{"cve": [{"lastseen": "2018-10-16T10:52:02", "bulletinFamily": "NVD", "description": "Multiple buffer overflows in securecgi-bin/CSuserCGI.exe in User-Changeable Password (UCP) before 4.2 in Cisco Secure Access Control Server (ACS) for Windows and ACS Solution Engine allow remote attackers to execute arbitrary code via a long argument located immediately after the Logout argument, and possibly unspecified other vectors.", "modified": "2018-10-15T18:01:01", "published": "2008-03-14T16:44:00", "id": "CVE-2008-0532", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0532", "title": "CVE-2008-0532", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-16T10:52:02", "bulletinFamily": "NVD", "description": "Multiple cross-site scripting (XSS) vulnerabilities in securecgi-bin/CSuserCGI.exe in User-Changeable Password (UCP) before 4.2 in Cisco Secure Access Control Server (ACS) for Windows and ACS Solution Engine allow remote attackers to inject arbitrary web script or HTML via an argument located immediately after the Help argument, and possibly unspecified other vectors.", "modified": "2018-10-15T18:01:01", "published": "2008-03-14T16:44:00", "id": "CVE-2008-0533", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0533", "title": "CVE-2008-0533", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "cisco": [{"lastseen": "2017-09-26T15:34:15", "bulletinFamily": "software", "description": "", "modified": "2008-03-12T16:00:00", "published": "2008-03-12T16:00:00", "id": "CISCO-SA-20080312-UCP", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080312-ucp", "type": "cisco", "title": "Cisco Secure Access Control Server for Windows User-Changeable Password Vulnerabilities", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:25", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nCisco Security Advisory: Cisco Secure Access Control Server for\r\n Windows User-Changeable Password \r\n Vulnerabilities\r\n\r\nAdvisory ID: cisco-sa-20080312-ucp\r\n\r\nhttp://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml\r\n\r\nRevision 1.0\r\n============\r\n\r\nFor Public Release 2008 March 12 1600 UTC (GMT)\r\n\r\nSummary\r\n=======\r\n\r\nTwo sets of vulnerabilities were discovered in the Cisco Secure\r\nAccess Control Server (ACS) for Windows User-Changeable Password\r\n(UCP) application and reported to Cisco by Felix 'FX' Lindner, \r\nRecurity Labs GmbH.\r\n\r\nThe first set of vulnerabilities address several buffer overflow\r\nconditions in the UCP application that could result in remote\r\nexecution of arbitrary code on the host system where UCP is\r\ninstalled.\r\n\r\nThe second set of vulnerabilities address cross-site scripting in the\r\nUCP application pages.\r\n\r\nBoth sets of vulnerabilities could be remotely exploited, and do not\r\nrequire valid user credentials.\r\n\r\nCisco has released a free software update for UCP that addresses\r\nthese vulnerabilities.\r\n\r\nThere are no workarounds that mitigate these vulnerabilities.\r\n\r\nThis advisory is posted at\r\nhttp://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml\r\n\r\nAffected Products\r\n=================\r\n\r\nUCP is the vulnerable application and can be installed to\r\ninter-operate with:\r\n\r\n * Cisco Secure ACS for Windows\r\n * Cisco Secure ACS Solution Engine (Appliance)\r\n\r\nNOTE: In Cisco Secure ACS for Windows, UCP may be installed on the\r\n same or different host as the Cisco Secure ACS for Windows\r\n application. 
In the Cisco Secure ACS Solution Engine (Appliance)\r\n the UCP is installed on a host other than the\r\n appliance.\r\n\r\nUCP is not installed by default with ACS installations.\r\n\r\nVulnerable Products\r\n+------------------\r\n\r\nUCP versions prior to 4.2 are affected. Users can perform the\r\nfollowing steps to determine the version of UCP installed on a\r\nsystem:\r\n\r\n 1. Log in to the system where UCP is installed\r\n 2. Open a Windows command prompt\r\n 3. Change the current working directory to the default directory of\r\n the CGI scripts that was specified during installation of UCP.\r\n The default installation directory is \r\n "C:\Inetpub\Wwwroot\securecgi-bin". Within this directory execute\r\n the command "CSuserCGI ver".\r\n\r\nThe output returned will indicate a CSuserCGI version. Any version\r\nearlier than 4.2 is vulnerable. The following example shows a system\r\nwith UCP version 4.2 installed.\r\n\r\n C:\> c:\r\n C:\> cd c:\inetpub\Wwwroot\securecgi-bin\r\n C:\Inetpub\Wwwroot\securecgi-bin>CSuserCGI ver\r\n CSuserCGI 4.2, Copyright 2008 Cisco Systems Inc\r\n\r\nProducts Confirmed Not Vulnerable\r\n+--------------------------------\r\n\r\nInstallations of Cisco Secure ACS for Windows or Cisco Secure ACS\r\nSolution Engine without UCP installed are not vulnerable.\r\n\r\nCisco Secure ACS for UNIX does not support the UCP utility and is\r\nnot vulnerable.\r\n\r\nNo other Cisco products are currently known to be affected by these\r\nvulnerabilities.\r\n\r\nDetails\r\n=======\r\n\r\nThe UCP application enables end users to change their ACS passwords\r\nwith a web-based utility. 
