[Full-disclosure] Cisco ACS UCP Remote Pre-Authentication Buffer Overflows



Hi,

please find attached an advisory covering vulnerabilities in the Cisco
ACS UCP program. Alternatively, the advisory can also be found at
http://www.recurity-labs.com/content/pub/RecurityLabs_Cisco_ACS_UCP_advisory.txt

cheers
FX

--
Recurity Labs GmbH | Felix 'FX' Lindner
http://www.recurity-labs.com | fx@xxxxxxxxxxxxxxxxx
Wrangelstrasse 4 | Fon: +49 30 69539993-0
10997 Berlin | PGP: A740 DE51 9891 19DF 0D05
Germany | 13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner
________________________________________________________________________

Recurity Labs GmbH
http://www.recurity-labs.com
entomology@xxxxxxxxxxxxxxxxx
Date: 12.03.2008
________________________________________________________________________

Vendor: Cisco Systems
Product: Cisco Secure Access Control Server (ACS) for
Windows User-Changeable Password (UCP) application
Vulnerability: Multiple remote pre-authentication buffer overflows
Cross Site Scripting issue
Affected Releases: ACS 3 and 4, UCP v3.3.4.12.5, CSuserCGI 3.3.1
NOT Affected Releases: UCP 4.2 and above
Severity: HIGH
CVE: CVE-2008-0532, CVE-2008-0533
________________________________________________________________________

Vendor communication:
20.11.2007 Initial notification to PSIRT
20.11.2007 Response from PSIRT, PGP encrypted to PSIRT only
26.11.2007 Response from Paul Oxman / PSIRT
26.11.2007 Even more detailed information to Paul Oxman
27.11.2007 Received new PGP keys from PSIRT
27.11.2007 Retransmit
28.11.2007 Paul Oxman reports they are working on it
28.11.2007 Fix discussions with Paul Oxman
29.11.2007 Paul Oxman provides Cisco Bug IDs
29.11.2007 Fix discussions with Paul Oxman
12.12.2007 Fixed version provided for testing
13.12.2007 Feedback to the fixed code
14.12.2007 Paul Oxman acknowledges feedback
17.12.2007 Paul Oxman reports internal progress
17.12.2007 More feedback
08.01.2008 Paul Oxman reports internal progress
08.01.2008 ACK
30.01.2008 Paul Oxman proposes advisory release date
30.01.2008 Acknowleding advisory release date
27.02.2008 Paul Oxman updates on progress
27.02.2008 ACK
05.03.2008 Paul Oxman sends draft Cisco advisory
05.03.2008 Sending draft Recurity Labs advisory
06.03.2008 Paul Oxman provides fixed release version
06.03.2008 Final communication with Paul Oxman
12.03.2008 Coordinated release
________________________________________________________________________

Overview:
Cisco Secure Access Control Server (ACS) for Windows User-Changeable
Password (UCP) application is a set of CGI programs and web site contents
installed on Microsoft IIS.

From the Cisco Advisory:
"The UCP application enables end users to change their ACS passwords
with a web-based utility. When users need to change their own
passwords, they can access the UCP web page by using a supported web
browser, validate their existing credentials, and then change their
password via the utility."

The CGI /securecgi-bin/CSUserCGI.exe suffers from multiple buffer
overflows exploitable remotely through the HTTP protocol before
authentication. Additionally, CSUserCGI.exe suffers from a non-persistent
Cross Site Scripting vulnerability.

Description:
The main() function of CSuserCGI.exe compares the first command line
argument passed to the program using strcmp() against a list of
supported arguments, among them "Logout", "Main", "ChangePass", etc.

For most of the aguments, it will simply parse the following arguments
and pass them to a wsprintf() call with format strings like
"Action=%s&Username=%s&OldPass=%s&NetPass=%s". The destination buffer of
these calls is located in the .data segment of the application.

In case of the "Logout" argument, main() passes the second argument,
usually of the form "1234.xyzab.c.username.", as well as a char[]
buffer on the stack to a function that first extracts the string up
to the first '.' character using strtok and then copies the string
into the supplied char[] buffer. The char buffer is 96 bytes long.
Accordingly, if the string before the first dot character exceeds this
length, the buffer as well as the return address is overwritten.

.text:00401065 mov eax, [ebx+8] ; get argv[2]
.text:00401068 test eax, eax
.text:0040106A jz loc_401520
.text:00401070 push eax ; char *
.text:00401071 call sub_402870
...
.text:00402870 sub esp, 60h
.text:00402873 mov ecx, 17h
.text:00402878 xor eax, eax
.text:0040287A push edi
.text:0040287B lea edi, [esp+64h+var_60]
.text:0040287F rep stosd
.text:00402881 mov ecx, [esp+64h+arg_0]
.text:00402885 stosw
.text:00402887 stosb
.text:00402888 lea eax, [esp+64h+var_60]
.text:0040288C push eax ; int
.text:0040288D push ecx ; char *
.text:0040288E call sub_402940
...
.text:00402940 mov ecx, [esp+arg_0]
.text:00402944 xor eax, eax
.text:00402946 test ecx, ecx
.text:00402948 jz locret_402A11
.text:0040294E push ebx
.text:0040294F push esi
.text:00402950 push edi
.text:00402951 push offset a_ ; "."
.text:00402956 push ecx ; char *
.text:00402957 call _strtok
.text:0040295C mov edi, eax
.text:0040295E or ecx, 0FFFFFFFFh
.text:00402961 xor eax, eax
.text:00402963 mov ebx, [esp+14h+arg_4]
.text:00402967 repne scasb
.text:00402969 not ecx
.text:0040296B sub edi, ecx
.text:0040296D lea edx, [ebx+1]
.text:00402970 mov eax, ecx
.text:00402972 mov esi, edi
.text:00402974 mov edi, edx
.text:00402976 push offset a_ ; "."
.text:0040297B shr ecx, 2
.text:0040297E rep movsd
.text:00402980 mov ecx, eax
.text:00402982 push 0 ; char *
.text:00402984 and ecx, 3
.text:00402987 rep movsb

Example:
The following request will cause EIP to be overwritten with 0x42424242.
The line may wrap, depending on how you view this file.
https://target/securecgi-bin/CSUserCGI.exe?Logout+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB.xyzab.c.hacker.

A non-persistent Cross Site Scripting vulnerability can also be triggered
using the Help facility of the CGI. An example request would be as
follows. The line may wrap, depending on how you view this file.
https://target/securecgi-bin/CSUserCGI.exe?Help+00.lala.c.hacker%22%22%22%3E%3Ch1%3EHello_Cisco%3C/h1%3E

Solution:
Update to UCP version 4.2.
See the Cisco Advisory for how to obtain fixed software:
http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml

________________________________________________________________________

Credit:
The vulnerabilities were identified by Felix 'FX' Lindner, Recurity Labs
GmbH, during a cursory inspection of a customer installation of the ACS
UCP product.

Greets to the teams at Recurity Labs and Zynamics, Sergio Alvarez, Max
Moser, Alexander Kornbrust, Maxim Salomon, Nicolas Fischbach, Karsten
Schumann, Frank Becker, PSIRT, Paul Oxman, John Stewart
________________________________________________________________________

The information provided is released "as is" without warranty
of any kind. The publisher disclaims all warranties, either express or
implied, including all warranties of merchantability. No responsibility
is taken for the correctness of this information.
In no event shall the publisher be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if the publisher has been advised of
the possibility of such damages.

The contents of this advisory are copyright (c) 2008 Recurity Labs GmbH
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.
________________________________________________________________________

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/