ProCheckUp Security Advisory 2008.19

15 Jan 2009 | Reported by Adrian Pastor | Type: packetstorm | Source: packetstormsecurity.com

XSS vulnerability in Cisco IOS HTTP Server for ProCheckUp PR08-1

`PR08-19: XSS on Cisco IOS HTTP Server  
  
Date found: 1st August 2008  
  
Vendor contacted: 1st August 2008  
  
Advisory publicly released: 14th January 2009  
  
Severity: Medium  
  
Credits: Adrian Pastor of ProCheckUp Ltd (www.procheckup.com)  
  
Description:  
  
Cisco IOS HTTP server is vulnerable to XSS within invalid parameters  
processed by the "/ping" server-side binary/script.  
  
  
Consequences:  
  
An attacker may be able to cause execution of malicious scripting code  
in the browser of a user who clicks on a link to the HTTP server of a  
Cisco device.  
  
This type of attack can result in non-persistent defacement of the  
target admin interface, or the redirection of confidential information  
to unauthorised third parties. i.e.: by scraping the data returned by  
the '/level/15/exec/-/show/run/CR' URL via the XMLHttpRequest object.  
  
It might also be possible to perform administrative changes by  
submitting forged commands (CSRF) within the payload of the XSS attack.  
i.e.: injecting an 'img' tag which points to  
'/level/15/configure/-/enable/secret/newpass' would change the enable  
password to 'newpass'.  
  
  
Notes:  
  
1. The victim administrator needs to be currently authenticated for this  
vulnerability to be exploitable  
  
2. In order to exploit this vulnerability successfully, the attacker  
only needs to know the IP address of the Cisco device. There is NO need  
to have access to the IOS HTTP server  
  
Proof of concept (PoC):  
  
http://192.168.100.1/ping?<script>alert("Running+code+within+the_context+of+"%2bdocument.domain)</script>  
  
  
Content of HTML body returned:  
  
<BODY BGCOLOR=#FFFFFF><H2>test-router</H2><HR><DT>Error: URL syntax:  
?<script>alert("Running code within the_context of  
"+document.domain)</script></BODY>  
  
Successfully tested on:  
  
Cisco 1803  
Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version  
12.4(6)T7, RELEASE SOFTWARE (fc5)  
  
  
Assigned Cisco Bug ID#:  
  
CSCsr72301  
  
CVE reference:  
  
CVE-2008-3821  
  
  
References:  
  
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19  
http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml  
  
Fix:  
  
Please see Cisco advisory for information on available updates.  
  
  
Legal:  
  
Copyright 2009 ProCheckUp Ltd. All rights reserved.  
  
Permission is granted for copying and circulating this Bulletin to the  
Internet community for the purpose of alerting them to problems, if and  
only if the Bulletin is not changed or edited in any way, is attributed  
to ProCheckUp indicating this web page URL, and provided such  
reproduction and/or distribution is performed for non-commercial purposes.  
  
Any other use of this information is prohibited. ProCheckUp is not  
liable for any misuse of this information by any third party. ProCheckUp  
is not responsible for the content of external Internet sites.  
`
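
A log check for the two request patterns the advisory describes, written as an added example and not part of the ProCheckUp advisory or any Cisco tooling: it flags `/ping` requests whose query decodes to HTML markup, and `/level/15/` requests whose Referer is a `/ping` URL carrying a query. The log layout (`client method url referer`), the sample lines, and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample proxy log lines (not from the advisory).
# Assumed layout: "client method url referer", "-" meaning no Referer.
SAMPLE_LOG = """\
10.0.0.5 GET http://192.168.100.1/ping?<script>alert(1)</script> -
10.0.0.5 GET http://192.168.100.1/ping?%3Cimg%20src%3Dx%3E -
10.0.0.7 GET http://192.168.100.1/level/15/exec/-/show/run/CR http://192.168.100.1/ping?%3Cscript%3E
10.0.0.8 GET http://192.168.100.1/level/15/exec/-/show/run/CR http://192.168.100.1/level/15/exec/-
10.0.0.9 GET http://192.168.100.1/ping -
"""

# Characters that let a reflected value break out into HTML markup.
MARKUP = re.compile(r"[<>\"']")


def decoded_query(url):
    """Return the query string, percent-decoded twice to catch double encoding."""
    return unquote_plus(unquote_plus(urlsplit(url).query))


def classify(line):
    """Return a tag for a suspicious log line, or None if it looks benign."""
    client, method, url, referer = line.split(" ", 3)
    path = urlsplit(url).path
    # Pattern 1: markup in the query of /ping, which the error page reflects.
    if path == "/ping" and MARKUP.search(decoded_query(url)):
        return "ping-markup"
    # Pattern 2: a privileged exec/configure URL requested from a /ping page,
    # which is what a script or injected tag running in that page would cause.
    ref = urlsplit(referer)
    if path.startswith("/level/15/") and ref.path == "/ping" and ref.query:
        return "privileged-from-ping"
    return None


def scan(log):
    """Return (line_number, tag) for every flagged line in the log text."""
    return [(n, tag) for n, line in enumerate(log.splitlines(), 1)
            if (tag := classify(line))]


if __name__ == "__main__":
    for n, tag in scan(SAMPLE_LOG):
        print(f"line {n}: {tag}")
```

Browsers may omit the Referer header, so the second pattern misses such requests; the first pattern does not depend on it.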
