Cisco Secure Access Control Server (ACS) is a centralized user access control framework which can be used with routers, switches, firewalls, VPNs, and other devices. User Changeable Passwords (UCP), a utility implemented by Cisco Secure ACS, allows users to change their ACS passwords using a web browser.
A buffer overflow in the
**CSuserCGI.exe** program allows remote attackers to execute arbitrary commands by sending a specially crafted HTTP request with a long Logout argument.
Upgrade to UCP 4.2.
Exploit works on Cisco UCP 18.104.22.168.
On Windows Server 2003, Read and Execute privileges on the file
**%windir%\system32\cmd.exe** must be granted to the Internet Guest Account "IUSR_" for the exploit to work properly.
Windows Server 2003