When users need to change their own\r\npasswords, they can access the UCP web page by using a supported web\r\nbrowser, validate their existing credentials, and then change their\r\npassword via the utility.\r\n\r\nFor more information about the UCP application please see\r\nhttp://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/user_passwords/ucp.html.\r\n\r\nSeveral vulnerabilities exist within the UCP application.\r\n\r\n * Multiple Buffer Overflow Vulnerabilities.\r\n \r\n Multiple buffer overflows exist within the UCP CSuserCGI.exe\r\n code. CSuserCGI.exe is the HTTP interface to the server. \r\n\r\n This vulnerability is addressed by Cisco Bug ID CSCsl49180 and\r\n has been assigned Common Vulnerabilities and Exposures (CVE) \r\n identifier CVE-2008-0532.\r\n\r\n * Cross Site Scripting Vulnerabilities.\r\n\r\n Cross-site scripting vulnerabilities exist within the UCP\r\n CSuserCGI.exe code. \r\n\r\n This vulnerability is addressed by Cisco Bug ID CSCsl49205 and\r\n has been assigned Common Vulnerabilities and Exposures (CVE) \r\n identifier CVE-2008-0533.\r\n\r\n\r\nVulnerability Scoring Details\r\n=============================\r\n\r\nCisco has provided scores for the vulnerabilities in this advisory\r\nbased on the Common Vulnerability Scoring System (CVSS). The CVSS\r\nscoring in this Security Advisory is done in accordance with CVSS\r\nversion 2.0. CVSS is a standards-based scoring method that conveys\r\nvulnerability severity and helps determine urgency and priority of\r\nresponse. Cisco has provided a base and temporal score. Customers can\r\nthen compute environmental scores to assist in determining the impact\r\nof the vulnerability in individual networks. 
Cisco has provided an\r\nFAQ to answer additional questions regarding CVSS at\r\nhttp://www.cisco.com/web/about/security/intelligence/cvss-qandas.html\r\nCisco has also provided a CVSS calculator to help compute the\r\nenvironmental impact for individual networks at\r\nhttp://intellishield.cisco.com/security/alertmanager/cvss .\r\n\r\n\r\n* CSCsl49180: Multiple Buffer Overflow Vulnerabilities.\r\n\r\n CVSS Base Score - 10\r\n\r\n Access Vector: Network\r\n Access Complexity: Low\r\n Authentication: None\r\n\r\n Confidentiality Impact: Complete\r\n Integrity Impact: Complete\r\n Availability Impact: Complete\r\n\r\n CVSS Temporal Score - 8.3\r\n\r\n Exploitability: Functional\r\n Remediation Level: Official-Fix\r\n Report Confidence: Confirmed\r\n\r\n\r\n* CSCsl49205: Cross Site Scripting Vulnerabilities.\r\n\r\n CVSS Base Score - 4.3\r\n\r\n Access Vector: Network\r\n Access Complexity: Medium\r\n Authentication: None\r\n\r\n Confidentiality Impact: None\r\n Integrity Impact: Partial\r\n Availability Impact: None\r\n\r\n CVSS Temporal Score - 3.6\r\n\r\n Exploitability: Functional\r\n Remediation Level: Official-Fix\r\n Report Confidence: Confirmed\r\n\r\nImpact\r\n======\r\n\r\nSuccessful exploitation of the buffer overflow vulnerabilities may\r\nresult in the execution of arbitrary code on the system the UCP\r\napplication is installed.\r\n\r\nSuccessful exploitation of the cross-site scripting vulnerabilities\r\nmay result in the embedding of malicious code and/or scripts within a\r\nUCP URL.\r\n\r\nThe malicious code is likely to be a script that is embedded in the\r\nURL of a link. The malicious code may also be stored on the\r\nvulnerable server or a malicious website. 
