Cisco WAAS Mobile Server ReportReceiver CAB Processing Remote Code Execution Vulnerability
2013-12-15T00:00:00
ID ZDI-13-276 Type zdi Reporter Andrea Micalizzi aka rgod Modified 2013-06-22T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of CISCO WAAS Mobile Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of CAB files uploaded through ReportReceiver. By uploading a crafted CAB file, an attacker is able to add a hostile web page to the web server. Using this, an attacker is able to run arbitrary code as either DefaultAppPool or NetworkService, depending on the operating system version.
{"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-5554"]}, {"type": "cisco", "idList": ["CISCO-SA-20131106-WAASM"]}, {"type": "nessus", "idList": ["CISCO_WAAS_3_5_5.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13412"]}], "modified": "2020-06-22T11:41:21", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2020-06-22T11:41:21", "rev": 2}, "vulnersScore": 7.8}, "edition": 3, "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-276/", "modified": "2013-06-22T00:00:00", "published": "2013-12-15T00:00:00", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of CISCO WAAS Mobile Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of CAB files uploaded through ReportReceiver. By uploading a crafted CAB file, an attacker is able to add a hostile web page to the web server. Using this, an attacker is able to run arbitrary code as either DefaultAppPool or NetworkService, depending on the operating system version.", "bulletinFamily": "info", "viewCount": 1, "title": "Cisco WAAS Mobile Server ReportReceiver CAB Processing Remote Code Execution Vulnerability", "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131106-waasm"], "cvelist": ["CVE-2013-5554"], "type": "zdi", "id": "ZDI-13-276", "lastseen": "2020-06-22T11:41:21", "reporter": "Andrea Micalizzi aka rgod", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "scheme": null, "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T06:06:58", "description": "Directory traversal vulnerability in the web-management interface in the server in Cisco Wide Area Application Services (WAAS) Mobile before 3.5.5 allows remote attackers to upload and execute arbitrary files via a crafted POST request, aka Bug ID CSCuh69773.", "edition": 6, "cvss3": {}, "published": "2013-11-08T04:47:00", "title": "CVE-2013-5554", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5554"], "modified": "2013-11-08T18:24:00", "cpe": ["cpe:/a:cisco:wide_area_application_services_mobile:3.3.4", "cpe:/a:cisco:wide_area_application_services_mobile:3.5.4", "cpe:/a:cisco:wide_area_application_services_mobile:3.4.2", "cpe:/a:cisco:wide_area_application_services_mobile:3.4.1", "cpe:/a:cisco:wide_area_application_services_mobile:3.3.1", "cpe:/a:cisco:wide_area_application_services_mobile:3.5.3", "cpe:/a:cisco:wide_area_application_services_mobile:3.5.0", "cpe:/a:cisco:wide_area_application_services_mobile:3.4", "cpe:/a:cisco:wide_area_application_services_mobile:3.5.1", "cpe:/a:cisco:wide_area_application_services_mobile:3.5.2"], "id": "CVE-2013-5554", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5554", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:cisco:wide_area_application_services_mobile:3.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wide_area_application_services_mobile:3.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wide_area_application_services_mobile:3.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wide_area_application_services_mobile:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wide_area_application_services_mobile:3.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wide_area_application_services_mobile:3.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wide_area_application_services_mobile:3.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wide_area_application_services_mobile:3.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wide_area_application_services_mobile:3.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wide_area_application_services_mobile:3.5.1:*:*:*:*:*:*:*"]}], "cisco": [{"lastseen": "2020-12-24T11:41:47", "bulletinFamily": "software", "cvelist": ["CVE-2013-5554"], "description": "A vulnerability in the web management interface of Cisco WAAS Mobile server could allow an unauthenticated, remote attacker to execute arbitrary code on the affected system.\n\nThe vulnerability is due to insufficient validation of user-supplied data in the body of an HTTP POST request. An attacker could exploit this vulnerability by crafting an HTTP POST request for content upload that would result in an uncontrolled directory traversal. An exploit could allow the attacker to execute arbitrary code on the WAAS Mobile server with the privileges of the IIS web server.\n\nCisco Wide Area Application Services (WAAS) Mobile contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the Cisco WAAS Mobile server with the privileges of the Microsoft Internet Information Services (IIS) web server.\n\nCisco has released software updates that address this vulnerability.\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131106-waasm[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131106-waasm\"]", "modified": "2013-11-06T14:34:02", "published": "2013-11-06T16:00:00", "id": "CISCO-SA-20131106-WAASM", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131106-waasm", "type": "cisco", "title": "Cisco WAAS Mobile Remote Code Execution Vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:53", "bulletinFamily": "software", "cvelist": ["CVE-2013-5554"], "description": "Directory traversal on file upload.", "edition": 1, "modified": "2013-11-18T00:00:00", "published": "2013-11-18T00:00:00", "id": "SECURITYVULNS:VULN:13412", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13412", "title": "Cisco WAAS directory traversal", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-04-01T01:42:15", "description": "The remote host has a version of Cisco WAAS Mobile Server prior to\nversion 3.5.5. It is, therefore, affected by a remote code execution\nvulnerability that can be triggered via a specially crafted HTTP POST\nrequest with a directory traversal string to the ReportReceiver.", "edition": 27, "published": "2014-01-07T00:00:00", "title": "Cisco WAAS Mobile Server < 3.5.5 Remote Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5554"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/a:cisco:wide_area_application_services_mobile"], "id": "CISCO_WAAS_3_5_5.NASL", "href": "https://www.tenable.com/plugins/nessus/71841", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71841);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2013-5554\");\n script_bugtraq_id(63554);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCuh69773\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20131106-waasm\");\n\n script_name(english:\"Cisco WAAS Mobile Server < 3.5.5 Remote Code Execution\");\n script_summary(english:\"Checks Cisco WAAS Mobile version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application on the remote host is affected by a remote code\nexecution vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host has a version of Cisco WAAS Mobile Server prior to\nversion 3.5.5. It is, therefore, affected by a remote code execution\nvulnerability that can be triggered via a specially crafted HTTP POST\nrequest with a directory traversal string to the ReportReceiver.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-276/\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131106-waasm\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?66884be2\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Cisco WAAS Mobile Server 3.5.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/01/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:wide_area_application_services_mobile\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"cisco_waas_mobile_installed.nbin\");\n script_require_keys(\"SMB/Cisco_WAAS_Mobile_Server/Installed\");\n exit(0);\n\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nkb_base = \"SMB/Cisco_WAAS_Mobile_Server/\";\nget_kb_item_or_exit(kb_base + \"Installed\");\nnum_installs = get_kb_item_or_exit(kb_base + \"NumInstalls\");\n\nreport = \"\";\nfor (install_num = 0; install_num < num_installs; install_num++)\n{\n version = get_kb_item(kb_base + install_num + \"/Version\");\n if (!isnull(version) && ver_compare(ver:version, fix:'3.5.5', strict:FALSE) == -1)\n {\n path = get_kb_item(kb_base + install_num + \"/Path\");\n report += '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 3.5.5\\n';\n }\n}\n\nif (report)\n{\n port = get_kb_item('SMB/transport');\n if (!port) port = 445;\n\n if (report_verbosity > 0) security_hole(port:port, extra:report);\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Cisco WAAS Mobile Server\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
