297B shr ecx, 2  
.text:0040297E rep movsd  
.text:00402980 mov ecx, eax  
.text:00402982 push 0 ; char *  
.text:00402984 and ecx, 3  
.text:00402987 rep movsb  
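
The copy pattern described above, written out in C as an added illustration (this is not Recurity Labs' or Cisco's code, and the "checked" variant is an assumed bounded design, not Cisco's actual fix): the unchecked function mirrors what the disassembly of sub_402940 does (strtok() on "." followed by a length-unaware copy into the caller's 96-byte stack buffer), and the checked function is the form a defender would want, rejecting any first segment that does not fit together with its terminator. The 96-byte size and the "1234.xyzab.c.username." argument shape come from the advisory; the function names and the 200-character test input are constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size taken from the advisory: the caller's char[] buffer is 96 bytes. */
#define TOKEN_BUF 96

/* The pattern the advisory reconstructs from sub_402940: strtok() cuts the
 * argument at the first '.', then the token is copied into the caller's
 * 96-byte stack buffer with no length check, so a first segment longer
 * than 95 characters overruns the frame. Shown for comparison only; it is
 * never called here. */
void extract_token_unchecked(char *arg, char out[TOKEN_BUF])
{
    char *tok = strtok(arg, ".");
    if (tok == NULL)
        return;
    memcpy(out, tok, strlen(tok) + 1);   /* strlen(tok) is unbounded */
}

/* Bounded replacement (assumed design, not Cisco's fix): reads the input
 * without modifying it, tolerates a missing '.', and refuses any segment
 * that would not fit together with its NUL terminator.
 * Returns the segment length, or -1 when the input is rejected. */
int extract_token_checked(const char *arg, char *out, size_t out_len)
{
    if (arg == NULL || out == NULL || out_len == 0)
        return -1;
    const char *dot = strchr(arg, '.');
    size_t len = dot ? (size_t)(dot - arg) : strlen(arg);
    if (len >= out_len)                  /* leave room for the terminator */
        return -1;
    memcpy(out, arg, len);
    out[len] = '\0';
    return (int)len;
}

/* Same 96-byte stack buffer as the original caller; returns the length
 * accepted or -1. */
int first_segment_len(const char *arg)
{
    char buf[TOKEN_BUF];
    return extract_token_checked(arg, buf, sizeof buf);
}

/* Constructed over-long case: 200 'A's before the first '.' (the shape of
 * the advisory's crash request). The checked extractor must reject it. */
int oversized_case(void)
{
    char arg[256];
    memset(arg, 'A', 200);
    strcpy(arg + 200, ".xyzab.c.username.");
    return first_segment_len(arg);
}

int main(void)
{
    /* constructed sample in the format the advisory gives for argv[2] */
    printf("normal   : %d\n", first_segment_len("1234.xyzab.c.username."));
    printf("oversized: %d\n", oversized_case());
    return 0;
}
```

The check is `len >= out_len` rather than `len > out_len` because the terminating NUL also has to fit; an off-by-one here would still let a 96-character segment write one byte past the buffer.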
  
Example:  
The following request will cause EIP to be overwritten with 0x42424242.  
The line may wrap, depending on how you view this file.  
https://target/securecgi-bin/CSUserCGI.exe?Logout+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB.xyzab.c.hacker.  
  
A non-persistent Cross Site Scripting vulnerability can also be triggered  
using the Help facility of the CGI. An example request would be as  
follows. The line may wrap, depending on how you view this file.  
https://target/securecgi-bin/CSUserCGI.exe?Help+00.lala.c.hacker%22%22%22%3E%3Ch1%3EHello_Cisco%3C/h1%3E  
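
The request above works because the decoded argument (`"""><h1>Hello_Cisco</h1>`) is reflected into the HTML response unescaped. As an added illustration that is not part of the advisory and not Cisco's code, the following C routine shows the output-encoding step a CGI would apply before reflecting such a value; it assumes the Help argument is written into HTML text or attribute context, which is what the advisory's sample suggests. The function names are constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Escapes the characters that let reflected input break out of HTML text
 * or attribute context. Writes into out (out_len bytes including the NUL)
 * and returns the number of bytes written, or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t out_len)
{
    size_t pos = 0;
    if (in == NULL || out == NULL || out_len == 0)
        return -1;
    for (; *in != '\0'; in++) {
        char single[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = single;   break;
        }
        size_t rlen = strlen(rep);
        if (pos + rlen >= out_len)       /* keep one byte for the NUL */
            return -1;
        memcpy(out + pos, rep, rlen);
        pos += rlen;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Convenience wrapper over a static buffer, for quick checks; not
 * reentrant. Returns NULL when the escaped form does not fit. */
const char *html_escape_static(const char *in)
{
    static char buf[1024];
    return html_escape(in, buf, sizeof buf) < 0 ? NULL : buf;
}

int main(void)
{
    /* constructed: the advisory's Help sample with the %xx sequences decoded */
    const char *sample = "00.lala.c.hacker\"\"\"><h1>Hello_Cisco</h1>";
    printf("raw     : %s\n", sample);
    printf("escaped : %s\n", html_escape_static(sample));
    return 0;
}
```

After escaping, the three quotes and the closing `>` become `&quot;&quot;&quot;&gt;`, so the value can no longer terminate the attribute it is placed in, and the `<h1>` tags render as literal text instead of markup.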
  
Solution:  
Update to UCP version 4.2.  
See the Cisco Advisory for how to obtain fixed software:  
http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml  
  
________________________________________________________________________  
  
Credit:   
The vulnerabilities were identified by Felix 'FX' Lindner, Recurity Labs  
GmbH, during a cursory inspection of a customer installation of the ACS  
UCP product.  
  
Greets to the teams at Recurity Labs and Zynamics, Sergio Alvarez, Max  
Moser, Alexander Kornbrust, Maxim Salomon, Nicolas Fischbach, Karsten   
Schumann, Frank Becker, PSIRT, Paul Oxman, John Stewart  
________________________________________________________________________  
  
The information provided is released "as is" without warranty  
of any kind. The publisher disclaims all warranties, either express or   
implied, including all warranties of merchantability. No responsibility  
is taken for the correctness of this information.  
In no event shall the publisher be liable for any damages whatsoever   
including direct, indirect, incidental, consequential, loss of business   
profits or special damages, even if the publisher has been advised of   
the possibility of such damages.   
  
The contents of this advisory are copyright (c) 2008 Recurity Labs GmbH  
and may be distributed freely provided that no fee is charged for this   
distribution and proper credit is given.  
________________________________________________________________________  
  