An attacker could try to\r\nconvince an unsuspecting user to follow a malicious link to a\r\nvulnerable UCP application server that injects (reflects) the\r\nmalicious code back to the user's browser.\r\n\r\nSoftware Versions and Fixes\r\n===========================\r\n\r\nWhen considering software upgrades, also consult \r\nhttp://www.cisco.com/go/psirt and any subsequent advisories to\r\ndetermine exposure and a complete upgrade solution. In all cases,\r\ncustomers should exercise caution to be certain the devices to be\r\nupgraded contain sufficient memory and that current hardware and\r\nsoftware configurations will continue to be supported properly by\r\nthe new release. If the information is not clear, contact the Cisco\r\nTechnical Assistance Center (TAC) or your contracted maintenance\r\nprovider for assistance.\r\n\r\nUCP Version 4.2 contains the fixes for the listed vulnerabilities.\r\n\r\nUCP Version 4.2 can be downloaded from the following location:\r\nhttp://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/ciscosecure/special/acs/macgyver/UCP_4.2.0.124-K9.zip&app=Tablebuild&status=showC2A\r\n\r\nNote: UCP Version 4.2 works with all 4.x version of Cisco Secure\r\n ACS for Windows and Cisco Secure ACS Solution Engine. UCP\r\n version 4.2 is not compatible with 3.x ACS installations.\r\n No fixed UCP version exists for 3.x ACS installations.\r\n\r\nWorkarounds\r\n===========\r\n\r\nThere are no workarounds for these vulnerabilities. 
Cisco recommends\r\nupgrading to the fixed version of UCP.\r\n\r\nFor additional information on cross-site scripting attacks and the\r\nmethods used to exploit these vulnerabilities, please refer to the\r\nCisco Applied Mitigation Bulletin "Understanding Cross-Site Scripting\r\n(XSS) Threat Vectors", which is available at the following link:\r\n\r\nhttp://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml\r\n\r\nObtaining Fixed Software\r\n========================\r\n\r\nCisco has released free software updates that address these\r\nvulnerabilities. Prior to deploying software, customers should\r\nconsult their maintenance provider or check the software for feature\r\nset compatibility and known issues specific to their environment.\r\nCustomers may only install and expect support for the feature sets\r\nthey have purchased. By installing, downloading, accessing or\r\notherwise using such software upgrades, customers agree to be bound\r\nby the terms of Cisco's software license terms found at\r\nhttp://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html \r\nor as otherwise set forth at Cisco.com Downloads at \r\nhttp://www.cisco.com/public/sw-center/sw-usingswc.shtml . Do not \r\ncontact psirt@cisco.com or security-alert@cisco.com for software \r\nupgrades.\r\n\r\nCustomers with Service Contracts\r\n+-------------------------------\r\n\r\nCustomers with contracts should obtain upgraded software through\r\ntheir regular update channels. 
For most customers, this means that\r\nupgrades should be obtained through the Software Center on Cisco's\r\nworldwide website at http://www.cisco.com.\r\n\r\nCustomers using Third Party Support Organizations\r\n+------------------------------------------------\r\n\r\nCustomers whose Cisco products are provided or maintained through\r\nprior or existing agreements with third-party support organizations,\r\nsuch as Cisco Partners, authorized resellers, or service providers\r\nshould contact that support organization for guidance and assistance\r\nwith the appropriate course of action in regards to this advisory.\r\nThe effectiveness of any workaround or fix is dependent on specific\r\ncustomer situations, such as product mix, network topology, traffic\r\nbehavior, and organizational mission. Due to the variety of affected\r\nproducts and releases, customers should consult with their service\r\nprovider or support organization to ensure any applied workaround or\r\nfix is the most appropriate for use in the intended network before it\r\nis deployed.\r\n\r\nCustomers without Service Contracts\r\n+----------------------------------\r\n\r\nCustomers who purchase direct from Cisco but do not hold a Cisco\r\nservice contract, and customers who purchase through third-party\r\nvendors but are unsuccessful in obtaining fixed software through\r\ntheir point of sale should acquire upgrades by contacting the Cisco\r\nTechnical Assistance Center (TAC). TAC contacts are as follows.\r\n\r\n * +1 800 553 2447 (toll free from within North America)\r\n * +1 408 526 7209 (toll call from anywhere in the world)\r\n * e-mail: tac@cisco.com\r\n\r\nCustomers should have their product serial number available and be\r\nprepared to give the URL of this notice as evidence of entitlement to\r\na free upgrade. Free upgrades for non-contract customers must be\r\nrequested through the TAC. 
Refer to \r\nhttp://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for\r\nadditional TAC contact information, including localized telephone\r\nnumbers, and instructions and e-mail addresses for use in various\r\nlanguages.\r\n\r\nExploitation and Public Announcements\r\n=====================================\r\n\r\nThe Cisco PSIRT is not aware of any public announcements or malicious\r\nuse of the vulnerability described in this advisory.\r\n\r\nWe would like to thank Felix 'FX' Lindner, Recurity Labs GmbH for \r\nreporting this issue to us. We greatly appreciate the opportunity to\r\nwork with researchers on security vulnerabilities, and welcome the\r\nopportunity to review and assist with security vulnerability reports\r\nagainst Cisco products.\r\n\r\nStatus of this Notice: FINAL\r\n======================\r\n\r\nTHIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY\r\nKIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF\r\nMERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE\r\nINFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS\r\nAT YOUR OWN RISK. 
CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS\r\nDOCUMENT AT ANY TIME.\r\n\r\nA stand-alone copy or Paraphrase of the text of this document that\r\nomits the distribution URL in the following section is an\r\nuncontrolled copy, and may lack important information or contain\r\nfactual errors.\r\n\r\nDistribution\r\n============\r\n\r\nThis advisory is posted on Cisco's worldwide website at :\r\nhttp://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml \r\nIn addition to worldwide web posting, a text version of this notice\r\nis clear-signed with the Cisco PSIRT PGP key and is posted to the\r\nfollowing e-mail and Usenet news recipients.\r\n\r\n * cust-security-announce@cisco.com\r\n * first-teams@first.org\r\n * bugtraq@securityfocus.com\r\n * vulnwatch@vulnwatch.org\r\n * cisco@spot.colorado.edu\r\n * cisco-nsp@puck.nether.net\r\n * full-disclosure@lists.grok.org.uk\r\n * comp.dcom.sys.cisco@newsgate.cisco.com\r\n\r\nFuture updates of this advisory, if any, will be placed on Cisco's\r\nworldwide website, but may or may not be actively announced on\r\nmailing lists or newsgroups. Users concerned about this problem are\r\nencouraged to check the above URL for any updates.\r\n\r\nRevision History\r\n================\r\n\r\n+-----------------------------------------------------+\r\n| Revision 1.0 | 2008-Mar-12 | Initial Public Release |\r\n+-----------------------------------------------------+\r\n\r\nCisco Security Procedures\r\n=========================\r\n\r\nComplete information on reporting security vulnerabilities in Cisco\r\nproducts, obtaining assistance with security incidents, and\r\nregistering to receive security information from Cisco, is available\r\non Cisco's worldwide website at\r\nhttp://www.cisco.com/en/US/products/products_security_vulnerability_policy.html\r\nThis includes instructions for press inquiries regarding Cisco\r\nsecurity notices. 
All Cisco security advisories are available at\r\nhttp://www.cisco.com/go/psirt.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.5 (Darwin)\r\n\r\niD8DBQFH1/jr86n/Gc8U/uARAs8RAJ9CjRFqB8rwYtrpXTVIol2QW7jG9wCeMT/F\r\nu8p4qv+1c9/UQTmBx5TR7O4=\r\n=U667\r\n-----END PGP SIGNATURE-----", "modified": "2008-03-12T00:00:00", "published": "2008-03-12T00:00:00", "id": "SECURITYVULNS:DOC:19393", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19393", "title": "Cisco Security Advisory: Cisco Secure Access Control Server for Windows User-Changeable Password Vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:12:25", "bulletinFamily": "exploit", "description": "", "modified": "2008-03-13T00:00:00", "published": "2008-03-13T00:00:00", "href": "https://packetstormsecurity.com/files/64534/RecurityLabs_Cisco_ACS_UCP_advisory.txt.html", "id": "PACKETSTORM:64534", "type": "packetstorm", "title": "RecurityLabs_Cisco_ACS_UCP_advisory.txt", "sourceData": "`________________________________________________________________________ \n \nRecurity Labs GmbH \nhttp://www.recurity-labs.com \nentomology@recurity-labs.com \nDate: 12.03.2008 \n________________________________________________________________________ \n \nVendor: Cisco Systems \nProduct: Cisco Secure Access Control Server (ACS) for \nWindows User-Changeable Password (UCP) application \nVulnerability: Multiple remote pre-authentication buffer overflows \nCross Site Scripting issue \nAffected Releases: ACS 3 and 4, UCP v3.3.4.12.5, CSuserCGI 3.3.1 \nNOT Affected Releases: UCP 4.2 and above \nSeverity: HIGH \nCVE: CVE-2008-0532, CVE-2008-0533 \n________________________________________________________________________ \n \nVendor communication: \n20.11.2007 Initial notification to PSIRT \n20.11.2007 Response from PSIRT, PGP encrypted to PSIRT only \n26.11.2007 Response from Paul 
Oxman / PSIRT \n26.11.2007 Even more detailed information to Paul Oxman \n27.11.2007 Received new PGP keys from PSIRT \n27.11.2007 Retransmit \n28.11.2007 Paul Oxman reports they are working on it \n28.11.2007 Fix discussions with Paul Oxman \n29.11.2007 Paul Oxman provides Cisco Bug IDs \n29.11.2007 Fix discussions with Paul Oxman \n12.12.2007 Fixed version provided for testing \n13.12.2007 Feedback to the fixed code \n14.12.2007 Paul Oxman acknowledges feedback \n17.12.2007 Paul Oxman reports internal progress \n17.12.2007 More feedback \n08.01.2008 Paul Oxman reports internal progress \n08.01.2008 ACK \n30.01.2008 Paul Oxman proposes advisory release date \n30.01.2008 Acknowledging advisory release date \n27.02.2008 Paul Oxman updates on progress \n27.02.2008 ACK \n05.03.2008 Paul Oxman sends draft Cisco advisory \n05.03.2008 Sending draft Recurity Labs advisory \n06.03.2008 Paul Oxman provides fixed release version \n06.03.2008 Final communication with Paul Oxman \n12.03.2008 Coordinated release \n________________________________________________________________________ \n \nOverview: \nThe Cisco Secure Access Control Server (ACS) for Windows User-Changeable \nPassword (UCP) application is a set of CGI programs and web site contents \ninstalled on Microsoft IIS. \n \nFrom the Cisco Advisory: \n\"The UCP application enables end users to change their ACS passwords \nwith a web-based utility. When users need to change their own \npasswords, they can access the UCP web page by using a supported web \nbrowser, validate their existing credentials, and then change their \npassword via the utility.\" \n \nThe CGI /securecgi-bin/CSUserCGI.exe suffers from multiple buffer \noverflows exploitable remotely through the HTTP protocol before \nauthentication. Additionally, CSUserCGI.exe suffers from a non-persistent \nCross Site Scripting vulnerability. 
