Cisco Security Agent Management Center Code Execution

2011-03-17T00:00:00
ID SAINT:95BEF1836EA9EBC0A6AE397C135DE2E9
Type saint
Reporter SAINT Corporation
Modified 2011-03-17T00:00:00

Description

Added: 03/17/2011
CVE: CVE-2011-0364
BID: 65436
OSVDB: 70884

Background

Cisco Security Agent Management Center is the server component of Cisco's Security Agent endpoint IPS solution. It is responsible for collecting event log information from endpoints and distributing rules updates.

Problem

The Management Center web interface fails to validate parameters when handeling 'st_upload' requests. An attacker may upload arbitrary executable files and place them such that they will be executed.

Resolution

Upgrade to Cisco Security Agent version 6.0.2.145 or later as instructed in Cisco advisory cisco-sa-20110216-csa.

References

<http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6cee6.shtml>
<http://www.zerodayinitiative.com/advisories/ZDI-11-088/>

Limitations

Exploit works against Cisco Systems Security Agent Management Center 6.0.2.138 on Windows Server 2003 SP2 English (DEP OptOut). The 'IO::Socket::SSL' PERL module is required.

A valid HOST_UID of the target Security Agent Management Center must be provided to the exploit script. The HOST_UID can be retrieved from the target Security Agent Management Center without credentials. The following steps illustrate how to retrieve the HOST_UID:

1. Download the Agent Kit from URL: https:///csamc60/kits is the host address of the Security Agent Management Center.

2. Install the Agent Kit on a host running Windows Server 2003: Install the Agent Kit and reboot the machine. Open Cisco Security Agent panel by double-clicking on the Cisco Security Agent icon in Windows status bar. On the Status screen, make sure the host name in the "Management Center" field matches the target server running Security Agent Management Center, and the "Registration date" has a valid date.

3. Open the following text file to retrieve the HOST_UID: c:\Program Files\Cisco\CSAgent\cfg\agent.state

An example of HOST_UID looks as below: HOST_UID={1AE3136C-142D-40F9-9C88-8FCB76D648F7}

Platforms

Windows