Cisco Secure ACS UCP CSuserCGI.exe buffer overflow

2008-04-0700:00:00

SAINT Corporation

download.saintcorporation.com

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.927 High

EPSS

Percentile

98.8%

JSON

Added: 04/07/2008
CVE: CVE-2008-0532
BID: 28222
OSVDB: 42961

Background

Cisco Secure Access Control Server (ACS) is a centralized user access control framework which can be used with routers, switches, firewalls, VPNs, and other devices. User Changeable Passwords (UCP), a utility implemented by Cisco Secure ACS, allows users to change their ACS passwords using a web browser.

Problem

A buffer overflow in the **CSuserCGI.exe** program allows remote attackers to execute arbitrary commands by sending a specially crafted HTTP request with a long Logout argument.

Resolution

Upgrade to UCP 4.2.

References

<http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml>
<http://www.frsirt.com/english/advisories/2008/0868>

Limitations

Exploit works on Cisco UCP 4.1.4.13.

On Windows Server 2003, Read and Execute privileges on the file **%windir%\system32\cmd.exe** must be granted to the Internet Guest Account “IUSR_” for the exploit to work properly.