\n \nDescription: \nThe main() function of CSuserCGI.exe compares the first command line \nargument passed to the program using strcmp() against a list of \nsupported arguments, among them \"Logout\", \"Main\", \"ChangePass\", etc. \n \nFor most of the arguments, it will simply parse the following arguments \nand pass them to a wsprintf() call with format strings like \n\"Action=%s&Username=%s&OldPass=%s&NetPass=%s\". The destination buffer of \nthese calls is located in the .data segment of the application. \n \nIn case of the \"Logout\" argument, main() passes the second argument, \nusually of the form \"1234.xyzab.c.username.\", as well as a char[] \nbuffer on the stack to a function that first extracts the string up \nto the first '.' character using strtok and then copies the string \ninto the supplied char[] buffer. The char buffer is 96 bytes long. \nAccordingly, if the string before the first dot character exceeds this \nlength, the buffer as well as the return address is overwritten. \n \n.text:00401065 mov eax, [ebx+8] ; get argv[2] \n.text:00401068 test eax, eax \n.text:0040106A jz loc_401520 \n.text:00401070 push eax ; char * \n.text:00401071 call sub_402870 \n... \n.text:00402870 sub esp, 60h \n.text:00402873 mov ecx, 17h \n.text:00402878 xor eax, eax \n.text:0040287A push edi \n.text:0040287B lea edi, [esp+64h+var_60] \n.text:0040287F rep stosd \n.text:00402881 mov ecx, [esp+64h+arg_0] \n.text:00402885 stosw \n.text:00402887 stosb \n.text:00402888 lea eax, [esp+64h+var_60] \n.text:0040288C push eax ; int \n.text:0040288D push ecx ; char * \n.text:0040288E call sub_402940 \n... 
\n.text:00402940 mov ecx, [esp+arg_0] \n.text:00402944 xor eax, eax \n.text:00402946 test ecx, ecx \n.text:00402948 jz locret_402A11 \n.text:0040294E push ebx \n.text:0040294F push esi \n.text:00402950 push edi \n.text:00402951 push offset a_ ; \".\" \n.text:00402956 push ecx ; char * \n.text:00402957 call _strtok \n.text:0040295C mov edi, eax \n.text:0040295E or ecx, 0FFFFFFFFh \n.text:00402961 xor eax, eax \n.text:00402963 mov ebx, [esp+14h+arg_4] \n.text:00402967 repne scasb \n.text:00402969 not ecx \n.text:0040296B sub edi, ecx \n.text:0040296D lea edx, [ebx+1] \n.text:00402970 mov eax, ecx \n.text:00402972 mov esi, edi \n.text:00402974 mov edi, edx \n.text:00402976 push offset a_ ; \".\" \n.text:0040297B shr ecx, 2 \n.text:0040297E rep movsd \n.text:00402980 mov ecx, eax \n.text:00402982 push 0 ; char * \n.text:00402984 and ecx, 3 \n.text:00402987 rep movsb \n \nExample: \nThe following request will cause EIP to be overwritten with 0x42424242. \nThe line may wrap, depending on how you view this file. \nhttps://target/securecgi-bin/CSUserCGI.exe?Logout+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB.xyzab.c.hacker. \n \nA non-persistent Cross Site Scripting vulnerability can also be triggered \nusing the Help facility of the CGI. An example request would be as \nfollows. The line may wrap, depending on how you view this file. \nhttps://target/securecgi-bin/CSUserCGI.exe?Help+00.lala.c.hacker%22%22%22%3E%3Ch1%3EHello_Cisco%3C/h1%3E \n \nSolution: \nUpdate to UCP version 4.2. \nSee the Cisco Advisory for how to obtain fixed software: \nhttp://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml \n \n________________________________________________________________________ \n \nCredit: \nThe vulnerabilities were identified by Felix 'FX' Lindner, Recurity Labs \nGmbH, during a cursory inspection of a customer installation of the ACS \nUCP product. 
\n \nGreets to the teams at Recurity Labs and Zynamics, Sergio Alvarez, Max \nMoser, Alexander Kornbrust, Maxim Salomon, Nicolas Fischbach, Karsten \nSchumann, Frank Becker, PSIRT, Paul Oxman, John Stewart \n________________________________________________________________________ \n \nThe information provided is released \"as is\" without warranty \nof any kind. The publisher disclaims all warranties, either express or \nimplied, including all warranties of merchantability. No responsibility \nis taken for the correctness of this information. \nIn no event shall the publisher be liable for any damages whatsoever \nincluding direct, indirect, incidental, consequential, loss of business \nprofits or special damages, even if the publisher has been advised of \nthe possibility of such damages. \n \nThe contents of this advisory are copyright (c) 2008 Recurity Labs GmbH \nand may be distributed freely provided that no fee is charged for this \ndistribution and proper credit is given. \n________________________________________________________________________ \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/64534/RecurityLabs_Cisco_ACS_UCP_advisory.txt"}], "seebug": [{"lastseen": "2017-11-19T21:45:51", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 28222\r\nCVE(CAN) ID: CVE-2008-0532,CVE-2008-0533\r\n\r\nThe UCP application allows end users to change their Cisco Secure Access Control Server (ACS) passwords with a web-based tool.\r\n\r\nThe /securecgi-bin/CSUserCGI.exe 
CGI contains multiple buffer overflow and cross-site scripting vulnerabilities; a remote attacker could exploit them to take control of the server.\r\n\r\nThe main() function of CSuserCGI.exe uses strcmp() to compare the first command-line argument passed to the program against a list of supported arguments, such as Logout, Main and ChangePass. For most arguments, the function simply parses the remaining arguments and passes them to a wsprintf() call with a format string such as Action=%s&Username=%s&OldPass=%s&NetPass=%s. The destination buffers of these calls are located in the application's .data segment.\r\n\r\nIn the case of the Logout argument, main() passes the second argument, usually of the form 1234.xyzab.c.username., together with a char[] buffer on the stack to a function that uses strtok to extract the string up to the first '.' character and then copies that string into the 96-byte char[] buffer. If the string before the first period exceeds this length, the buffer and the return address are overwritten.\r\n\r\n .text:00401065 mov eax, [ebx+8] ; get argv[2]\r\n .text:00401068 test eax, eax\r\n .text:0040106A jz loc_401520\r\n .text:00401070 push eax ; char *\r\n .text:00401071 call sub_402870\r\n ...\r\n .text:00402870 sub esp, 60h\r\n .text:00402873 mov ecx, 17h\r\n .text:00402878 xor eax, eax\r\n .text:0040287A push edi\r\n 
.text:0040287B lea edi, [esp+64h+var_60]\r\n .text:0040287F rep stosd\r\n .text:00402881 mov ecx, [esp+64h+arg_0]\r\n .text:00402885 stosw\r\n .text:00402887 stosb\r\n .text:00402888 lea eax, [esp+64h+var_60]\r\n .text:0040288C push eax ; int\r\n .text:0040288D push ecx ; char *\r\n .text:0040288E call sub_402940\r\n ...\r\n .text:00402940 mov ecx, [esp+arg_0]\r\n .text:00402944 xor eax, eax\r\n .text:00402946 test ecx, ecx\r\n .text:00402948 jz locret_402A11\r\n .text:0040294E push ebx\r\n .text:0040294F push esi\r\n .text:00402950 push edi\r\n .text:00402951 push offset a_ ; "."\r\n .text:00402956 push ecx ; char *\r\n .text:00402957 call _strtok\r\n .text:0040295C mov edi, eax\r\n .text:0040295E or ecx, 0FFFFFFFFh\r\n .text:00402961 xor eax, eax\r\n .text:00402963 mov ebx, [esp+14h+arg_4]\r\n .text:00402967 repne scasb\r\n .text:00402969 not ecx\r\n .text:0040296B sub edi, ecx\r\n .text:0040296D lea edx, [ebx+1]\r\n .text:00402970 mov eax, ecx\r\n .text:00402972 mov esi, edi\r\n .text:00402974 mov edi, edx\r\n .text:00402976 push offset a_ ; "."\r\n .text:0040297B shr ecx, 2\r\n .text:0040297E rep movsd\r\n .text:00402980 mov ecx, eax\r\n .text:00402982 push 0 ; char *\r\n .text:00402984 and ecx, 3\r\n .text:00402987 rep movsb\r\n\r\nIn addition, submitting a malicious URL request to CSUserCGI.exe can also trigger a cross-site scripting attack.\r\n\n\nCisco User-Changeable Password < 4.2\n Vendor patch:\r\n\r\nCisco\r\n-----\r\nCisco has released a security advisory (cisco-sa-20080312-ucp) and a corresponding patch for this issue:\r\ncisco-sa-20080312-ucp: Cisco Secure Access Control Server for Windows User-Changeable Password Vulnerabilities\r\nLink: <a href=http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml 
target=_blank>http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml</a>\r\n\r\nPatch download:\r\n<a href=http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/ciscosecure/special/acs/macgyver/UCP_4.2.0.124-K9.zip&app=Tablebuild&status=showC2A target=_blank>http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/ciscosecure/special/acs/macgyver/UCP_4.2.0.124-K9.zip&app=Tablebuild&status=showC2A</a>", "modified": "2008-03-15T00:00:00", "published": "2008-03-15T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-3031", "id": "SSV:3031", "title": "Cisco User-Changeable Password (UCP) CSuserCGI.exe Buffer Overflow and Cross-Site Scripting Vulnerabilities", "type": "seebug", "sourceData": "\n https://target/securecgi-bin/CSUserCGI.exe?Logout+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB.xyzab.c.hacker.\r\nhttps://target/securecgi-bin/CSUserCGI.exe?Help+00.lala.c.hacker%22%22%22%3E%\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-3031"}], "exploitdb": [{"lastseen": "2016-02-03T14:32:42", "bulletinFamily": "exploit", "description": "Cisco User-Changeable Password (UCP) 3.3.4.12.5 'CSuserCGI.exe' Multiple Remote Vulnerabilities. CVE-2008-0532 . 
Dos exploit for windows platform", "modified": "2008-03-12T00:00:00", "published": "2008-03-12T00:00:00", "id": "EDB-ID:31394", "href": "https://www.exploit-db.com/exploits/31394/", "type": "exploitdb", "title": "Cisco User-Changeable Password UCP 3.3.4.12.5 - 'CSuserCGI.exe' Multiple Remote Vulnerabilities", "sourceData": "source: http://www.securityfocus.com/bid/28222/info\r\n\r\nCisco User-Changeable Password (UCP) is prone to multiple remote vulnerabilities, including cross-site scripting and buffer-overflow vulnerabilities.\r\n\r\nExploiting the cross-site scripting issues may help the attacker steal cookie-based authentication credentials and launch other attacks. Exploiting the buffer-overflow vulnerabilities allows attackers to execute code in the context of the affected application, facilitating the remote compromise of affected computers.\r\n\r\nThe buffer-overflow issues are tracked by Cisco Bug ID CSCsl49180. The cross-site scripting issues are tracked by Cisco Bug ID CSCsl49205.\r\n\r\nThese issues affect versions prior to UCP 4.2 when running on Microsoft Windows. \r\n\r\nhttp://www.example.com/securecgi-bin/CSUserCGI.exe?Logout+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB.xyzab.c.hacker.", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/31394/"}, {"lastseen": "2016-02-03T14:32:52", "bulletinFamily": "exploit", "description": "Cisco User-Changeable Password (UCP) 3.3.4.12.5 CSUserCGI.exe Help Facility XSS. CVE-2008-0533. 
Remote exploit for windows platform", "modified": "2008-03-12T00:00:00", "published": "2008-03-12T00:00:00", "id": "EDB-ID:31395", "href": "https://www.exploit-db.com/exploits/31395/", "type": "exploitdb", "title": "Cisco User-Changeable Password UCP 3.3.4.12.5 - CSUserCGI.exe Help Facility XSS", "sourceData": "source: http://www.securityfocus.com/bid/28222/info\r\n \r\nCisco User-Changeable Password (UCP) is prone to multiple remote vulnerabilities, including cross-site scripting and buffer-overflow vulnerabilities.\r\n \r\nExploiting the cross-site scripting issues may help the attacker steal cookie-based authentication credentials and launch other attacks. Exploiting the buffer-overflow vulnerabilities allows attackers to execute code in the context of the affected application, facilitating the remote compromise of affected computers.\r\n \r\nThe buffer-overflow issues are tracked by Cisco Bug ID CSCsl49180. The cross-site scripting issues are tracked by Cisco Bug ID CSCsl49205.\r\n \r\nThese issues affect versions prior to UCP 4.2 when running on Microsoft Windows. \r\n\r\nhttp://www.example.com/securecgi-bin/CSUserCGI.exe?Help+00.lala.c.hacker%22%22%22%3E%3Ch1%3EHello_Cisco%3C/h1%3E ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/31395/"}], "saint": [{"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "description": "Added: 04/07/2008 \nCVE: [CVE-2008-0532](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0532>) \nBID: [28222](<http://www.securityfocus.com/bid/28222>) \nOSVDB: [42961](<http://www.osvdb.org/42961>) \n\n\n### Background\n\n[Cisco Secure Access Control Server (ACS)](<http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html>) is a centralized user access control framework which can be used with routers, switches, firewalls, VPNs, and other devices. 
User Changeable Passwords (UCP), a utility implemented by Cisco Secure ACS, allows users to change their ACS passwords using a web browser. \n\n### Problem\n\nA buffer overflow in the `**CSuserCGI.exe**` program allows remote attackers to execute arbitrary commands by sending a specially crafted HTTP request with a long Logout argument. \n\n### Resolution\n\nUpgrade to [UCP 4.2](<http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2>). \n\n### References\n\n<http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml> \n<http://www.frsirt.com/english/advisories/2008/0868> \n\n\n### Limitations\n\nExploit works on Cisco UCP 4.1.4.13. \n\nOn Windows Server 2003, Read and Execute privileges on the file `**%windir%\\system32\\cmd.exe**` must be granted to the Internet Guest Account \"IUSR_\" for the exploit to work properly. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "modified": "2008-04-07T00:00:00", "published": "2008-04-07T00:00:00", "id": "SAINT:D6724CFE14B6330D0145E76C5F19A19B", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/cisco_acs_ucp_csusercgi", "type": "saint", "title": "Cisco Secure ACS UCP CSuserCGI.exe buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:08:19", "bulletinFamily": "exploit", "description": "Added: 04/07/2008 \nCVE: [CVE-2008-0532](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0532>) \nBID: [28222](<http://www.securityfocus.com/bid/28222>) \nOSVDB: [42961](<http://www.osvdb.org/42961>) \n\n\n### Background\n\n[Cisco Secure Access Control Server (ACS)](<http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html>) is a centralized user access control framework which can be used with routers, switches, firewalls, VPNs, and other devices. User Changeable Passwords (UCP), a utility implemented by Cisco Secure ACS, allows users to change their ACS passwords using a web browser. 
\n\n### Problem\n\nA buffer overflow in the `**CSuserCGI.exe**` program allows remote attackers to execute arbitrary commands by sending a specially crafted HTTP request with a long Logout argument. \n\n### Resolution\n\nUpgrade to [UCP 4.2](<http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2>). \n\n### References\n\n<http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml> \n<http://www.frsirt.com/english/advisories/2008/0868> \n\n\n### Limitations\n\nExploit works on Cisco UCP 4.1.4.13. \n\nOn Windows Server 2003, Read and Execute privileges on the file `**%windir%\\system32\\cmd.exe**` must be granted to the Internet Guest Account \"IUSR_\" for the exploit to work properly. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "modified": "2008-04-07T00:00:00", "published": "2008-04-07T00:00:00", "id": "SAINT:EC522F5DF020A3400B7FFD53A64F470B", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/cisco_acs_ucp_csusercgi", "title": "Cisco Secure ACS UCP CSuserCGI.exe buffer overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-14T16:58:06", "bulletinFamily": "exploit", "description": "Added: 04/07/2008 \nCVE: [CVE-2008-0532](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0532>) \nBID: [28222](<http://www.securityfocus.com/bid/28222>) \nOSVDB: [42961](<http://www.osvdb.org/42961>) \n\n\n### Background\n\n[Cisco Secure Access Control Server (ACS)](<http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html>) is a centralized user access control framework which can be used with routers, switches, firewalls, VPNs, and other devices. User Changeable Passwords (UCP), a utility implemented by Cisco Secure ACS, allows users to change their ACS passwords using a web browser. 
\n\n### Problem\n\nA buffer overflow in the `**CSuserCGI.exe**` program allows remote attackers to execute arbitrary commands by sending a specially crafted HTTP request with a long Logout argument. \n\n### Resolution\n\nUpgrade to [UCP 4.2](<http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2>). \n\n### References\n\n<http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml> \n<http://www.frsirt.com/english/advisories/2008/0868> \n\n\n### Limitations\n\nExploit works on Cisco UCP 4.1.4.13. \n\nOn Windows Server 2003, Read and Execute privileges on the file `**%windir%\\system32\\cmd.exe**` must be granted to the Internet Guest Account \"IUSR_\" for the exploit to work properly. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "modified": "2008-04-07T00:00:00", "published": "2008-04-07T00:00:00", "id": "SAINT:99ACFCA2ADBB5CAB722631EFB3E8F813", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/cisco_acs_ucp_csusercgi", "type": "saint", "title": "Cisco Secure ACS UCP CSuserCGI.exe buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "d2": [{"lastseen": "2016-09-25T14:10:31", "bulletinFamily": "exploit", "description": "**Name**| d2sec_ciscoucp \n---|--- \n**CVE**| CVE-2008-0533 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| Cisco User-Changeable Password (UCP) Stack Overflow \n**Notes**| \n", "modified": "2008-03-14T16:44:00", "published": "2008-03-14T16:44:00", "id": "D2SEC_CISCOUCP", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_ciscoucp", "title": "DSquare Exploit Pack: D2SEC_CISCOUCP", "type": "d2", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}